1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; no name is given, so this is the root logger shared by
# the hwsim test modules.
logger = logging.getLogger(name=None)
23 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
24 from wpasupplicant
import WpaSupplicant
25 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
29 openssl_imported
= True
31 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw control socket is absent.

    Only the presence of the socket path is tested; nothing here verifies
    what (if anything) is listening on it.

    Raises:
        HwsimSkip: if ``/tmp/hlr_auc_gw.sock`` does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
37 def check_eap_capa(dev
, method
):
38 res
= dev
.get_capability("eap")
40 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the test unless dev's TLS library supports subject_match.

    The library name comes from the ``GET tls_library`` control command;
    only strings starting with ``OpenSSL`` or ``wolfSSL`` are accepted.

    Raises:
        HwsimSkip: for any other reported TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the test unless dev's TLS library supports altsubject_match.

    Accepts a ``GET tls_library`` reply starting with ``OpenSSL`` or
    ``wolfSSL``; anything else is treated as unsupported.

    Raises:
        HwsimSkip: for any other reported TLS library.
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith(("OpenSSL", "wolfSSL"))
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the test when dev uses the internal TLS implementation.

    Only a ``GET tls_library`` reply starting with ``internal`` is rejected;
    every other library name passes.

    Raises:
        HwsimSkip: if the reported TLS library is the internal one.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the test when dev uses the internal TLS implementation.

    Mirrors check_domain_match: a ``GET tls_library`` reply starting with
    ``internal`` raises, anything else is accepted.

    Raises:
        HwsimSkip: if the reported TLS library is the internal one.
    """
    tls = dev.request("GET tls_library")
    is_internal = tls.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the test unless dev's TLS library does suffix matching properly.

    Only ``GET tls_library`` replies starting with ``OpenSSL`` or ``wolfSSL``
    pass; other libraries are reported as requiring a full match.

    Raises:
        HwsimSkip: for any other reported TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith(("OpenSSL", "wolfSSL")):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the test unless dev's TLS library supports certificate probing.

    Accepted ``GET tls_library`` replies start with ``OpenSSL`` or
    ``internal``; note that wolfSSL is *not* accepted here, unlike the
    subject_match checks.

    Raises:
        HwsimSkip: for any other reported TLS library.
    """
    tls = dev.request("GET tls_library")
    probe_ok = tls.startswith(("OpenSSL", "internal"))
    if not probe_ok:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the test unless dev's TLS library is OpenSSL.

    ext_cert_check is only exercised with a ``GET tls_library`` reply that
    starts with ``OpenSSL``.

    Raises:
        HwsimSkip: for any other reported TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Query dev's TLS library; currently no library is excluded for OCSP.

    The ``GET tls_library`` request is still issued (and its reply
    discarded) so the control-interface round trip is unchanged. The
    earlier exclusions for the internal implementation and BoringSSL are
    kept below, commented out, for reference.
    """
    dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the test when dev's TLS library lacks PKCS#5 v1.5 support.

    Unlike the prefix-based checks in this file, this one looks for the
    substrings ``BoringSSL`` or ``GnuTLS`` anywhere in the ``GET
    tls_library`` reply.

    Raises:
        HwsimSkip: if either substring is present.
    """
    tls = dev.request("GET tls_library")
    if any(name in tls for name in ("BoringSSL", "GnuTLS")):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
89 def check_ocsp_multi_support(dev
):
90 tls
= dev
.request("GET tls_library")
91 if not tls
.startswith("internal"):
92 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
93 as_hapd
= hostapd
.Hostapd("as")
94 res
= as_hapd
.request("GET tls_library")
96 if not res
.startswith("internal"):
97 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Skip the test when dev's TLS library does not support PKCS#12.

    Only a ``GET tls_library`` reply starting with ``wolfSSL`` is rejected.
    The former exclusion of the internal implementation is kept below,
    commented out, for reference.

    Raises:
        HwsimSkip: if the reported TLS library is wolfSSL.
    """
    tls = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
    if not tls.startswith("wolfSSL"):
        return
    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when dev uses the internal TLS implementation.

    A ``GET tls_library`` reply starting with ``internal`` is rejected;
    everything else passes.

    Raises:
        HwsimSkip: if the reported TLS library is the internal one.
    """
    tls = dev.request("GET tls_library")
    internal = tls.startswith("internal")
    if internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
112 with
open(fname
, "r") as f
:
113 lines
= f
.readlines()
121 if "-----BEGIN" in l
:
123 return base64
.b64decode(cert
)
125 def eap_connect(dev
, hapd
, method
, identity
,
126 sha256
=False, expect_failure
=False, local_error_report
=False,
127 maybe_local_error
=False, **kwargs
):
128 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
129 eap
=method
, identity
=identity
,
130 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
132 eap_check_auth(dev
, method
, True, sha256
=sha256
,
133 expect_failure
=expect_failure
,
134 local_error_report
=local_error_report
,
135 maybe_local_error
=maybe_local_error
)
138 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
140 raise Exception("No connection event received from hostapd")
143 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
144 expect_failure
=False, local_error_report
=False,
145 maybe_local_error
=False):
146 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
148 raise Exception("Association and EAP start timed out")
149 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
150 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
152 raise Exception("EAP method selection timed out")
153 if "CTRL-EVENT-EAP-FAILURE" in ev
:
154 if maybe_local_error
:
156 raise Exception("Could not select EAP method")
158 raise Exception("Unexpected EAP method")
160 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
162 raise Exception("EAP failure timed out")
163 ev
= dev
.wait_disconnected(timeout
=10)
164 if maybe_local_error
and "locally_generated=1" in ev
:
166 if not local_error_report
:
167 if "reason=23" not in ev
:
168 raise Exception("Proper reason code for disconnection not reported")
170 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
172 raise Exception("EAP success timed out")
175 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
177 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
179 raise Exception("Association with the AP timed out")
180 status
= dev
.get_status()
181 if status
["wpa_state"] != "COMPLETED":
182 raise Exception("Connection not completed")
184 if status
["suppPortStatus"] != "Authorized":
185 raise Exception("Port not authorized")
186 if "selectedMethod" not in status
:
187 logger
.info("Status: " + str(status
))
188 raise Exception("No selectedMethod in status")
189 if method
not in status
["selectedMethod"]:
190 raise Exception("Incorrect EAP method status")
192 e
= "WPA2-EAP-SHA256"
194 e
= "WPA2/IEEE 802.1X/EAP"
196 e
= "WPA/IEEE 802.1X/EAP"
197 if status
["key_mgmt"] != e
:
198 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on dev and validate the outcome.

    Sends the ``REAUTHENTICATE`` control command and then hands the
    remaining options to eap_check_auth with ``initial=False``, so the
    same event/status checks as a fresh connection are applied.

    Args:
        dev: station under test (must expose ``request``).
        method: expected EAP method name, forwarded to eap_check_auth.
        rsn, sha256, expect_failure: forwarded unchanged to eap_check_auth.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_opts)
206 def test_ap_wpa2_eap_sim(dev
, apdev
):
207 """WPA2-Enterprise connection using EAP-SIM"""
208 check_hlr_auc_gw_support()
209 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
210 hapd
= hostapd
.add_ap(apdev
[0], params
)
211 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
212 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
213 hwsim_utils
.test_connectivity(dev
[0], hapd
)
214 eap_reauth(dev
[0], "SIM")
216 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
217 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
218 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
219 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
222 logger
.info("Negative test with incorrect key")
223 dev
[0].request("REMOVE_NETWORK all")
224 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
225 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
228 logger
.info("Invalid GSM-Milenage key")
229 dev
[0].request("REMOVE_NETWORK all")
230 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
231 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
234 logger
.info("Invalid GSM-Milenage key(2)")
235 dev
[0].request("REMOVE_NETWORK all")
236 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
237 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
240 logger
.info("Invalid GSM-Milenage key(3)")
241 dev
[0].request("REMOVE_NETWORK all")
242 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
243 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
246 logger
.info("Invalid GSM-Milenage key(4)")
247 dev
[0].request("REMOVE_NETWORK all")
248 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
249 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
252 logger
.info("Missing key configuration")
253 dev
[0].request("REMOVE_NETWORK all")
254 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
257 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
258 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
259 check_hlr_auc_gw_support()
263 raise HwsimSkip("No sqlite3 module available")
264 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
265 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
266 params
['auth_server_port'] = "1814"
267 hapd
= hostapd
.add_ap(apdev
[0], params
)
268 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
269 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
271 logger
.info("SIM fast re-authentication")
272 eap_reauth(dev
[0], "SIM")
274 logger
.info("SIM full auth with pseudonym")
277 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
278 eap_reauth(dev
[0], "SIM")
280 logger
.info("SIM full auth with permanent identity")
283 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
284 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
285 eap_reauth(dev
[0], "SIM")
287 logger
.info("SIM reauth with mismatching MK")
290 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
291 eap_reauth(dev
[0], "SIM", expect_failure
=True)
292 dev
[0].request("REMOVE_NETWORK all")
294 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
295 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
298 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
299 eap_reauth(dev
[0], "SIM")
302 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
303 logger
.info("SIM reauth with mismatching counter")
304 eap_reauth(dev
[0], "SIM")
305 dev
[0].request("REMOVE_NETWORK all")
307 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
308 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
311 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
312 logger
.info("SIM reauth with max reauth count reached")
313 eap_reauth(dev
[0], "SIM")
315 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
316 """EAP-SIM configuration options"""
317 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
318 hapd
= hostapd
.add_ap(apdev
[0], params
)
319 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
320 identity
="1232010000000000",
321 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 phase1
="sim_min_num_chal=1",
323 wait_connect
=False, scan_freq
="2412")
324 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
326 raise Exception("No EAP error message seen")
327 dev
[0].request("REMOVE_NETWORK all")
329 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
330 identity
="1232010000000000",
331 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
332 phase1
="sim_min_num_chal=4",
333 wait_connect
=False, scan_freq
="2412")
334 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
336 raise Exception("No EAP error message seen (2)")
337 dev
[0].request("REMOVE_NETWORK all")
339 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
340 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 phase1
="sim_min_num_chal=2")
342 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
343 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
344 anonymous_identity
="345678")
346 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
347 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
349 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
351 dev
[0].request("SET external_sim 0")
353 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
354 check_hlr_auc_gw_support()
355 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
356 hostapd
.add_ap(apdev
[0], params
)
357 dev
[0].request("SET external_sim 1")
358 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
359 identity
="1232010000000000",
360 wait_connect
=False, scan_freq
="2412")
361 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
363 raise Exception("Network connected timed out")
365 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
367 raise Exception("Wait for external SIM processing request timed out")
369 if p
[1] != "GSM-AUTH":
370 raise Exception("Unexpected CTRL-REQ-SIM type")
371 rid
= p
[0].split('-')[3]
374 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
375 # This will fail during processing, but the ctrl_iface command succeeds
376 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
377 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
379 raise Exception("EAP failure not reported")
380 dev
[0].request("DISCONNECT")
381 dev
[0].wait_disconnected()
384 dev
[0].select_network(id, freq
="2412")
385 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
387 raise Exception("Wait for external SIM processing request timed out")
389 if p
[1] != "GSM-AUTH":
390 raise Exception("Unexpected CTRL-REQ-SIM type")
391 rid
= p
[0].split('-')[3]
392 # This will fail during GSM auth validation
393 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
394 raise Exception("CTRL-RSP-SIM failed")
395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
397 raise Exception("EAP failure not reported")
398 dev
[0].request("DISCONNECT")
399 dev
[0].wait_disconnected()
402 dev
[0].select_network(id, freq
="2412")
403 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
405 raise Exception("Wait for external SIM processing request timed out")
407 if p
[1] != "GSM-AUTH":
408 raise Exception("Unexpected CTRL-REQ-SIM type")
409 rid
= p
[0].split('-')[3]
410 # This will fail during GSM auth validation
411 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
412 raise Exception("CTRL-RSP-SIM failed")
413 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
415 raise Exception("EAP failure not reported")
416 dev
[0].request("DISCONNECT")
417 dev
[0].wait_disconnected()
420 dev
[0].select_network(id, freq
="2412")
421 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
423 raise Exception("Wait for external SIM processing request timed out")
425 if p
[1] != "GSM-AUTH":
426 raise Exception("Unexpected CTRL-REQ-SIM type")
427 rid
= p
[0].split('-')[3]
428 # This will fail during GSM auth validation
429 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
430 raise Exception("CTRL-RSP-SIM failed")
431 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
433 raise Exception("EAP failure not reported")
434 dev
[0].request("DISCONNECT")
435 dev
[0].wait_disconnected()
438 dev
[0].select_network(id, freq
="2412")
439 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
441 raise Exception("Wait for external SIM processing request timed out")
443 if p
[1] != "GSM-AUTH":
444 raise Exception("Unexpected CTRL-REQ-SIM type")
445 rid
= p
[0].split('-')[3]
446 # This will fail during GSM auth validation
447 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
448 raise Exception("CTRL-RSP-SIM failed")
449 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
451 raise Exception("EAP failure not reported")
452 dev
[0].request("DISCONNECT")
453 dev
[0].wait_disconnected()
456 dev
[0].select_network(id, freq
="2412")
457 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
459 raise Exception("Wait for external SIM processing request timed out")
461 if p
[1] != "GSM-AUTH":
462 raise Exception("Unexpected CTRL-REQ-SIM type")
463 rid
= p
[0].split('-')[3]
464 # This will fail during GSM auth validation
465 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
466 raise Exception("CTRL-RSP-SIM failed")
467 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
469 raise Exception("EAP failure not reported")
470 dev
[0].request("DISCONNECT")
471 dev
[0].wait_disconnected()
474 dev
[0].select_network(id, freq
="2412")
475 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
477 raise Exception("Wait for external SIM processing request timed out")
479 if p
[1] != "GSM-AUTH":
480 raise Exception("Unexpected CTRL-REQ-SIM type")
481 rid
= p
[0].split('-')[3]
482 # This will fail during GSM auth validation
483 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
484 raise Exception("CTRL-RSP-SIM failed")
485 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
487 raise Exception("EAP failure not reported")
489 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
490 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
492 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
494 dev
[0].request("SET external_sim 0")
496 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
497 check_hlr_auc_gw_support()
498 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
499 hostapd
.add_ap(apdev
[0], params
)
500 dev
[0].request("SET external_sim 1")
501 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
502 identity
="1232010000000000",
503 wait_connect
=False, scan_freq
="2412")
505 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
507 raise Exception("Wait for external SIM processing request timed out")
509 if p
[1] != "GSM-AUTH":
510 raise Exception("Unexpected CTRL-REQ-SIM type")
511 rid
= p
[0].split('-')[3]
512 rand
= p
[2].split(' ')[0]
514 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
516 "auth_serv/hlr_auc_gw.milenage_db",
517 "GSM-AUTH-REQ 232010000000000 " + rand
])
518 if "GSM-AUTH-RESP" not in res
:
519 raise Exception("Unexpected hlr_auc_gw response")
520 resp
= res
.split(' ')[2].rstrip()
522 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
523 dev
[0].wait_connected(timeout
=15)
524 dev
[0].request("DISCONNECT")
525 dev
[0].wait_disconnected()
527 # Replace SIM, but forget to drop the previous pseudonym identity
528 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
529 dev
[0].select_network(id, freq
="2412")
531 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
533 raise Exception("Wait for external SIM processing request timed out")
535 if p
[1] != "GSM-AUTH":
536 raise Exception("Unexpected CTRL-REQ-SIM type")
537 rid
= p
[0].split('-')[3]
538 rand
= p
[2].split(' ')[0]
540 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
542 "auth_serv/hlr_auc_gw.milenage_db",
543 "GSM-AUTH-REQ 232010000000009 " + rand
])
544 if "GSM-AUTH-RESP" not in res
:
545 raise Exception("Unexpected hlr_auc_gw response")
546 resp
= res
.split(' ')[2].rstrip()
548 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
549 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
551 raise Exception("EAP-Failure not reported")
552 dev
[0].request("DISCONNECT")
553 dev
[0].wait_disconnected()
555 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
556 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
558 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
560 dev
[0].request("SET external_sim 0")
562 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
563 check_hlr_auc_gw_support()
564 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
565 hostapd
.add_ap(apdev
[0], params
)
566 dev
[0].request("SET external_sim 1")
567 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
568 identity
="1232010000000000",
569 wait_connect
=False, scan_freq
="2412")
571 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
573 raise Exception("Wait for external SIM processing request timed out")
575 if p
[1] != "GSM-AUTH":
576 raise Exception("Unexpected CTRL-REQ-SIM type")
577 rid
= p
[0].split('-')[3]
578 rand
= p
[2].split(' ')[0]
580 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
582 "auth_serv/hlr_auc_gw.milenage_db",
583 "GSM-AUTH-REQ 232010000000000 " + rand
])
584 if "GSM-AUTH-RESP" not in res
:
585 raise Exception("Unexpected hlr_auc_gw response")
586 resp
= res
.split(' ')[2].rstrip()
588 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
589 dev
[0].wait_connected(timeout
=15)
590 dev
[0].request("DISCONNECT")
591 dev
[0].wait_disconnected()
593 # Replace SIM and drop the previous pseudonym identity
594 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
595 dev
[0].set_network(id, "anonymous_identity", "NULL")
596 dev
[0].select_network(id, freq
="2412")
598 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
600 raise Exception("Wait for external SIM processing request timed out")
602 if p
[1] != "GSM-AUTH":
603 raise Exception("Unexpected CTRL-REQ-SIM type")
604 rid
= p
[0].split('-')[3]
605 rand
= p
[2].split(' ')[0]
607 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
609 "auth_serv/hlr_auc_gw.milenage_db",
610 "GSM-AUTH-REQ 232010000000009 " + rand
])
611 if "GSM-AUTH-RESP" not in res
:
612 raise Exception("Unexpected hlr_auc_gw response")
613 resp
= res
.split(' ')[2].rstrip()
615 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
616 dev
[0].wait_connected()
617 dev
[0].request("DISCONNECT")
618 dev
[0].wait_disconnected()
620 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
621 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
623 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
625 dev
[0].request("SET external_sim 0")
627 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
628 check_hlr_auc_gw_support()
629 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
630 hostapd
.add_ap(apdev
[0], params
)
631 dev
[0].request("SET external_sim 1")
632 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
633 wait_connect
=False, scan_freq
="2412")
635 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
637 raise Exception("Request for identity timed out")
638 rid
= ev
.split(':')[0].split('-')[-1]
639 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
641 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
643 raise Exception("Wait for external SIM processing request timed out")
645 if p
[1] != "GSM-AUTH":
646 raise Exception("Unexpected CTRL-REQ-SIM type")
647 rid
= p
[0].split('-')[3]
648 rand
= p
[2].split(' ')[0]
650 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
652 "auth_serv/hlr_auc_gw.milenage_db",
653 "GSM-AUTH-REQ 232010000000000 " + rand
])
654 if "GSM-AUTH-RESP" not in res
:
655 raise Exception("Unexpected hlr_auc_gw response")
656 resp
= res
.split(' ')[2].rstrip()
658 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
659 dev
[0].wait_connected(timeout
=15)
660 dev
[0].request("DISCONNECT")
661 dev
[0].wait_disconnected()
663 # Replace SIM and drop the previous permanent and pseudonym identities
664 dev
[0].set_network(id, "identity", "NULL")
665 dev
[0].set_network(id, "anonymous_identity", "NULL")
666 dev
[0].select_network(id, freq
="2412")
668 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
670 raise Exception("Request for identity timed out")
671 rid
= ev
.split(':')[0].split('-')[-1]
672 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
674 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
676 raise Exception("Wait for external SIM processing request timed out")
678 if p
[1] != "GSM-AUTH":
679 raise Exception("Unexpected CTRL-REQ-SIM type")
680 rid
= p
[0].split('-')[3]
681 rand
= p
[2].split(' ')[0]
683 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
685 "auth_serv/hlr_auc_gw.milenage_db",
686 "GSM-AUTH-REQ 232010000000009 " + rand
])
687 if "GSM-AUTH-RESP" not in res
:
688 raise Exception("Unexpected hlr_auc_gw response")
689 resp
= res
.split(' ')[2].rstrip()
691 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
692 dev
[0].wait_connected()
693 dev
[0].request("DISCONNECT")
694 dev
[0].wait_disconnected()
696 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
697 """EAP-SIM with external GSM auth and auth failing"""
699 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
701 dev
[0].request("SET external_sim 0")
703 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
704 check_hlr_auc_gw_support()
705 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
706 hostapd
.add_ap(apdev
[0], params
)
707 dev
[0].request("SET external_sim 1")
708 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
709 identity
="1232010000000000",
710 wait_connect
=False, scan_freq
="2412")
712 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
714 raise Exception("Wait for external SIM processing request timed out")
716 rid
= p
[0].split('-')[3]
717 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
718 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
720 raise Exception("EAP failure not reported")
721 dev
[0].request("REMOVE_NETWORK all")
722 dev
[0].wait_disconnected()
724 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
725 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
727 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
729 dev
[0].request("SET external_sim 0")
731 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
732 check_hlr_auc_gw_support()
733 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
734 hostapd
.add_ap(apdev
[0], params
)
735 dev
[0].request("SET external_sim 1")
736 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
737 identity
="1232010000000000",
738 wait_connect
=False, scan_freq
="2412")
740 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
742 raise Exception("Wait for external SIM processing request timed out")
744 if p
[1] != "GSM-AUTH":
745 raise Exception("Unexpected CTRL-REQ-SIM type")
746 rid
= p
[0].split('-')[3]
747 rand
= p
[2].split(' ')[0]
749 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
751 "auth_serv/hlr_auc_gw.milenage_db",
752 "GSM-AUTH-REQ 232010000000000 " + rand
])
753 if "GSM-AUTH-RESP" not in res
:
754 raise Exception("Unexpected hlr_auc_gw response")
755 resp
= res
.split(' ')[2].rstrip()
757 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
758 dev
[0].wait_connected(timeout
=15)
760 # Verify that EAP-SIM Reauthentication can be used after a profile change
761 # that does not affect EAP parameters.
762 dev
[0].set_network(id, "bssid", "any")
763 eap_reauth(dev
[0], "SIM")
765 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
766 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
768 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
770 dev
[0].request("SET external_sim 0")
772 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
773 check_hlr_auc_gw_support()
774 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
775 hostapd
.add_ap(apdev
[0], params
)
776 dev
[0].request("SET external_sim 1")
777 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
778 identity
="1232010000000000",
779 wait_connect
=False, scan_freq
="2412")
781 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
783 raise Exception("Wait for external SIM processing request timed out")
785 if p
[1] != "GSM-AUTH":
786 raise Exception("Unexpected CTRL-REQ-SIM type")
787 rid
= p
[0].split('-')[3]
788 rand
= p
[2].split(' ')[0]
790 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
792 "auth_serv/hlr_auc_gw.milenage_db",
793 "GSM-AUTH-REQ 232010000000000 " + rand
])
794 if "GSM-AUTH-RESP" not in res
:
795 raise Exception("Unexpected hlr_auc_gw response")
796 resp
= res
.split(' ')[2].rstrip()
798 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
799 dev
[0].wait_connected(timeout
=15)
801 # Verify that EAP-SIM Reauthentication can be used after network profile
802 # SET_NETWORK commands that do not actually change previously set
804 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
805 dev
[0].set_network(id, "eap", "SIM")
806 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
807 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
808 eap_reauth(dev
[0], "SIM")
810 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
811 """EAP-SIM and OOM"""
812 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
813 hostapd
.add_ap(apdev
[0], params
)
814 tests
= [ (1, "milenage_f2345"),
815 (2, "milenage_f2345"),
816 (3, "milenage_f2345"),
817 (4, "milenage_f2345"),
818 (5, "milenage_f2345"),
819 (6, "milenage_f2345"),
820 (7, "milenage_f2345"),
821 (8, "milenage_f2345"),
822 (9, "milenage_f2345"),
823 (10, "milenage_f2345"),
824 (11, "milenage_f2345"),
825 (12, "milenage_f2345") ]
826 for count
, func
in tests
:
827 with
fail_test(dev
[0], count
, func
):
828 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
829 identity
="1232010000000000",
830 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
831 wait_connect
=False, scan_freq
="2412")
832 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
834 raise Exception("EAP method not selected")
835 dev
[0].wait_disconnected()
836 dev
[0].request("REMOVE_NETWORK all")
838 def test_ap_wpa2_eap_aka(dev
, apdev
):
839 """WPA2-Enterprise connection using EAP-AKA"""
840 check_hlr_auc_gw_support()
841 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
842 hapd
= hostapd
.add_ap(apdev
[0], params
)
843 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
844 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
845 hwsim_utils
.test_connectivity(dev
[0], hapd
)
846 eap_reauth(dev
[0], "AKA")
848 logger
.info("Negative test with incorrect key")
849 dev
[0].request("REMOVE_NETWORK all")
850 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
851 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
854 logger
.info("Invalid Milenage key")
855 dev
[0].request("REMOVE_NETWORK all")
856 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
857 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
860 logger
.info("Invalid Milenage key(2)")
861 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
862 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
865 logger
.info("Invalid Milenage key(3)")
866 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
867 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
870 logger
.info("Invalid Milenage key(4)")
871 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
872 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
875 logger
.info("Invalid Milenage key(5)")
876 dev
[0].request("REMOVE_NETWORK all")
877 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
878 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
881 logger
.info("Invalid Milenage key(6)")
882 dev
[0].request("REMOVE_NETWORK all")
883 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
884 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
887 logger
.info("Missing key configuration")
888 dev
[0].request("REMOVE_NETWORK all")
889 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
892 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
893 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
894 check_hlr_auc_gw_support()
898 raise HwsimSkip("No sqlite3 module available")
899 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
900 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
901 params
['auth_server_port'] = "1814"
902 hapd
= hostapd
.add_ap(apdev
[0], params
)
903 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
904 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
906 logger
.info("AKA fast re-authentication")
907 eap_reauth(dev
[0], "AKA")
909 logger
.info("AKA full auth with pseudonym")
912 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
913 eap_reauth(dev
[0], "AKA")
915 logger
.info("AKA full auth with permanent identity")
918 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
919 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
920 eap_reauth(dev
[0], "AKA")
922 logger
.info("AKA reauth with mismatching MK")
925 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
926 eap_reauth(dev
[0], "AKA", expect_failure
=True)
927 dev
[0].request("REMOVE_NETWORK all")
929 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
930 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
933 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
934 eap_reauth(dev
[0], "AKA")
937 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
938 logger
.info("AKA reauth with mismatching counter")
939 eap_reauth(dev
[0], "AKA")
940 dev
[0].request("REMOVE_NETWORK all")
942 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
943 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
946 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
947 logger
.info("AKA reauth with max reauth count reached")
948 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Plain WPA2-Enterprise AP; the option under test (anonymous_identity)
    # lives on the station's network block.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Milenage test parameters for the simulated USIM (same value the other
    # EAP-AKA tests in this file use for identity 0232010000000000).
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password=aka_key, anonymous_identity="2345678")
958 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
959 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
961 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
963 dev
[0].request("SET external_sim 0")
965 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
966 check_hlr_auc_gw_support()
967 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
968 hostapd
.add_ap(apdev
[0], params
)
969 dev
[0].request("SET external_sim 1")
970 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
971 identity
="0232010000000000",
972 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
973 wait_connect
=False, scan_freq
="2412")
974 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
976 raise Exception("Network connected timed out")
978 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
980 raise Exception("Wait for external SIM processing request timed out")
982 if p
[1] != "UMTS-AUTH":
983 raise Exception("Unexpected CTRL-REQ-SIM type")
984 rid
= p
[0].split('-')[3]
987 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
988 # This will fail during processing, but the ctrl_iface command succeeds
989 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
990 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
992 raise Exception("EAP failure not reported")
993 dev
[0].request("DISCONNECT")
994 dev
[0].wait_disconnected()
996 dev
[0].dump_monitor()
998 dev
[0].select_network(id, freq
="2412")
999 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1001 raise Exception("Wait for external SIM processing request timed out")
1002 p
= ev
.split(':', 2)
1003 if p
[1] != "UMTS-AUTH":
1004 raise Exception("Unexpected CTRL-REQ-SIM type")
1005 rid
= p
[0].split('-')[3]
1006 # This will fail during UMTS auth validation
1007 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1008 raise Exception("CTRL-RSP-SIM failed")
1009 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1011 raise Exception("Wait for external SIM processing request timed out")
1012 p
= ev
.split(':', 2)
1013 if p
[1] != "UMTS-AUTH":
1014 raise Exception("Unexpected CTRL-REQ-SIM type")
1015 rid
= p
[0].split('-')[3]
1016 # This will fail during UMTS auth validation
1017 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1018 raise Exception("CTRL-RSP-SIM failed")
1019 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1021 raise Exception("EAP failure not reported")
1022 dev
[0].request("DISCONNECT")
1023 dev
[0].wait_disconnected()
1025 dev
[0].dump_monitor()
1027 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1029 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1030 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1031 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1032 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1033 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1035 dev
[0].select_network(id, freq
="2412")
1036 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1038 raise Exception("Wait for external SIM processing request timed out")
1039 p
= ev
.split(':', 2)
1040 if p
[1] != "UMTS-AUTH":
1041 raise Exception("Unexpected CTRL-REQ-SIM type")
1042 rid
= p
[0].split('-')[3]
1043 # This will fail during UMTS auth validation
1044 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1045 raise Exception("CTRL-RSP-SIM failed")
1046 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1048 raise Exception("EAP failure not reported")
1049 dev
[0].request("DISCONNECT")
1050 dev
[0].wait_disconnected()
1052 dev
[0].dump_monitor()
1054 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1055 """EAP-AKA with external UMTS auth and auth failing"""
1057 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1059 dev
[0].request("SET external_sim 0")
1061 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1062 check_hlr_auc_gw_support()
1063 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1064 hostapd
.add_ap(apdev
[0], params
)
1065 dev
[0].request("SET external_sim 1")
1066 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1067 identity
="0232010000000000",
1068 wait_connect
=False, scan_freq
="2412")
1070 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1072 raise Exception("Wait for external SIM processing request timed out")
1073 p
= ev
.split(':', 2)
1074 rid
= p
[0].split('-')[3]
1075 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1076 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1078 raise Exception("EAP failure not reported")
1079 dev
[0].request("REMOVE_NETWORK all")
1080 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    # Milenage test parameters for the simulated USIM. The negative case
    # below differs only in the leading bytes of the first field.
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], hapd, "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # Bidding-down check: the peer offers both AKA' and AKA, and the
    # connection is still expected to complete.
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", identity, password=bad_key,
                expect_failure=True)
1105 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1106 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1107 check_hlr_auc_gw_support()
1111 raise HwsimSkip("No sqlite3 module available")
1112 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1113 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1114 params
['auth_server_port'] = "1814"
1115 hapd
= hostapd
.add_ap(apdev
[0], params
)
1116 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1117 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1119 logger
.info("AKA' fast re-authentication")
1120 eap_reauth(dev
[0], "AKA'")
1122 logger
.info("AKA' full auth with pseudonym")
1125 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1126 eap_reauth(dev
[0], "AKA'")
1128 logger
.info("AKA' full auth with permanent identity")
1131 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1132 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1133 eap_reauth(dev
[0], "AKA'")
1135 logger
.info("AKA' reauth with mismatching k_aut")
1138 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1139 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1140 dev
[0].request("REMOVE_NETWORK all")
1142 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1143 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1146 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1147 eap_reauth(dev
[0], "AKA'")
1150 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1151 logger
.info("AKA' reauth with mismatching counter")
1152 eap_reauth(dev
[0], "AKA'")
1153 dev
[0].request("REMOVE_NETWORK all")
1155 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1156 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1159 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1160 logger
.info("AKA' reauth with max reauth count reached")
1161 eap_reauth(dev
[0], "AKA'")
1163 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1164 """EAP-AKA' with external UMTS auth and auth failing"""
1166 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1168 dev
[0].request("SET external_sim 0")
1170 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1171 check_hlr_auc_gw_support()
1172 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1173 hostapd
.add_ap(apdev
[0], params
)
1174 dev
[0].request("SET external_sim 1")
1175 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1176 identity
="6555444333222111",
1177 wait_connect
=False, scan_freq
="2412")
1179 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1181 raise Exception("Wait for external SIM processing request timed out")
1182 p
= ev
.split(':', 2)
1183 rid
= p
[0].split('-')[3]
1184 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1185 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1187 raise Exception("EAP failure not reported")
1188 dev
[0].request("REMOVE_NETWORK all")
1189 dev
[0].wait_disconnected()
1191 def test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1192 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1194 _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
)
1196 dev
[0].request("SET external_sim 0")
1198 def _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1199 check_hlr_auc_gw_support()
1200 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1201 hostapd
.add_ap(apdev
[0], params
)
1202 dev
[0].request("SET external_sim 1")
1203 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1204 identity
="6555444333222111",
1205 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1206 wait_connect
=False, scan_freq
="2412")
1207 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1209 raise Exception("Network connected timed out")
1211 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1213 raise Exception("Wait for external SIM processing request timed out")
1214 p
= ev
.split(':', 2)
1215 if p
[1] != "UMTS-AUTH":
1216 raise Exception("Unexpected CTRL-REQ-SIM type")
1217 rid
= p
[0].split('-')[3]
1218 # This will fail during UMTS auth validation
1219 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1220 raise Exception("CTRL-RSP-SIM failed")
1221 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1223 raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # GET_CONFIG sanity check: the first key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # PAP carries the cleartext password inside the TLS tunnel, so the
    # ca_cert-based server validation is what protects it here.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # AKM suite selector 00-0f-ac:1 is IEEE 802.1X; both requested and
    # selected suites must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server certificate is checked both by subject DN and by its
    # ';'-separated TYPE:value alternative-name list on top of ca_cert.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                  altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **tunnel)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Wrong password for the PAP user.
    eap_connect(dev[0], hapd, "TTLS", "pap user", password="wrong", **common)
    # A different identity with its usual password; presumably not
    # provisioned for PAP on the test server, so this must fail too.
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based and therefore unavailable under FIPS mode.
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate variant is used here (ca.der).
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], hapd, "TTLS", "chap user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
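def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # CHAP is MD5-based and therefore unavailable under FIPS mode.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same CHAP setup as test_ap_wpa2_eap_ttls_chap, plus a subjectAltName
    # constraint on the server certificate (entries in a different order
    # than the PAP variant to show ordering does not matter).
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                  altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_connect(dev[0], hapd, "TTLS", "chap user", **tunnel)
    eap_reauth(dev[0], "TTLS")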
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for the CHAP user.
    eap_connect(dev[0], hapd, "TTLS", "chap user", password="wrong", **common)
    # A different identity with its usual password; presumably not
    # provisioned for CHAP on the test server, so this must fail too.
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "mschap user"
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAP")

    # 1) Normal connection with the server name pinned via domain_suffix_match.
    eap_connect(dev[0], hapd, "TTLS", identity, password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # 2) Same credentials with a small EAP fragment size to exercise
    #    fragmentation of the TLS handshake.
    eap_connect(dev[0], hapd, "TTLS", identity, password="password",
                fragment_size="200", **base)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) Password supplied as its NT hash ("hash:" prefix) instead of
    #    cleartext.
    eap_connect(dev[0], hapd, "TTLS", identity,
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    # Three rejection cases: wrong password, wrong user (presumably not
    # provisioned for MSCHAP), and an identity unknown to the server.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, pw in cases:
        eap_connect(sta, hapd, "TTLS", identity, password=pw, **common)
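def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escape the backslash explicitly: "\m" is not a valid Python escape
    # sequence and only kept the backslash by accident (it raises a
    # DeprecationWarning/SyntaxWarning on recent interpreters). The
    # resulting identity string is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot AP-side STA and EAPOL counters around a reauthentication so
    # the checks below can confirm they advanced.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # password_hex="hash:<NT hash>" supplies the stored NT password hash
    # instead of the cleartext password.
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")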
1375 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1376 """EAP-TTLS with invalid phase2 parameter values"""
1377 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1378 hostapd
.add_ap(apdev
[0], params
)
1379 tests
= [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1380 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1381 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1383 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1384 identity
="DOMAIN\mschapv2 user",
1385 anonymous_identity
="ttls", password
="password",
1386 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1387 wait_connect
=False, scan_freq
="2412")
1388 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1389 if ev
is None or "method=21" not in ev
:
1390 raise Exception("EAP-TTLS not started")
1391 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1392 "CTRL-EVENT-CONNECTED"], timeout
=5)
1393 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1394 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1395 dev
[0].request("REMOVE_NETWORK all")
1396 dev
[0].wait_disconnected()
1397 dev
[0].dump_monitor()
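def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escape the backslash explicitly; "\m" is an invalid escape sequence
    # that only happened to keep the backslash. Value is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    # domain_suffix_match="w1.fi" accepts server.w1.fi as a suffix match,
    # unlike the exact-name variant in test_ap_wpa2_eap_ttls_mschapv2.
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")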
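def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Escape the backslash explicitly; "\m" is an invalid escape sequence
    # that only happened to keep the backslash. Value is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    # domain_match uses mixed case ("Server.w1.fi") to exercise
    # case-insensitive full-name matching against the server certificate.
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")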
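def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2", expect_failure=True)
    # Escape the backslash explicitly; "\m" is an invalid escape sequence
    # that only happened to keep the backslash. Value is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    # Near-miss password for the MSCHAPv2 user.
    eap_connect(dev[0], hapd, "TTLS", identity, password="password1",
                **common)
    # A different identity with its usual password; presumably not
    # provisioned for MSCHAPv2 on the test server, so this must fail too.
    eap_connect(dev[1], hapd, "TTLS", "user", password="password", **common)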
1439 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1440 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1441 skip_with_fips(dev
[0])
1442 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1443 hapd
= hostapd
.add_ap(apdev
[0], params
)
1444 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1445 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1446 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1447 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1448 anonymous_identity
="ttls",
1449 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1450 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1451 for p
in [ "80", "41c041e04141e041", 257*"41" ]:
1452 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1453 eap
="TTLS", identity
="utf8-user-hash",
1454 anonymous_identity
="ttls", password_hex
=p
,
1455 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1456 wait_connect
=False, scan_freq
="2412")
1457 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1459 raise Exception("No failure reported")
1460 dev
[2].request("REMOVE_NETWORK all")
1461 dev
[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner method is an EAP method (autheap=), not a PPP-style one.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a known user; the connection must be rejected.
    tunnel = dict(anonymous_identity="ttls", password="wrong",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so supplying one
    # must not be accepted.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", expect_failure=True,
                **tunnel)
1491 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1492 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1493 params
= int_eap_server_params()
1494 hapd
= hostapd
.add_ap(apdev
[0], params
)
1495 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1496 eap_connect(dev
[0], hapd
, "TTLS", "user",
1497 anonymous_identity
="ttls", password
="password",
1498 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1499 expect_failure
=True)
1500 dev
[0].request("REMOVE_NETWORK all")
1502 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1503 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1504 eap
="TTLS", identity
="user",
1505 anonymous_identity
="ttls", password
="password",
1506 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1507 wait_connect
=False, scan_freq
="2412")
1508 # This would eventually time out, but we can stop after having reached
1509 # the allocation failure.
1512 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1515 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1516 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1517 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1518 hapd
= hostapd
.add_ap(apdev
[0], params
)
1520 tests
= [ "eap_gtc_init",
1521 "eap_msg_alloc;eap_gtc_process" ]
1523 with
alloc_fail(dev
[0], 1, func
):
1524 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1526 eap
="TTLS", identity
="user",
1527 anonymous_identity
="ttls", password
="password",
1528 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1530 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1531 dev
[0].request("REMOVE_NETWORK all")
1532 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip rather than fail without it.
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a known user; the connection must be rejected.
    tunnel = dict(anonymous_identity="ttls", password="wrong",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so supplying one
    # must not be accepted.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", expect_failure=True,
                **tunnel)
1565 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1566 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1567 check_eap_capa(dev
[0], "MD5")
1568 params
= int_eap_server_params()
1569 hapd
= hostapd
.add_ap(apdev
[0], params
)
1570 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1571 eap_connect(dev
[0], hapd
, "TTLS", "user",
1572 anonymous_identity
="ttls", password
="password",
1573 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1574 expect_failure
=True)
1575 dev
[0].request("REMOVE_NETWORK all")
1577 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1578 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1579 eap
="TTLS", identity
="user",
1580 anonymous_identity
="ttls", password
="password",
1581 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1582 wait_connect
=False, scan_freq
="2412")
1583 # This would eventually time out, but we can stop after having reached
1584 # the allocation failure.
1587 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")

    eap_connect(dev[0], hapd, "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # Near-miss password ("password1") must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so supplying one
    # must not be accepted.
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", expect_failure=True,
                **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    sta = dev[0]
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    # Allocation failure while initializing the inner method: the server
    # must fail the authentication cleanly instead of crashing.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(sta, hapd, "TTLS", "user", password="password",
                    expect_failure=True, **tunnel)
    sta.request("REMOVE_NETWORK all")

    def trigger(func, password):
        # Start an association that would eventually time out and stop as
        # soon as the injected allocation failure in 'func' has been hit
        # (GET_ALLOC_FAIL reports a remaining count of 0).
        with alloc_fail(hapd, 1, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="TTLS", identity="user", password=password,
                        wait_connect=False, scan_freq="2412", **tunnel)
            for _ in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
        sta.request("REMOVE_NETWORK all")

    trigger("eap_mschapv2_build_challenge", "password")
    trigger("eap_mschapv2_build_success_req", "password")
    # A wrong password drives the server into the failure-request path.
    trigger("eap_mschapv2_build_failure_req", "wrong")
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "1232010000000000"
    # For the simulated SIM the "password" carries the Milenage Ki:OPc pair;
    # these are fixed test vectors matching the test HLR/AuC database, not
    # real subscriber secrets.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(sta, hapd, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(sta, "TTLS")
1682 def run_ext_sim_auth(dev
):
1683 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1685 raise Exception("Wait for external SIM processing request timed out")
1686 p
= ev
.split(':', 2)
1687 if p
[1] != "GSM-AUTH":
1688 raise Exception("Unexpected CTRL-REQ-SIM type")
1689 rid
= p
[0].split('-')[3]
1690 rand
= p
[2].split(' ')[0]
1692 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1694 "auth_serv/hlr_auc_gw.milenage_db",
1695 "GSM-AUTH-REQ 232010000000000 " + rand
])
1696 if "GSM-AUTH-RESP" not in res
:
1697 raise Exception("Unexpected hlr_auc_gw response")
1698 resp
= res
.split(' ')[2].rstrip()
1700 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1701 dev
.wait_connected(timeout
=15)
1704 dev
.request("REAUTHENTICATE")
1705 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1707 raise Exception("EAP reauthentication did not succeed")
1708 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1710 raise Exception("Key negotiation did not complete")
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        # external_sim is a global supplicant setting; always restore it so
        # a failure here cannot leak into later tests.
        sta.request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """Body of the EAP-TTLS/EAP-SIM external-auth test; caller resets external_sim."""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "1232010000000000"
    # With external_sim=1 the supplicant does not run Milenage itself but
    # hands the GSM RAND out over the control interface (CTRL-REQ-SIM) and
    # waits for the SRES/Kc response; run_ext_sim_auth() plays that role.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                identity=imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "1232010000000000"
    # EAP-SIM as the PEAP inner method; the password field holds the test
    # SIM's Milenage Ki:OPc values.
    eap_connect(sta, hapd, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        # Restore the global external_sim setting regardless of outcome.
        sta.request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """Body of the EAP-PEAP/EAP-SIM external-auth test; caller resets external_sim."""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "1232010000000000"
    # GSM authentication is delegated to the control interface client
    # (run_ext_sim_auth) instead of the supplicant's built-in Milenage.
    sta.request("SET external_sim 1")
    sta.connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                identity=imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(sta)
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "1232010000000000"
    # fast_provisioning=2 requests authenticated PAC provisioning over the
    # server-certificate-protected tunnel; the PAC is kept in a config blob.
    eap_connect(sta, hapd, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    sta = dev[0]
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        # Restore the global external_sim setting regardless of outcome.
        sta.request("SET external_sim 0")
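def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """Body of the EAP-FAST/EAP-SIM external-auth test; caller resets external_sim.

    The outer method must be EAP-FAST with the anonymous identity in the
    @fast realm. The previous version used eap="PEAP" with a @peap
    identity, which silently exercised PEAP/EAP-SIM instead and left the
    fast_provisioning/pac_file settings unused.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # GSM authentication is delegated to the control interface client
    # (run_ext_sim_auth) instead of the supplicant's built-in Milenage.
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="FAST", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   anonymous_identity="1232010000000000@fast",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
                   wait_connect=False, scan_freq="2412")
    run_ext_sim_auth(dev[0])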
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "0232010000000000"
    # For the simulated USIM the password is Ki:OPc:SQN; the trailing SQN
    # is what distinguishes the AKA test vector from the SIM one.
    eap_connect(sta, hapd, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "0232010000000000"
    # EAP-AKA inside PEAP; password holds the test USIM's Ki:OPc:SQN.
    eap_connect(sta, hapd, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    imsi = "0232010000000000"
    # Authenticated PAC provisioning (fast_provisioning=2) with the PAC
    # stored in a config blob; inner method is EAP-AKA.
    eap_connect(sta, hapd, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(sta, hapd, "PEAP", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # Same exchange with small EAP fragments to exercise reassembly.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PEAP", "user", password="password",
                fragment_size="200", **tunnel)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # The NT password hash is accepted in place of the cleartext password.
    # For MSCHAPv2 the hash is password-equivalent - whoever holds it can
    # authenticate - so it must be protected exactly like the password.
    eap_connect(sta, hapd, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **tunnel)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PEAP", "user", password="password1",
                expect_failure=True, **tunnel)
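def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Identity in DOMAIN\user form. The backslash is escaped explicitly:
    # the bare "\u" in "DOMAIN\user3" is a Python 3 syntax error (truncated
    # \uXXXX escape) and only happened to work as a literal backslash on
    # Python 2. The resulting string is unchanged.
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")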
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The TLS tunnel is established fine; the inner MSCHAPv2 response for
    # the wrong password must be rejected and the EAP exchange must fail.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # crypto_binding per the wpa_supplicant phase1 documentation:
        # 2 = require, 1 = use if the server supports it, 0 = do not use.
        # Only the "require" setting guarantees that the inner and outer
        # authentications are bound together (PEAPv0 cryptobinding TLV).
        eap_connect(sta, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    # Cryptobinding needs the inner method's key material; when the server
    # cannot allocate it (eap_mschapv2_getKey fails) the authentication must
    # fail. The failure is detected locally on the client (local_error_report).
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1915 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1916 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1917 check_eap_capa(dev
[0], "MSCHAPV2")
1918 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1919 hapd
= hostapd
.add_ap(apdev
[0], params
)
1920 eap_connect(dev
[0], hapd
, "PEAP", "user",
1921 anonymous_identity
="peap", password
="password",
1922 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1923 phase1
="peapver=0 peaplabel=1",
1924 expect_failure
=True)
1925 dev
[0].request("REMOVE_NETWORK all")
1926 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1928 anonymous_identity
="peap", password
="password",
1929 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1930 phase1
="peap_outer_success=0",
1931 wait_connect
=False, scan_freq
="2412")
1932 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1934 raise Exception("No EAP success seen")
1935 # This won't succeed to connect with peap_outer_success=0, so stop here.
1936 dev
[0].request("REMOVE_NETWORK all")
1937 dev
[0].wait_disconnected()
1938 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
1939 ca_cert
="auth_serv/ca.pem",
1940 phase1
="peap_outer_success=1",
1941 phase2
="auth=MSCHAPV2")
1942 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
1943 ca_cert
="auth_serv/ca.pem",
1944 phase1
="peap_outer_success=2",
1945 phase2
="auth=MSCHAPV2")
1946 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1948 anonymous_identity
="peap", password
="password",
1949 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1950 phase1
="peapver=1 peaplabel=1",
1951 wait_connect
=False, scan_freq
="2412")
1952 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1954 raise Exception("No EAP success seen")
1955 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
1957 raise Exception("Unexpected connection")
1959 tests
= [ ("peap-ver0", ""),
1961 ("peap-ver0", "peapver=0"),
1962 ("peap-ver1", "peapver=1") ]
1963 for anon
,phase1
in tests
:
1964 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1965 identity
="user", anonymous_identity
=anon
,
1966 password
="password", phase1
=phase1
,
1967 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1969 dev
[0].request("REMOVE_NETWORK all")
1970 dev
[0].wait_disconnected()
1972 tests
= [ ("peap-ver0", "peapver=1"),
1973 ("peap-ver1", "peapver=0") ]
1974 for anon
,phase1
in tests
:
1975 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1976 identity
="user", anonymous_identity
=anon
,
1977 password
="password", phase1
=phase1
,
1978 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1979 wait_connect
=False, scan_freq
="2412")
1980 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1982 raise Exception("No EAP-Failure seen")
1983 dev
[0].request("REMOVE_NETWORK all")
1984 dev
[0].wait_disconnected()
1986 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
1987 ca_cert
="auth_serv/ca.pem",
1988 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1989 phase2
="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # The *2 parameters configure the inner (phase 2) EAP-TLS: the client
    # certificate and key are only presented inside the PEAP tunnel.
    eap_connect(sta, hapd, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Mutual certificate authentication: server validated against ca.pem,
    # client authenticated with user.pem/user.key (unencrypted key file).
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS#8 private key (PKCS#5 v2 PBES2 with 3DES); the
    # passphrase unlocks the key file at load time.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    check_pkcs5_v15_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Legacy PKCS#5 v1.5 key encryption; support depends on the TLS library,
    # hence the capability check above. The scheme is weak by modern
    # standards and is exercised here only for compatibility coverage.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
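def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, path):
        # Load a PEM file into a named supplicant config blob, hex-encoded
        # over the control interface. The error names the blob that failed;
        # the previous version reported "cacert" for the user key as well.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # The private key is handed to the supplicant as a blob, so the network
    # configuration itself references no key file on disk.
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")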
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    missing = "blob://testing-blob-does-not-exist"
    # All three credential references point at a blob that was never set;
    # EAP method initialization must fail instead of proceeding without
    # a trust root or client credentials.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert=missing,
                client_cert=missing,
                private_key=missing,
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer add the TLS Message Length field
    # even when no fragmentation is needed; the server must accept it.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
2072 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2073 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2074 check_pkcs12_support(dev
[0])
2075 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2076 hapd
= hostapd
.add_ap(apdev
[0], params
)
2077 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2078 private_key
="auth_serv/user.pkcs12",
2079 private_key_passwd
="whatever")
2080 dev
[0].request("REMOVE_NETWORK all")
2081 dev
[0].wait_disconnected()
2083 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2084 identity
="tls user",
2085 ca_cert
="auth_serv/ca.pem",
2086 private_key
="auth_serv/user.pkcs12",
2087 wait_connect
=False, scan_freq
="2412")
2088 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2090 raise Exception("Request for private key passphrase timed out")
2091 id = ev
.split(':')[0].split('-')[-1]
2092 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2093 dev
[0].wait_connected(timeout
=10)
2094 dev
[0].request("REMOVE_NETWORK all")
2095 dev
[0].wait_disconnected()
2097 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2098 # different files to cover both cases of the extra certificate being the
2099 # one that signed the client certificate and it being unrelated to the
2100 # client certificate.
2101 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2103 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2104 ca_cert
="auth_serv/ca.pem",
2106 private_key_passwd
="whatever")
2107 dev
[0].request("REMOVE_NETWORK all")
2108 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def set_blob(name, data):
        # Blobs travel hex-encoded over the control interface.
        if "OK" not in sta.request("SET blob " + name + " " +
                                   data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle (client certificate plus password-protected private
    # key) is passed as raw DER bytes, not PEM, and unlocked with
    # private_key_passwd below.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(sta, hapd, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
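def _expect_untrusted_server_rejected(sta):
    """Verify that a station refuses a server whose certificate is untrusted.

    Expected sequence on the control interface: EAP starts with TTLS, a
    TLS certificate error is reported, EAP fails, the station disconnects
    and the network block is temporarily disabled. Any other outcome
    (in particular EAP success or a connection) raises.
    """
    def expect(events, timeout, msg):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    outcome = ["CTRL-EVENT-EAP-SUCCESS",
               "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED",
               "CTRL-EVENT-DISCONNECTED"]
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")

    ev = expect(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled so the client does not
    # keep retrying (and re-sending its identity) to an untrusted server.
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # Both stations trust a CA that did not issue the server certificate -
    # dev[0] via a config blob, dev[1] via a file. The backslash in the
    # identity is escaped explicitly ("\m" is an invalid escape on Python 3);
    # the string value is unchanged.
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                  password="password", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **common)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **common)

    # Use a dedicated loop variable: the previous version iterated with
    # 'dev' itself, shadowing the parameter for the rest of the function.
    for sta in (dev[0], dev[1]):
        _expect_untrusted_server_rejected(sta)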
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    base = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP", scan_freq="2412")
    # First network trusts the real CA and connects. The second is identical
    # except that it trusts a CA which did not issue the server certificate.
    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **base)
    net_id = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **base)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # Switching to the network with the wrong trust root must start a fresh
    # EAP-TTLS exchange (EAP type 21) rather than reuse the earlier
    # successful state, and that exchange must fail: the disconnection has
    # to carry reason code 23 (IEEE 802.1X authentication failed).
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    base = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password", phase2="auth=PAP", scan_freq="2412")
    # NOTE: the first network deliberately sets no ca_cert, i.e. the server
    # certificate is not validated at all on this connection. That is a
    # test-only setup to contrast with the second network; a real profile
    # must always pin a trust root, otherwise the PAP password would be
    # sent through a tunnel to whoever answers.
    sta.connect("test-wpa2-eap", wait_connect=True, **base)
    net_id = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **base)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(net_id, freq="2412")

    # The network with the wrong trust root must start a fresh EAP-TTLS
    # exchange (EAP type 21) and fail it; disconnection reason 23 is
    # "IEEE 802.1X authentication failed".
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()

    # Same network block, but its trust root is swapped for a CA that did
    # not issue the server certificate. Re-selecting it must start a new
    # EAP-TTLS exchange (EAP type 21) that fails, with disconnection reason
    # 23 (IEEE 802.1X authentication failed) - the earlier success with the
    # old ca_cert must not carry over.
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # The server certificate chains to the trusted CA, but its name does not
    # end in the configured suffix. A valid chain alone is not enough: the
    # client must abort before sending any inner credential.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    outcome = ["CTRL-EVENT-EAP-SUCCESS",
               "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED",
               "CTRL-EVENT-DISCONNECTED"]
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled so the client does not
    # keep retrying against the mismatching server.
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # domain_match requires an exact name match (unlike domain_suffix_match).
    # The server certificate is CA-valid but carries a different name, so
    # the handshake must be aborted before any inner credential is sent.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    outcome = ["CTRL-EVENT-EAP-SUCCESS",
               "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED",
               "CTRL-EVENT-DISCONNECTED"]
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(outcome, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled so the client does not
    # keep retrying against the mismatching server.
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
# Negative test: subject_match="/C=FI/O=w1.fi/CN=example.com" must not match
# the server certificate, so the supplicant has to report a TLS certificate
# error with "Subject mismatch", fail EAP, disconnect and temporarily disable
# the network block. Unlike the domain_match test this one does not call
# check_subject_match_support() up front; a build whose TLS library cannot
# do subject_match is handled inline (see the EAP method initialization
# branch below).
# NOTE(review): original lines 2381, 2383, 2385, 2388, 2395, 2398, 2404,
# 2410, 2415, 2419, 2422, 2426 and 2428 are not in this rendering. Judging
# by the following raise statements most are "if ev is None:" guards; 2395
# is presumably the early return for the "not supported" case, since the
# TTLS check on 2396 could not pass after an initialization failure.
2371 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
2372 """WPA2-Enterprise negative test - subject mismatch"""
2373 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2374 hostapd
.add_ap(apdev
[0], params
)
2375 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2376 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2377 password
="password", phase2
="auth=MSCHAPV2",
2378 ca_cert
="auth_serv/ca.pem",
# Full-DN form; CN=example.com is intended not to match the test server.
2379 subject_match
="/C=FI/O=w1.fi/CN=example.com",
2380 wait_connect
=False, scan_freq
="2412")
2382 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2384 raise Exception("Association and EAP start timed out")
# Either the method is selected, or the supplicant refuses to initialize it
# because the subject_match parameter is unsupported by the TLS library.
2386 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2387 "EAP: Failed to initialize EAP method"], timeout
=10)
2389 raise Exception("EAP method selection timed out")
2390 if "EAP: Failed to initialize EAP method" in ev
:
2391 tls
= dev
[0].request("GET tls_library")
# With OpenSSL the parameter is supported, so an init failure is a real
# error; with other libraries refusing the config is the safe outcome.
2392 if tls
.startswith("OpenSSL"):
2393 raise Exception("Failed to select EAP method")
2394 logger
.info("subject_match not supported - connection failed, so test succeeded")
2396 if "TTLS" not in ev
:
2397 raise Exception("Unexpected EAP method")
2399 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2400 "CTRL-EVENT-EAP-SUCCESS",
2401 "CTRL-EVENT-EAP-FAILURE",
2402 "CTRL-EVENT-CONNECTED",
2403 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2405 raise Exception("EAP result timed out")
2406 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2407 raise Exception("TLS certificate error not reported")
2408 if "Subject mismatch" not in ev
:
2409 raise Exception("Subject mismatch not reported")
2411 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2412 "CTRL-EVENT-EAP-FAILURE",
2413 "CTRL-EVENT-CONNECTED",
2414 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2416 raise Exception("EAP result(2) timed out")
2417 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2418 raise Exception("EAP failure not reported")
2420 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2421 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2423 raise Exception("EAP result(3) timed out")
2424 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2425 raise Exception("Disconnection not reported")
2427 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2429 raise Exception("Network block disabling not reported")
# Driver for the altsubject_match negative test: brings up one AP and runs
# _test_ap_wpa2_eap_tls_neg_altsubject_match() once per non-matching
# altsubject_match value. Both a bare hostname and a "DNS:"-prefixed entry
# are exercised.
# NOTE(review): original lines 2435 and 2438-2440 are not in this rendering;
# they presumably hold the rest of the tests list and the loop header that
# binds "match", which is used on 2441.
2431 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2432 """WPA2-Enterprise negative test - altsubject mismatch"""
2433 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2434 hostapd
.add_ap(apdev
[0], params
)
2436 tests
= [ "incorrect.example.com",
2437 "DNS:incorrect.example.com",
2441 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
# One altsubject_match negative round: connect with the given (non-matching)
# altsubject_match value and require a TLS certificate error carrying
# "AltSubject mismatch", followed by EAP failure, disconnection and the
# network block being temporarily disabled. The network is removed at the
# end so the caller can run the next value on a clean station.
# Parameters: dev/apdev as in the test entry points; match is the
# altsubject_match string to configure. The AP must already be up.
# NOTE(review): original lines 2450, 2452, 2454, 2457, 2464, 2467, 2473,
# 2479, 2484, 2488, 2491, 2495, 2497 and 2499 are not in this rendering
# (blank lines and, judging by the raise statements that follow, the
# "if ev is None:" guards; 2464 is presumably the early return for the
# "not supported" case).
2443 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
2444 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2445 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2446 password
="password", phase2
="auth=MSCHAPV2",
2447 ca_cert
="auth_serv/ca.pem",
2448 altsubject_match
=match
,
2449 wait_connect
=False, scan_freq
="2412")
2451 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2453 raise Exception("Association and EAP start timed out")
# Same unsupported-library handling as the subject_match test: OpenSSL must
# accept the parameter, other libraries may refuse to initialize TTLS.
2455 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2456 "EAP: Failed to initialize EAP method"], timeout
=10)
2458 raise Exception("EAP method selection timed out")
2459 if "EAP: Failed to initialize EAP method" in ev
:
2460 tls
= dev
[0].request("GET tls_library")
2461 if tls
.startswith("OpenSSL"):
2462 raise Exception("Failed to select EAP method")
2463 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
2465 if "TTLS" not in ev
:
2466 raise Exception("Unexpected EAP method")
2468 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2469 "CTRL-EVENT-EAP-SUCCESS",
2470 "CTRL-EVENT-EAP-FAILURE",
2471 "CTRL-EVENT-CONNECTED",
2472 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2474 raise Exception("EAP result timed out")
2475 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2476 raise Exception("TLS certificate error not reported")
2477 if "AltSubject mismatch" not in ev
:
2478 raise Exception("altsubject mismatch not reported")
2480 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2481 "CTRL-EVENT-EAP-FAILURE",
2482 "CTRL-EVENT-CONNECTED",
2483 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2485 raise Exception("EAP result(2) timed out")
2486 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2487 raise Exception("EAP failure not reported")
2489 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2490 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2492 raise Exception("EAP result(3) timed out")
2493 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2494 raise Exception("Disconnection not reported")
2496 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2498 raise Exception("Network block disabling not reported")
# Clean up so the next altsubject_match value starts from an empty config.
2500 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Starts an AP with the default WPA2-Enterprise parameters, connects dev[0]
    with the UNAUTH-TLS method as identity "unauth-tls" while validating the
    server against auth_serv/ca.pem, and then checks that a reauthentication
    with the same method also succeeds.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
# Server certificate pinning for EAP-TTLS, in three phases:
#  1. ca_cert="probe://" - the supplicant reports the server certificate
#     (CTRL-EVENT-EAP-PEER-CERT depth=0 with "hash=<sha256>") and then ends
#     the attempt with a "Server certificate chain probe" TLS error, so a
#     probe never results in a connection.
#  2. ca_cert="hash://server/sha256/<wrong hash>" - a pin that does not
#     match the server certificate must produce "Server certificate
#     mismatch" and a disconnection.
#  3. ca_cert="hash://server/sha256/<srv_cert_hash>" - the correct pin
#     connects normally through eap_connect().
# The phase-1 and phase-2 attempts are made with wait_connect=False and the
# network is removed between phases.
# NOTE(review): original lines 2521, 2524, 2529, 2535, 2542, 2545 and 2551
# are not in this rendering (blank lines and, judging by the following
# raise statements, the "if ev is None:" guards).
2510 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
2511 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
2512 check_cert_probe_support(dev
[0])
2513 skip_with_fips(dev
[0])
# SHA-256 fingerprint of the test server certificate, as reported by the
# probe and later used as the pin.
2514 srv_cert_hash
= "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
2515 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2516 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Phase 1: probe. No credentials are needed since the TLS handshake is
# aborted once the server certificate has been seen.
2517 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2518 identity
="probe", ca_cert
="probe://",
2519 wait_connect
=False, scan_freq
="2412")
2520 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2522 raise Exception("Association and EAP start timed out")
2523 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
2525 raise Exception("No peer server certificate event seen")
2526 if "hash=" + srv_cert_hash
not in ev
:
2527 raise Exception("Expected server certificate hash not reported")
2528 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2530 raise Exception("EAP result timed out")
2531 if "Server certificate chain probe" not in ev
:
2532 raise Exception("Server certificate probe not reported")
2533 dev
[0].wait_disconnected(timeout
=10)
2534 dev
[0].request("REMOVE_NETWORK all")
# Phase 2: a syntactically valid pin that belongs to some other certificate.
2536 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2537 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2538 password
="password", phase2
="auth=MSCHAPV2",
2539 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2540 wait_connect
=False, scan_freq
="2412")
2541 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2543 raise Exception("Association and EAP start timed out")
2544 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2546 raise Exception("EAP result timed out")
2547 if "Server certificate mismatch" not in ev
:
2548 raise Exception("Server certificate mismatch not reported")
2549 dev
[0].wait_disconnected(timeout
=10)
2550 dev
[0].request("REMOVE_NETWORK all")
# Phase 3: the pin learned from the probe; this is the only attempt that is
# expected to reach a connected state.
2552 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
2553 anonymous_identity
="ttls", password
="password",
2554 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
2555 phase2
="auth=MSCHAPV2")
# Malformed hash:// pins must be rejected when the EAP method is
# initialized, not silently ignored (which would leave the server
# certificate unverified). Three stations each try one bad form:
#   dev[0]: "hash://server/md5/..."    - algorithm other than sha256
#   dev[1]: sha256 value that is 62 hex digits instead of 64
#   dev[2]: sha256 value containing a non-hex character ('Q')
# For each one the expected outcome is the control event
# "EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)".
# NOTE(review): original lines 2578 and 2581 are not in this rendering;
# judging by the raise statements on 2579 and 2582 they are the
# "if ev is None:" guards.
2557 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
2558 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2559 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2560 hostapd
.add_ap(apdev
[0], params
)
2561 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2562 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2563 password
="password", phase2
="auth=MSCHAPV2",
2564 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2565 wait_connect
=False, scan_freq
="2412")
2566 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2567 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2568 password
="password", phase2
="auth=MSCHAPV2",
2569 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2570 wait_connect
=False, scan_freq
="2412")
2571 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2572 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2573 password
="password", phase2
="auth=MSCHAPV2",
2574 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2575 wait_connect
=False, scan_freq
="2412")
# All three stations were started first so the waits below overlap instead
# of running three full association timeouts back to back.
2576 for i
in range(0, 3):
2577 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2579 raise Exception("Association and EAP start timed out")
2580 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2582 raise Exception("Did not report EAP method initialization failure")
# EAP-pwd basics: a normal connection plus reauthentication on dev[0], a
# connection with a very long NAI identity on dev[1], a wrong-password
# negative case on dev[2] (expect_failure=True, local_error_report=True)
# and a second long-identity connection on dev[0].
# NOTE(review): original lines 2592, 2596-2597, 2601 and 2605-2606 are not
# in this rendering. 2596 and 2605 are continuations of the eap_connect
# calls that begin on 2593 and 2602 (the rendered text ends with a trailing
# comma), so the complete keyword arguments of those two calls cannot be
# read here.
2584 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2585 """WPA2-Enterprise connection using EAP-pwd"""
2586 check_eap_capa(dev
[0], "PWD")
2587 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2588 hapd
= hostapd
.add_ap(apdev
[0], params
)
2589 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2590 eap_reauth(dev
[0], "PWD")
2591 dev
[0].request("REMOVE_NETWORK all")
# Long identity: exercises the identity length handling of the method.
2593 eap_connect(dev
[1], hapd
, "PWD",
2594 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2595 password
="secret password",
2598 logger
.info("Negative test with incorrect password")
# "secret-password" differs from the provisioned "secret password"; the
# connection must fail rather than succeed on a near-miss.
2599 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2600 expect_failure
=True, local_error_report
=True)
2602 eap_connect(dev
[0], hapd
, "PWD",
2603 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2604 password
="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    User "pwd-hash" is authenticated twice: dev[0] supplies the plaintext
    password, dev[1] the NT hash form ("hash:" followed by the hex digest).
    dev[2] then presents that same hash for the different user "pwd user",
    which must fail (expect_failure=True, local_error_report=True). The test
    is skipped when the build lacks EAP-pwd or runs in FIPS mode.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # (station index, identity, extra keyword arguments), run in this order.
    cases = [
        (0, "pwd-hash", dict(password="secret password")),
        (1, "pwd-hash", dict(password_hex=nt_hash)),
        (2, "pwd user", dict(password_hex=nt_hash,
                             expect_failure=True, local_error_report=True)),
    ]
    for idx, identity, extra in cases:
        eap_connect(dev[idx], ap, "PWD", identity, **extra)
# Runs an EAP-pwd connection once per configured ECC group. The base list is
# [19, 20, 21, 25, 26]; the Brainpool groups 27-30 are added only when the
# supplicant reports both "build=OpenSSL 1.0.2" and "run=OpenSSL 1.0.2" in
# GET tls_library. Each iteration starts a fresh AP with pwd_group set,
# connects dev[0], then removes the network and waits for the disconnection
# before the next group. A connection failure with group 25 is tolerated
# when the TLS library is BoringSSL.
# NOTE(review): original lines 2631, 2635, 2641, 2645 and 2648-2650 are not
# in this rendering; presumably the loop header over "groups" (i is used
# from 2632 on), a try/except around the connection, and the
# continue/raise that follows the BoringSSL special case.
2620 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2621 """WPA2-Enterprise connection using various EAP-pwd groups"""
2622 check_eap_capa(dev
[0], "PWD")
2623 tls
= dev
[0].request("GET tls_library")
# Built by hand rather than via wpa2_eap_params() so that pwd_group can be
# set per iteration.
2624 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2625 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2626 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2627 groups
= [ 19, 20, 21, 25, 26 ]
2628 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
2629 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
2630 groups
+= [ 27, 28, 29, 30 ]
2632 logger
.info("Group %d" % i
)
2633 params
['pwd_group'] = str(i
)
2634 hapd
= hostapd
.add_ap(apdev
[0], params
)
2636 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2637 password
="secret password")
2638 dev
[0].request("REMOVE_NETWORK all")
2639 dev
[0].wait_disconnected()
2640 dev
[0].dump_monitor()
# Known-unsupported combination: do not fail the whole test on it.
2642 if "BoringSSL" in tls
and i
in [ 25 ]:
2643 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
2644 dev
[0].request("DISCONNECT")
2646 dev
[0].request("REMOVE_NETWORK all")
2647 dev
[0].dump_monitor()
# The AP is configured with pwd_group "0", which is not a usable EAP-pwd
# group; the station must end up with CTRL-EVENT-EAP-FAILURE rather than a
# connection.
# NOTE(review): original line 2663 is not in this rendering; judging by the
# raise on 2664 it is the "if ev is None:" guard. Note that the wait_event
# call on 2662 passes no explicit timeout, so the default of wait_event()
# applies.
2651 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2652 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2653 check_eap_capa(dev
[0], "PWD")
2654 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2655 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2656 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2657 params
['pwd_group'] = "0"
2658 hostapd
.add_ap(apdev
[0], params
)
2659 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2660 identity
="pwd user", password
="secret password",
2661 scan_freq
="2412", wait_connect
=False)
2662 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2664 raise Exception("Timeout on EAP failure report")
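def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured by hand (not via hostapd.wpa2_eap_params()) so that
    pwd_group and a small fragment_size of 40 can be set on the EAP server;
    dev[0] then has to complete EAP-pwd against the fragmented exchange.
    Skipped when the build lacks EAP-pwd.
    """
    check_eap_capa(dev[0], "PWD")
    # The previous version first called hostapd.wpa2_eap_params() and then
    # immediately overwrote the result with this literal; the dead call has
    # been dropped, the parameters actually used are unchanged.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")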
# EAP-GPSK: normal connection and reauthentication, then the phase1
# parameter is used to force each cipher suite ("cipher=1", "cipher=2") on
# the existing network block and an EAP success plus connection is required
# for each. "cipher=9" is not offered by the server, so that negotiation
# must end in CTRL-EVENT-EAP-FAILURE. Finally a wrong password (first byte
# changed) must be rejected.
# NOTE(review): original lines 2684, 2689, 2692, 2696 and 2698 are not in
# this rendering (blank lines and, judging by the raise statements, the
# "if ev is None:" guards).
2677 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2678 """WPA2-Enterprise connection using EAP-GPSK"""
2679 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2680 hapd
= hostapd
.add_ap(apdev
[0], params
)
# "id" (a builtin name) holds the network id returned by eap_connect() so
# the block can be reconfigured in place below.
2681 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2682 password
="abcdefghijklmnop0123456789abcdef")
2683 eap_reauth(dev
[0], "GPSK")
2685 logger
.info("Test forced algorithm selection")
2686 for phase1
in [ "cipher=1", "cipher=2" ]:
# Changing phase1 on the network triggers a reconnection with that cipher.
2687 dev
[0].set_network_quoted(id, "phase1", phase1
)
2688 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2690 raise Exception("EAP success timed out")
2691 dev
[0].wait_connected(timeout
=10)
2693 logger
.info("Test failed algorithm negotiation")
2694 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2695 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2697 raise Exception("EAP failure timed out")
2699 logger
.info("Negative test with incorrect password")
2700 dev
[0].request("REMOVE_NETWORK all")
2701 eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2702 password
="ffcdefghijklmnop0123456789abcdef",
2703 expect_failure
=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects dev[0] as "sake user" with the 64-hex-digit shared secret given
    as password_hex, reauthenticates, and then verifies that a secret whose
    first byte differs (0xff instead of 0x01) is rejected.
    """
    good_secret = ("0123456789abcdef0123456789abcdef"
                   "0123456789abcdef0123456789abcdef")
    bad_secret = ("ff23456789abcdef0123456789abcdef"
                  "0123456789abcdef0123456789abcdef")
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_secret)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=bad_secret,
                expect_failure=True)
# EAP-EKE: normal connection and reauthentication, then four explicit
# dhgroup/encr/prf/mac combinations are forced through phase1 on the same
# network block and each must reach EAP success and a connection. A phase1
# naming algorithms the server does not offer ("dhgroup=9 encr=9 prf=9
# mac=9") must end in CTRL-EVENT-EAP-FAILURE, and finally the password
# "hello1" must be rejected for user "eke user".
# NOTE(review): original lines 2725, 2733, 2736, 2740 and 2742 are not in
# this rendering (blank lines and, judging by the raise statements, the
# "if ev is None:" guards).
2719 def test_ap_wpa2_eap_eke(dev
, apdev
):
2720 """WPA2-Enterprise connection using EAP-EKE"""
2721 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2722 hapd
= hostapd
.add_ap(apdev
[0], params
)
# "id" (a builtin name) keeps the network id for the phase1 changes below.
2723 id = eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2724 eap_reauth(dev
[0], "EKE")
2726 logger
.info("Test forced algorithm selection")
2727 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
2728 "dhgroup=4 encr=1 prf=2 mac=2",
2729 "dhgroup=3 encr=1 prf=2 mac=2",
2730 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2731 dev
[0].set_network_quoted(id, "phase1", phase1
)
2732 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2734 raise Exception("EAP success timed out")
2735 dev
[0].wait_connected(timeout
=10)
2737 logger
.info("Test failed algorithm negotiation")
2738 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2739 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2741 raise Exception("EAP failure timed out")
2743 logger
.info("Negative test with incorrect password")
2744 dev
[0].request("REMOVE_NETWORK all")
2745 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello1",
2746 expect_failure
=True)
# Stress variant: 100 rounds of EAP-EKE connections (phase1 fixed to
# "dhgroup=3 encr=1 prf=1 mac=1") on several stations, only run with the
# --long option (params['long']). A CTRL-EVENT-DISCONNECTED instead of a
# connection is counted as a failure, not raised, because the RADIUS
# server's active-session limit can be hit during the run; the totals are
# logged at the end.
# NOTE(review): original lines 2754-2755, 2757, 2762, 2765, 2768 and
# 2774-2776 are not in this rendering. Judging by the rest of the body they
# hold the success/fail counters, the inner loop that binds j (dev[j] is
# used from 2758 on), the "if ev is None:" guard and the bookkeeping after
# a failed round; none of that can be read here.
# Parameters: dev/apdev as usual; params is the test-run parameter dict
# (only its 'long' key is read) and is rebound to the AP configuration on
# 2752.
2748 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
2749 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2750 if not params
['long']:
2751 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2752 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2753 hostapd
.add_ap(apdev
[0], params
)
2756 for i
in range(100):
2758 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
2759 identity
="eke user", password
="hello",
2760 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
2761 scan_freq
="2412", wait_connect
=False)
2763 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
2764 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
2766 raise Exception("No connected/disconnected event")
2767 if "CTRL-EVENT-DISCONNECTED" in ev
:
2769 # The RADIUS server limits on active sessions can be hit when
2770 # going through this test case, so try to give some more time
2771 # for the server to remove sessions.
2772 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
2773 dev
[j
].request("REMOVE_NETWORK all")
# Successful round: tear the network down and wait for the disconnection
# so the next round starts from a clean state.
2777 dev
[j
].request("REMOVE_NETWORK all")
2778 dev
[j
].wait_disconnected()
2779 dev
[j
].dump_monitor()
2780 logger
.info("Total success=%d failure=%d" % (success
, fail
))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the integrated EAP server parameters with server_id set to the NAI
    form 'example.server@w1.fi' and checks that dev[0] can still complete
    EAP-EKE as "eke user".
    """
    ap_params = int_eap_server_params()
    ap_params.update({'server_id': 'example.server@w1.fi'})
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
# Fault injection on the EAP-EKE server side: alloc_fail(hapd, count, func)
# makes the count-th allocation in func fail, and the test checks that the
# server copes (the client sees a failure rather than a crash or a hang).
# Three rounds:
#  1. commit/confirm/identity processing functions - eap_connect() with
#     expect_failure=True must observe a clean failure.
#  2. init/session-id/key/message builders - connect without waiting, stop
#     as soon as GET_ALLOC_FAIL reports the failure was triggered.
#  3. eap_server_sm_step with count 1, 2, 3, ... until alloc_fail raises
#     "Allocation failure did not trigger", meaning all allocations in the
#     state machine step have been covered; too few iterations is an error.
# NOTE(review): original lines 2794, 2811, 2825-2826, 2828, 2830, 2832,
# 2840-2841, 2843, 2847 and 2850-2852 are not in this rendering (blank
# lines, the try: around the third round, and the wait/break statements
# that the comments on 2823-2824 and 2838-2839 refer to).
# NOTE(review): "except Exception, e" on 2845 is Python 2 syntax only.
2789 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2790 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2791 params
= int_eap_server_params()
2792 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Scan once up front so each connect() below does not have to.
2793 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2795 for count
,func
in [ (1, "eap_eke_build_commit"),
2796 (2, "eap_eke_build_commit"),
2797 (3, "eap_eke_build_commit"),
2798 (1, "eap_eke_build_confirm"),
2799 (2, "eap_eke_build_confirm"),
2800 (1, "eap_eke_process_commit"),
2801 (2, "eap_eke_process_commit"),
2802 (1, "eap_eke_process_confirm"),
2803 (1, "eap_eke_process_identity"),
2804 (2, "eap_eke_process_identity"),
2805 (3, "eap_eke_process_identity"),
2806 (4, "eap_eke_process_identity") ]:
2807 with
alloc_fail(hapd
, count
, func
):
2808 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
2809 expect_failure
=True)
2810 dev
[0].request("REMOVE_NETWORK all")
# The password column lets eap_eke_build_failure be reached ("wrong").
2812 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2813 (1, "eap_eke_get_session_id", "hello"),
2814 (1, "eap_eke_getKey", "hello"),
2815 (1, "eap_eke_build_msg", "hello"),
2816 (1, "eap_eke_build_failure", "wrong"),
2817 (1, "eap_eke_build_identity", "hello"),
2818 (2, "eap_eke_build_identity", "hello") ]:
2819 with
alloc_fail(hapd
, count
, func
):
2820 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2821 eap
="EKE", identity
="eke user", password
=pw
,
2822 wait_connect
=False, scan_freq
="2412")
2823 # This would eventually time out, but we can stop after having
2824 # reached the allocation failure.
# GET_ALLOC_FAIL starting with '0' means the pending failure count has
# reached zero, i.e. the injected failure has fired.
2827 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2829 dev
[0].request("REMOVE_NETWORK all")
# Upper bound of 1000 only guards against an endless loop; the round is
# expected to end early via the exception handled on 2845.
2831 for count
in range(1, 1000):
2833 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2834 dev
[0].connect("test-wpa2-eap",
2835 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2836 eap
="EKE", identity
="eke user", password
=pw
,
2837 wait_connect
=False, scan_freq
="2412")
2838 # This would eventually time out, but we can stop after having
2839 # reached the allocation failure.
2842 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2844 dev
[0].request("REMOVE_NETWORK all")
2845 except Exception, e
:
# Raised by alloc_fail() once count exceeds the number of allocations in
# eap_server_sm_step; that is the normal way out of the loop.
2846 if str(e
) == "Allocation failure did not trigger":
2848 raise Exception("Too few allocation failures")
2849 logger
.info("%d allocation failures tested" % (count
- 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Sequence on dev[0] against one AP: a normal EAP-IKEv2 connection plus
    reauthentication; a connection with fragment_size="50"; a negative case
    with the password "ike-password" (expect_failure=True); and a connection
    with fragment_size="0". The network block is removed between the steps
    and the station is left disconnected at the end. Skipped when the build
    lacks EAP-IKEv2.
    """
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**extra):
        # All steps use the same method and identity; only the keyword
        # arguments differ.
        eap_connect(sta, ap, "IKEV2", "ikev2 user", **extra)

    def clear_networks():
        sta.request("REMOVE_NETWORK all")

    connect(password="ike password")
    eap_reauth(sta, "IKEV2")
    clear_networks()
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    clear_networks()
    connect(password="ike-password", expect_failure=True)
    clear_networks()

    connect(password="ike password", fragment_size="0")
    clear_networks()
    sta.wait_disconnected()
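def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured by hand (not via hostapd.wpa2_eap_params()) so that
    the EAP server uses fragment_size 50; dev[0] must then complete
    EAP-IKEv2 over the fragmented exchange and reauthenticate. Skipped when
    the build lacks EAP-IKEv2.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The previous version first called hostapd.wpa2_eap_params() and then
    # immediately overwrote the result with this literal; the dead call has
    # been dropped, the parameters actually used are unchanged.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")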
# Fault injection on the EAP-IKEv2 peer (dev[0]) side, in two rounds:
#  1. alloc_fail() on the Diffie-Hellman helpers dh_init and
#     dh_derive_shared: once CTRL-EVENT-EAP-METHOD has been seen, the test
#     only needs GET_ALLOC_FAIL to report that the failure fired.
#  2. fail_test() on the random-number source used by dh_init
#     ("os_get_random;dh_init", or "crypto_dh_init;dh_init" when the TLS
#     library is wolfSSL), checked through GET_FAIL in the same way.
# NOTE(review): original lines 2894, 2896, 2904, 2906, 2908-2909, 2911,
# 2915, 2923, 2925 and 2927-2928 are not in this rendering (blank lines, a
# list entry, the "if ev is None:" guards, the else: of the wolfSSL branch
# and the statements that follow the GET_ALLOC_FAIL / GET_FAIL checks).
2889 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2890 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2891 check_eap_capa(dev
[0], "IKEV2")
2892 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2893 hostapd
.add_ap(apdev
[0], params
)
2895 tests
= [ (1, "dh_init"),
2897 (1, "dh_derive_shared") ]
2898 for count
, func
in tests
:
2899 with
alloc_fail(dev
[0], count
, func
):
2900 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2901 identity
="ikev2 user", password
="ike password",
2902 wait_connect
=False, scan_freq
="2412")
2903 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2905 raise Exception("EAP method not selected")
# A "0:" prefix in GET_ALLOC_FAIL means the injected failure has fired.
2907 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2910 dev
[0].request("REMOVE_NETWORK all")
# The DH entry point differs per TLS library, so the fail_test target does.
2912 tls
= dev
[0].request("GET tls_library")
2913 if not tls
.startswith("wolfSSL"):
2914 tests
= [ (1, "os_get_random;dh_init") ]
2916 tests
= [ (1, "crypto_dh_init;dh_init") ]
2917 for count
, func
in tests
:
2918 with
fail_test(dev
[0], count
, func
):
2919 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2920 identity
="ikev2 user", password
="ike password",
2921 wait_connect
=False, scan_freq
="2412")
2922 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2924 raise Exception("EAP method not selected")
2926 if "0:" in dev
[0].request("GET_FAIL"):
2929 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects dev[0] as "pax.user@example.com" with the 32-hex-digit key
    given as password_hex, reauthenticates, and then checks that a key whose
    first byte differs (0xff instead of 0x01) is rejected.
    """
    identity = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"
    sta = dev[0]
    ap = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "PAX", identity, password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", identity, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for WPA-EAP-SHA256 key management with
    ieee80211w=2 (management frame protection required). dev[0] connects
    with EAP-PSK (sha256=True), reauthenticates, and the selected AKM is
    checked through the MIB (suite selector 00-0f-ac-5 both requested and
    selected) and through the "[WPA2-EAP-SHA256-CCMP]" flag of the BSS
    entry. A key whose first byte differs must then be rejected.
    """
    identity = "psk.user@example.com"
    sta = dev[0]

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    ap = hostapd.add_ap(apdev[0], ap_params)

    eap_connect(sta, ap, "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_mib = [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ]
    check_mib(sta, expected_mib)

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
# Fault injection on the EAP-PSK peer (dev[0]) side, in three rounds:
#  1. alloc_fail() on the AES-EAX encrypt/decrypt wrappers - after
#     CTRL-EVENT-EAP-METHOD, wait_fail_trigger() with GET_ALLOC_FAIL must
#     see the injected failure fire.
#  2. fail_test() on the AES-CTR and OMAC1 primitives underneath AES-EAX
#     (several counts each) - checked with GET_FAIL in the same way.
#  3. fail_test() on aes_128_encrypt_block - here the method has to end in
#     CTRL-EVENT-EAP-FAILURE, i.e. a crypto primitive failure must not be
#     silently ignored.
# The network is removed and the disconnection awaited after every case.
# Skipped in FIPS mode.
# NOTE(review): original lines 2983, 3006 and 3019 are not in this
# rendering; judging by the raise statements that follow they are the
# "if ev is None:" guards. Lines 2989, 3012 and 3023 are blank.
2969 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
2970 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2971 skip_with_fips(dev
[0])
2972 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2973 hostapd
.add_ap(apdev
[0], params
)
# Leading "=" in the function spec - see alloc_fail() in utils for its
# exact meaning; not documented here.
2974 tests
= [ (1, "=aes_128_eax_encrypt"),
2975 (1, "=aes_128_eax_decrypt") ]
2976 for count
, func
in tests
:
2977 with
alloc_fail(dev
[0], count
, func
):
2978 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2979 identity
="psk.user@example.com",
2980 password_hex
="0123456789abcdef0123456789abcdef",
2981 wait_connect
=False, scan_freq
="2412")
2982 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2984 raise Exception("EAP method not selected")
2985 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
2986 note
="Failure not triggered: %d:%s" % (count
, func
))
2987 dev
[0].request("REMOVE_NETWORK all")
2988 dev
[0].wait_disconnected()
# "inner;outer" specs target a primitive only when called from the named
# outer function, so encrypt and decrypt paths are covered separately.
2990 tests
= [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
2991 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2992 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2993 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2994 (1, "omac1_aes_vector"),
2995 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2996 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2997 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2998 (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
2999 for count
, func
in tests
:
3000 with
fail_test(dev
[0], count
, func
):
3001 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3002 identity
="psk.user@example.com",
3003 password_hex
="0123456789abcdef0123456789abcdef",
3004 wait_connect
=False, scan_freq
="2412")
3005 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3007 raise Exception("EAP method not selected")
3008 wait_fail_trigger(dev
[0], "GET_FAIL",
3009 note
="Failure not triggered: %d:%s" % (count
, func
))
3010 dev
[0].request("REMOVE_NETWORK all")
3011 dev
[0].wait_disconnected()
3013 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3014 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3015 identity
="psk.user@example.com",
3016 password_hex
="0123456789abcdef0123456789abcdef",
3017 wait_connect
=False, scan_freq
="2412")
# Unlike the rounds above, this one requires an explicit EAP failure.
3018 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3020 raise Exception("EAP method failure not reported")
3021 dev
[0].request("REMOVE_NETWORK all")
3022 dev
[0].wait_disconnected()
# WPA (not WPA2) Enterprise with PEAP/EAP-MSCHAPv2: the AP uses
# hostapd.wpa_eap_params(), and rsn=False is passed to eap_check_auth() and
# eap_reauth() accordingly. After connecting, the test checks data
# connectivity, the WPA AKM suite selector 00-50-f2-1 in the MIB, and two
# fields of STATUS-VERBOSE: portControl must be 'Auto' and eap_session_id
# must start with "19" (the EAP type code of PEAP, as hex "19" = 25).
# NOTE(review): original line 3032 is not in this rendering; it is the
# continuation of the connect() call that begins on 3029, so the remaining
# keyword arguments of that call (3031 ends with a comma) cannot be read
# here. Lines 3047 is blank.
3024 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3025 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3026 check_eap_capa(dev
[0], "MSCHAPV2")
3027 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3028 hapd
= hostapd
.add_ap(apdev
[0], params
)
3029 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3030 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3031 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
# Explicit check instead of wait_connect=True so that rsn=False can be
# passed through.
3033 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3034 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3035 eap_reauth(dev
[0], "PEAP", rsn
=False)
3036 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3037 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
3038 status
= dev
[0].get_status(extra
="VERBOSE")
3039 if 'portControl' not in status
:
3040 raise Exception("portControl missing from STATUS-VERBOSE")
3041 if status
['portControl'] != 'Auto':
3042 raise Exception("Unexpected portControl value: " + status
['portControl'])
3043 if 'eap_session_id' not in status
:
3044 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3045 if not status
['eap_session_id'].startswith("19"):
3046 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
# Interactive credential entry through the control interface. Each tuple in
# "tests" is (description, eap, anonymous_identity, identity, phase2,
# identity to supply on request, password to supply on request). A network
# is added without the credential(s), the supplicant is expected to ask for
# them with CTRL-REQ-IDENTITY and CTRL-REQ-PASSWORD / CTRL-REQ-OTP, the
# answers are given with CTRL-RSP-<TYPE>-<id>:<value>, and the connection
# must then complete. The request id is parsed from the event text.
# NOTE(review): original lines 3053, 3056, 3069, 3074, 3076, 3081 and 3088
# are not in this rendering (blank lines, the tail of the first tuple,
# which has only five of the seven fields visible, and, judging by the
# raise statements, the "if ev is None:" guards). The identity request
# block (3075-3079) is therefore shown without the condition that skips it
# when req_id is None for the entries that already carry an identity.
# NOTE(review): "id" and "type" shadow Python builtins inside the loop.
3048 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3049 """WPA2-Enterprise connection using interactive identity/password entry"""
3050 check_eap_capa(dev
[0], "MSCHAPV2")
3051 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3052 hapd
= hostapd
.add_ap(apdev
[0], params
)
3054 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
3055 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3057 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3058 "TTLS", "ttls", None, "auth=MSCHAPV2",
3059 "DOMAIN\mschapv2 user", "password"),
3060 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3061 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3062 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3063 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3064 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3065 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3066 ("Connection with dynamic PEAP/EAP-GTC password entry",
3067 "PEAP", None, "user", "auth=GTC", None, "password") ]
3068 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
# No password is configured on the network block, so the supplicant has to
# request it; the identity is omitted as well when "identity" is None.
3070 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3071 anonymous_identity
=anon
, identity
=identity
,
3072 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3073 wait_connect
=False, scan_freq
="2412")
3075 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3077 raise Exception("Request for identity timed out")
# The request id is the last "-"-separated field before the first ":" in
# the event, e.g. "CTRL-REQ-IDENTITY-0:..." -> "0".
3078 id = ev
.split(':')[0].split('-')[-1]
3079 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3080 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
3082 raise Exception("Request for password timed out")
3083 id = ev
.split(':')[0].split('-')[-1]
# EAP-GTC may ask for a one-time password instead of a password; the reply
# type has to match the request type.
3084 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3085 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3086 dev
[0].wait_connected(timeout
=10)
3087 dev
[0].request("REMOVE_NETWORK all")
# Regression test: after an interactively supplied identity leads to a
# connection, enabling an unrelated, previously added-but-disabled network
# ("other", open) must not make the supplicant start a new authentication
# attempt. A "SME: Trying to authenticate" event within 1 second of
# ENABLE_NETWORK is treated as a failure.
# NOTE(review): original lines 3094, 3097, 3105, 3110, 3114 and 3117 are
# not in this rendering (blank lines and, judging by the raise statements
# on 3106 and 3115, the "if ev is None:" / "if ev is not None:" guards).
# NOTE(review): "id" shadows the Python builtin.
3089 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
3090 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3091 check_eap_capa(dev
[0], "MSCHAPV2")
3092 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3093 hapd
= hostapd
.add_ap(apdev
[0], params
)
# only_add_network=True: the block exists but is not used for connecting.
3095 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
3096 only_add_network
=True)
3098 req_id
= "DOMAIN\mschapv2 user"
# identity=None forces the CTRL-REQ-IDENTITY request handled below.
3099 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3100 anonymous_identity
="ttls", identity
=None,
3101 password
="password",
3102 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3103 wait_connect
=False, scan_freq
="2412")
3104 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3106 raise Exception("Request for identity timed out")
3107 id = ev
.split(':')[0].split('-')[-1]
3108 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3109 dev
[0].wait_connected(timeout
=10)
3111 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
3112 raise Exception("Failed to enable network")
# Short timeout on purpose: the expected outcome is that no such event
# arrives at all.
3113 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
3115 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3116 dev
[0].request("REMOVE_NETWORK all")
3118 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3119 """WPA2-Enterprise connection using EAP vendor test"""
3120 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3121 hapd
= hostapd
.add_ap(apdev
[0], params
)
3122 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3123 eap_reauth(dev
[0], "VENDOR-TEST")
3124 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3127 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3128 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3129 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3130 hostapd
.add_ap(apdev
[0], params
)
3132 tests
= [ "eap_vendor_test_init",
3133 "eap_msg_alloc;eap_vendor_test_process",
3134 "eap_vendor_test_getKey" ]
3136 with
alloc_fail(dev
[0], 1, func
):
3137 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3139 eap
="VENDOR-TEST", identity
="vendor-test",
3141 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3142 dev
[0].request("REMOVE_NETWORK all")
3143 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Provisions a PAC through anonymous provisioning (fast_provisioning=1) into
    the blob fast_pac, confirms data connectivity through the AP, and then
    checks that a reauthentication resumes the TLS session from the PAC
    instead of running a full handshake.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Station-side EAP-FAST configuration for the provisioning run.
    sta_cfg = dict(anonymous_identity="FAST", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], hapd, "FAST", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)

    # The reauthentication must be resumed from the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    reused = reauth['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3159 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3160 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3161 check_eap_capa(dev
[0], "FAST")
3162 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3163 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3164 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3165 hapd
= hostapd
.add_ap(apdev
[0], params
)
3168 eap_connect(dev
[0], hapd
, "FAST", "user",
3169 anonymous_identity
="FAST", password
="password",
3170 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3171 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3172 with
open(pac_file
, "r") as f
:
3174 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3175 raise Exception("PAC file header missing")
3176 if "PAC-Key=" not in data
:
3177 raise Exception("PAC-Key missing from PAC file")
3178 dev
[0].request("REMOVE_NETWORK all")
3179 eap_connect(dev
[0], hapd
, "FAST", "user",
3180 anonymous_identity
="FAST", password
="password",
3181 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3184 eap_connect(dev
[1], hapd
, "FAST", "user",
3185 anonymous_identity
="FAST", password
="password",
3186 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3187 phase1
="fast_provisioning=1 fast_pac_format=binary",
3189 dev
[1].request("REMOVE_NETWORK all")
3190 eap_connect(dev
[1], hapd
, "FAST", "user",
3191 anonymous_identity
="FAST", password
="password",
3192 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3193 phase1
="fast_pac_format=binary",
3201 os
.remove(pac_file2
)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC in the binary file format (fast_pac_format=binary) into
    the blob fast_pac_bin with the PAC list capped at one entry, checks that
    reauthentication resumes the TLS session from that PAC, and then repeats
    the provisioning with fast_max_pac_list_len=0 to exercise that special
    case.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    def provision(max_pac_list_len):
        # Both runs share the station configuration; only the PAC list limit
        # in phase1 differs.
        phase1 = ("fast_provisioning=1 fast_max_pac_list_len=%d "
                  "fast_pac_format=binary" % max_pac_list_len)
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    provision(1)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    provision(0)
3228 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3229 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3230 check_eap_capa(dev
[0], "FAST")
3231 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3232 hostapd
.add_ap(apdev
[0], params
)
3234 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3235 identity
="user", anonymous_identity
="FAST",
3236 password
="password",
3237 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3238 pac_file
="blob://fast_pac_not_in_use",
3239 wait_connect
=False, scan_freq
="2412")
3240 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3242 raise Exception("Timeout on EAP failure report")
3243 dev
[0].request("REMOVE_NETWORK all")
3245 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3246 identity
="user", anonymous_identity
="FAST",
3247 password
="password",
3248 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3249 wait_connect
=False, scan_freq
="2412")
3250 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3252 raise Exception("Timeout on EAP failure report")
3254 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3255 """EAP-FAST and binary PAC errors"""
3256 check_eap_capa(dev
[0], "FAST")
3257 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3258 hapd
= hostapd
.add_ap(apdev
[0], params
)
3260 tests
= [ (1, "=eap_fast_save_pac_bin"),
3261 (1, "eap_fast_write_pac"),
3262 (2, "eap_fast_write_pac"), ]
3263 for count
, func
in tests
:
3264 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3265 raise Exception("Could not set blob")
3267 with
alloc_fail(dev
[0], count
, func
):
3268 eap_connect(dev
[0], hapd
, "FAST", "user",
3269 anonymous_identity
="FAST", password
="password",
3270 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3271 phase1
="fast_provisioning=1 fast_pac_format=binary",
3272 pac_file
="blob://fast_pac_bin_errors")
3273 dev
[0].request("REMOVE_NETWORK all")
3274 dev
[0].wait_disconnected()
3276 tests
= [ "00", "000000000000", "6ae4920c0001",
3278 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3279 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3280 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3281 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3283 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3284 raise Exception("Could not set blob")
3286 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3287 identity
="user", anonymous_identity
="FAST",
3288 password
="password",
3289 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3290 phase1
="fast_provisioning=1 fast_pac_format=binary",
3291 pac_file
="blob://fast_pac_bin_errors",
3292 scan_freq
="2412", wait_connect
=False)
3293 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3296 raise Exception("Failure not reported")
3297 dev
[0].request("REMOVE_NETWORK all")
3298 dev
[0].wait_disconnected()
3300 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3301 tests
= [ (1, "eap_fast_load_pac_bin"),
3302 (2, "eap_fast_load_pac_bin"),
3303 (3, "eap_fast_load_pac_bin") ]
3304 for count
, func
in tests
:
3305 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3306 raise Exception("Could not set blob")
3308 with
alloc_fail(dev
[0], count
, func
):
3309 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3310 identity
="user", anonymous_identity
="FAST",
3311 password
="password",
3312 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3313 phase1
="fast_provisioning=1 fast_pac_format=binary",
3314 pac_file
="blob://fast_pac_bin_errors",
3315 scan_freq
="2412", wait_connect
=False)
3316 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3319 raise Exception("Failure not reported")
3320 dev
[0].request("REMOVE_NETWORK all")
3321 dev
[0].wait_disconnected()
3323 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3324 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3325 raise Exception("Could not set blob")
3327 eap_connect(dev
[0], hapd
, "FAST", "user",
3328 anonymous_identity
="FAST", password
="password",
3329 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3330 phase1
="fast_provisioning=1 fast_pac_format=binary",
3331 pac_file
="blob://fast_pac_bin_errors")
3332 dev
[0].request("REMOVE_NETWORK all")
3333 dev
[0].wait_disconnected()
3335 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3336 tests
= [ (1, "eap_fast_pac_get_a_id"),
3337 (2, "eap_fast_pac_get_a_id") ]
3338 for count
, func
in tests
:
3339 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3340 raise Exception("Could not set blob")
3341 with
alloc_fail(dev
[0], count
, func
):
3342 eap_connect(dev
[0], hapd
, "FAST", "user",
3343 anonymous_identity
="FAST", password
="password",
3344 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3345 phase1
="fast_provisioning=1 fast_pac_format=binary",
3346 pac_file
="blob://fast_pac_bin_errors")
3347 dev
[0].request("REMOVE_NETWORK all")
3348 dev
[0].wait_disconnected()
3350 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3351 """EAP-FAST and text PAC errors"""
3352 check_eap_capa(dev
[0], "FAST")
3353 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3354 hostapd
.add_ap(apdev
[0], params
)
3356 tests
= [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3357 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3358 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3359 (1, "eap_fast_parse_start"),
3360 (1, "eap_fast_save_pac") ]
3361 for count
, func
in tests
:
3362 dev
[0].request("FLUSH")
3363 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3364 raise Exception("Could not set blob")
3366 with
alloc_fail(dev
[0], count
, func
):
3367 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3368 identity
="user", anonymous_identity
="FAST",
3369 password
="password",
3370 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3371 phase1
="fast_provisioning=1",
3372 pac_file
="blob://fast_pac_text_errors",
3373 scan_freq
="2412", wait_connect
=False)
3374 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3375 dev
[0].request("REMOVE_NETWORK all")
3376 dev
[0].wait_disconnected()
3378 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3382 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + pac
.encode("hex")):
3383 raise Exception("Could not set blob")
3385 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3386 identity
="user", anonymous_identity
="FAST",
3387 password
="password",
3388 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3389 phase1
="fast_provisioning=1",
3390 pac_file
="blob://fast_pac_text_errors",
3391 scan_freq
="2412", wait_connect
=False)
3392 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3394 raise Exception("Failure not reported")
3395 dev
[0].request("REMOVE_NETWORK all")
3396 dev
[0].wait_disconnected()
3398 dev
[0].request("FLUSH")
3399 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3400 raise Exception("Could not set blob")
3402 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3404 params
= int_eap_server_params()
3405 params
['ssid'] = "test-wpa2-eap-2"
3406 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3407 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3408 params
['eap_fast_a_id_info'] = "test server %d" % i
3410 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3412 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3413 identity
="user", anonymous_identity
="FAST",
3414 password
="password",
3415 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3416 phase1
="fast_provisioning=1",
3417 pac_file
="blob://fast_pac_text_errors",
3418 scan_freq
="2412", wait_connect
=False)
3419 dev
[0].wait_connected()
3420 dev
[0].request("REMOVE_NETWORK all")
3421 dev
[0].wait_disconnected()
3425 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3426 """EAP-FAST and PAC list truncation"""
3427 check_eap_capa(dev
[0], "FAST")
3428 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3429 raise Exception("Could not set blob")
3431 params
= int_eap_server_params()
3432 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3433 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3434 params
['eap_fast_a_id_info'] = "test server %d" % i
3435 hapd
= hostapd
.add_ap(apdev
[0], params
)
3437 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3438 identity
="user", anonymous_identity
="FAST",
3439 password
="password",
3440 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3441 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3442 pac_file
="blob://fast_pac_truncate",
3443 scan_freq
="2412", wait_connect
=False)
3444 dev
[0].wait_connected()
3445 dev
[0].request("REMOVE_NETWORK all")
3446 dev
[0].wait_disconnected()
3450 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3451 """EAP-FAST and PAC refresh"""
3452 check_eap_capa(dev
[0], "FAST")
3453 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3454 raise Exception("Could not set blob")
3456 params
= int_eap_server_params()
3457 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3458 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3459 params
['eap_fast_a_id_info'] = "test server %d" % i
3460 params
['pac_key_refresh_time'] = "1"
3461 params
['pac_key_lifetime'] = "10"
3462 hapd
= hostapd
.add_ap(apdev
[0], params
)
3464 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3465 identity
="user", anonymous_identity
="FAST",
3466 password
="password",
3467 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3468 phase1
="fast_provisioning=1",
3469 pac_file
="blob://fast_pac_refresh",
3470 scan_freq
="2412", wait_connect
=False)
3471 dev
[0].wait_connected()
3472 dev
[0].request("REMOVE_NETWORK all")
3473 dev
[0].wait_disconnected()
3478 params
= int_eap_server_params()
3479 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3480 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3481 params
['eap_fast_a_id_info'] = "test server %d" % i
3482 params
['pac_key_refresh_time'] = "10"
3483 params
['pac_key_lifetime'] = "10"
3484 hapd
= hostapd
.add_ap(apdev
[0], params
)
3486 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3487 identity
="user", anonymous_identity
="FAST",
3488 password
="password",
3489 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3490 phase1
="fast_provisioning=1",
3491 pac_file
="blob://fast_pac_refresh",
3492 scan_freq
="2412", wait_connect
=False)
3493 dev
[0].wait_connected()
3494 dev
[0].request("REMOVE_NETWORK all")
3495 dev
[0].wait_disconnected()
3499 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3500 """EAP-FAST and PAC lifetime"""
3501 check_eap_capa(dev
[0], "FAST")
3502 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3503 raise Exception("Could not set blob")
3506 params
= int_eap_server_params()
3507 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3508 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3509 params
['eap_fast_a_id_info'] = "test server %d" % i
3510 params
['pac_key_refresh_time'] = "0"
3511 params
['pac_key_lifetime'] = "2"
3512 hapd
= hostapd
.add_ap(apdev
[0], params
)
3514 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3515 identity
="user", anonymous_identity
="FAST",
3516 password
="password",
3517 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3518 phase1
="fast_provisioning=2",
3519 pac_file
="blob://fast_pac_refresh",
3520 scan_freq
="2412", wait_connect
=False)
3521 dev
[0].wait_connected()
3522 dev
[0].request("DISCONNECT")
3523 dev
[0].wait_disconnected()
3526 dev
[0].request("PMKSA_FLUSH")
3527 dev
[0].request("RECONNECT")
3528 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3530 raise Exception("No EAP-Failure seen after expired PAC")
3531 dev
[0].request("DISCONNECT")
3532 dev
[0].wait_disconnected()
3534 dev
[0].select_network(id)
3535 dev
[0].wait_connected()
3536 dev
[0].request("REMOVE_NETWORK all")
3537 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC through authenticated provisioning (fast_provisioning=2)
    with EAP-GTC as the inner method into the blob fast_pac_auth, confirms
    data connectivity, and then checks that a reauthentication resumes the
    TLS session from the provisioned PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Station-side EAP-FAST configuration for the provisioning run.
    sta_cfg = dict(anonymous_identity="FAST", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], hapd, "FAST", "user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)

    # The reauthentication must be resumed from the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    reused = reauth['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3553 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3554 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3555 check_eap_capa(dev
[0], "FAST")
3556 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3557 hapd
= hostapd
.add_ap(apdev
[0], params
)
3558 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3559 anonymous_identity
="FAST", password
="password",
3560 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3561 phase1
="fast_provisioning=2",
3562 pac_file
="blob://fast_pac_auth")
3563 dev
[0].set_network_quoted(id, "identity", "user2")
3564 dev
[0].wait_disconnected()
3565 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3567 raise Exception("EAP-FAST not started")
3568 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3570 raise Exception("EAP failure not reported")
3571 dev
[0].wait_disconnected()
3573 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3574 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3575 check_eap_capa(dev
[0], "FAST")
3576 tls
= dev
[0].request("GET tls_library")
3577 if tls
.startswith("OpenSSL"):
3578 func
= "tls_connection_get_eap_fast_key"
3580 elif tls
.startswith("internal"):
3581 func
= "tls_connection_prf"
3584 raise HwsimSkip("Unsupported TLS library")
3585 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3586 hapd
= hostapd
.add_ap(apdev
[0], params
)
3587 with
alloc_fail(dev
[0], count
, func
):
3588 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3589 identity
="user", anonymous_identity
="FAST",
3590 password
="password", ca_cert
="auth_serv/ca.pem",
3592 phase1
="fast_provisioning=2",
3593 pac_file
="blob://fast_pac_auth",
3594 wait_connect
=False, scan_freq
="2412")
3595 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3597 raise Exception("EAP failure not reported")
3598 dev
[0].request("DISCONNECT")
3600 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3601 """EAP-FAST/MSCHAPv2 and server OOM"""
3602 check_eap_capa(dev
[0], "FAST")
3604 params
= int_eap_server_params()
3605 params
['dh_file'] = 'auth_serv/dh.conf'
3606 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3607 params
['eap_fast_a_id'] = '1011'
3608 params
['eap_fast_a_id_info'] = 'another test server'
3609 hapd
= hostapd
.add_ap(apdev
[0], params
)
3611 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3612 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3613 anonymous_identity
="FAST", password
="password",
3614 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3615 phase1
="fast_provisioning=1",
3616 pac_file
="blob://fast_pac",
3617 expect_failure
=True)
3618 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3620 raise Exception("No EAP failure reported")
3621 dev
[0].wait_disconnected()
3622 dev
[0].request("DISCONNECT")
3624 dev
[0].select_network(id, freq
="2412")
3626 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3627 """EAP-FAST and different TLS cipher suites"""
3628 check_eap_capa(dev
[0], "FAST")
3629 tls
= dev
[0].request("GET tls_library")
3630 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3631 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3633 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3634 hapd
= hostapd
.add_ap(apdev
[0], params
)
3636 dev
[0].request("SET blob fast_pac_ciphers ")
3637 eap_connect(dev
[0], hapd
, "FAST", "user",
3638 anonymous_identity
="FAST", password
="password",
3639 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3640 phase1
="fast_provisioning=2",
3641 pac_file
="blob://fast_pac_ciphers")
3642 res
= dev
[0].get_status_field('EAP TLS cipher')
3643 dev
[0].request("REMOVE_NETWORK all")
3644 dev
[0].wait_disconnected()
3645 if res
!= "DHE-RSA-AES256-SHA":
3646 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3648 tests
= [ "DHE-RSA-AES128-SHA",
3652 "DHE-RSA-AES256-SHA" ]
3653 for cipher
in tests
:
3654 dev
[0].dump_monitor()
3655 logger
.info("Testing " + cipher
)
3657 eap_connect(dev
[0], hapd
, "FAST", "user",
3658 openssl_ciphers
=cipher
,
3659 anonymous_identity
="FAST", password
="password",
3660 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3661 pac_file
="blob://fast_pac_ciphers")
3662 except Exception, e
:
3663 if "Could not select EAP method" in str(e
) and cipher
== "RC4-SHA":
3664 tls
= dev
[0].request("GET tls_library")
3665 if "run=OpenSSL 1.1" in tls
:
3666 logger
.info("Allow failure due to missing TLS library support")
3667 dev
[0].request("REMOVE_NETWORK all")
3668 dev
[0].wait_disconnected()
3671 res
= dev
[0].get_status_field('EAP TLS cipher')
3672 dev
[0].request("REMOVE_NETWORK all")
3673 dev
[0].wait_disconnected()
3675 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3677 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3678 """EAP-FAST and provisioning options"""
3679 check_eap_capa(dev
[0], "FAST")
3680 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3681 raise Exception("Could not set blob")
3684 params
= int_eap_server_params()
3685 params
['disable_pmksa_caching'] = '1'
3686 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3687 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3688 params
['eap_fast_a_id_info'] = "test server %d" % i
3689 params
['eap_fast_prov'] = "0"
3690 hapd
= hostapd
.add_ap(apdev
[0], params
)
3692 logger
.info("Provisioning attempt while server has provisioning disabled")
3693 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3694 identity
="user", anonymous_identity
="FAST",
3695 password
="password",
3696 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3697 phase1
="fast_provisioning=2",
3698 pac_file
="blob://fast_pac_prov",
3699 scan_freq
="2412", wait_connect
=False)
3700 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3703 raise Exception("EAP result not reported")
3704 if "parameter='failure'" not in ev
:
3705 raise Exception("Unexpected EAP result: " + ev
)
3706 dev
[0].wait_disconnected()
3707 dev
[0].request("DISCONNECT")
3708 dev
[0].dump_monitor()
3711 logger
.info("Authenticated provisioning")
3712 hapd
.set("eap_fast_prov", "2")
3715 dev
[0].select_network(id, freq
="2412")
3716 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3719 raise Exception("EAP result not reported")
3720 if "parameter='success'" not in ev
:
3721 raise Exception("Unexpected EAP result: " + ev
)
3722 dev
[0].wait_connected()
3723 dev
[0].request("DISCONNECT")
3724 dev
[0].wait_disconnected()
3725 dev
[0].dump_monitor()
3728 logger
.info("Provisioning disabled - using previously provisioned PAC")
3729 hapd
.set("eap_fast_prov", "0")
3732 dev
[0].select_network(id, freq
="2412")
3733 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3736 raise Exception("EAP result not reported")
3737 if "parameter='success'" not in ev
:
3738 raise Exception("Unexpected EAP result: " + ev
)
3739 dev
[0].wait_connected()
3740 dev
[0].request("DISCONNECT")
3741 dev
[0].wait_disconnected()
3742 dev
[0].dump_monitor()
3744 logger
.info("Drop PAC and verify connection failure")
3745 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3746 raise Exception("Could not set blob")
3748 dev
[0].select_network(id, freq
="2412")
3749 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3752 raise Exception("EAP result not reported")
3753 if "parameter='failure'" not in ev
:
3754 raise Exception("Unexpected EAP result: " + ev
)
3755 dev
[0].wait_disconnected()
3756 dev
[0].request("DISCONNECT")
3757 dev
[0].dump_monitor()
3760 logger
.info("Anonymous provisioning")
3761 hapd
.set("eap_fast_prov", "1")
3763 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3764 dev
[0].select_network(id, freq
="2412")
3765 # Anonymous provisioning results in EAP-Failure first
3766 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3769 raise Exception("EAP result not reported")
3770 if "parameter='failure'" not in ev
:
3771 raise Exception("Unexpected EAP result: " + ev
)
3772 dev
[0].wait_disconnected()
3773 # And then the actual data connection
3774 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3777 raise Exception("EAP result not reported")
3778 if "parameter='success'" not in ev
:
3779 raise Exception("Unexpected EAP result: " + ev
)
3780 dev
[0].wait_connected()
3781 dev
[0].request("DISCONNECT")
3782 dev
[0].wait_disconnected()
3783 dev
[0].dump_monitor()
3786 logger
.info("Provisioning disabled - using previously provisioned PAC")
3787 hapd
.set("eap_fast_prov", "0")
3790 dev
[0].select_network(id, freq
="2412")
3791 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3794 raise Exception("EAP result not reported")
3795 if "parameter='success'" not in ev
:
3796 raise Exception("Unexpected EAP result: " + ev
)
3797 dev
[0].wait_connected()
3798 dev
[0].request("DISCONNECT")
3799 dev
[0].wait_disconnected()
3800 dev
[0].dump_monitor()
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Connects with an EAP-TLS client certificate loaded from a PKCS#12 file
    while OCSP checking of the server certificate is enabled (ocsp=2, the
    strictest setting; presumably a valid stapled response is required -
    confirm against wpa_supplicant.conf). The test only requires the
    connection to succeed.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Client credentials: trust anchor plus PKCS#12 bundle and its passphrase.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 private_key="auth_serv/user.pkcs12",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", ocsp=2, **creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same flow as test_ap_wpa2_eap_tls_ocsp but gated on OCSP-multi support
    (check_ocsp_multi_support); the station connects with a PKCS#12 client
    certificate and ocsp=2 and the connection is expected to succeed.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Client credentials: trust anchor plus PKCS#12 bundle and its passphrase.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 private_key="auth_serv/user.pkcs12",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", ocsp=2, **creds)
def int_eap_server_params():
    # Base hostapd configuration for tests that use hostapd's integrated EAP
    # server (eap_server=1, users from auth_serv/eap_user.conf) with
    # WPA2-Enterprise/CCMP. Callers below extend the dict they get back
    # (e.g. ocsp_stapling_response, EAP-FAST PAC keys) before add_ap().
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "dh_file": "auth_serv/dh.conf" }
    # NOTE(review): the function's final line (3831) is not visible in this
    # rendering; callers such as `params = int_eap_server_params()` rely on
    # this dict being returned.
3833 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3834 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3835 check_ocsp_support(dev
[0])
3836 check_pkcs12_support(dev
[0])
3837 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3838 if not os
.path
.exists(ocsp
):
3839 raise HwsimSkip("No OCSP response available")
3840 params
= int_eap_server_params()
3841 params
["ocsp_stapling_response"] = ocsp
3842 hostapd
.add_ap(apdev
[0], params
)
3843 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3844 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3845 private_key
="auth_serv/user.pkcs12",
3846 private_key_passwd
="whatever", ocsp
=2,
3849 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3850 """EAP-TLS and CA signed OCSP response (good)"""
3851 check_ocsp_support(dev
[0])
3852 check_pkcs12_support(dev
[0])
3853 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3854 if not os
.path
.exists(ocsp
):
3855 raise HwsimSkip("No OCSP response available")
3856 params
= int_eap_server_params()
3857 params
["ocsp_stapling_response"] = ocsp
3858 hostapd
.add_ap(apdev
[0], params
)
3859 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3860 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3861 private_key
="auth_serv/user.pkcs12",
3862 private_key_passwd
="whatever", ocsp
=2,
3865 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3866 """EAP-TLS and CA signed OCSP response (revoked)"""
3867 check_ocsp_support(dev
[0])
3868 check_pkcs12_support(dev
[0])
3869 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3870 if not os
.path
.exists(ocsp
):
3871 raise HwsimSkip("No OCSP response available")
3872 params
= int_eap_server_params()
3873 params
["ocsp_stapling_response"] = ocsp
3874 hostapd
.add_ap(apdev
[0], params
)
3875 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3876 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3877 private_key
="auth_serv/user.pkcs12",
3878 private_key_passwd
="whatever", ocsp
=2,
3879 wait_connect
=False, scan_freq
="2412")
3882 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3884 raise Exception("Timeout on EAP status")
3885 if 'bad certificate status response' in ev
:
3887 if 'certificate revoked' in ev
:
3891 raise Exception("Unexpected number of EAP status messages")
3893 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3895 raise Exception("Timeout on EAP failure report")
3897 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3898 """EAP-TLS and CA signed OCSP response (unknown)"""
3899 check_ocsp_support(dev
[0])
3900 check_pkcs12_support(dev
[0])
3901 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3902 if not os
.path
.exists(ocsp
):
3903 raise HwsimSkip("No OCSP response available")
3904 params
= int_eap_server_params()
3905 params
["ocsp_stapling_response"] = ocsp
3906 hostapd
.add_ap(apdev
[0], params
)
3907 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3908 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3909 private_key
="auth_serv/user.pkcs12",
3910 private_key_passwd
="whatever", ocsp
=2,
3911 wait_connect
=False, scan_freq
="2412")
3914 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3916 raise Exception("Timeout on EAP status")
3917 if 'bad certificate status response' in ev
:
3921 raise Exception("Unexpected number of EAP status messages")
3923 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3925 raise Exception("Timeout on EAP failure report")
3927 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3928 """EAP-TLS and server signed OCSP response"""
3929 check_ocsp_support(dev
[0])
3930 check_pkcs12_support(dev
[0])
3931 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3932 if not os
.path
.exists(ocsp
):
3933 raise HwsimSkip("No OCSP response available")
3934 params
= int_eap_server_params()
3935 params
["ocsp_stapling_response"] = ocsp
3936 hostapd
.add_ap(apdev
[0], params
)
3937 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3938 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3939 private_key
="auth_serv/user.pkcs12",
3940 private_key_passwd
="whatever", ocsp
=2,
3941 wait_connect
=False, scan_freq
="2412")
3944 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3946 raise Exception("Timeout on EAP status")
3947 if 'bad certificate status response' in ev
:
3951 raise Exception("Unexpected number of EAP status messages")
3953 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3955 raise Exception("Timeout on EAP failure report")
3957 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
3958 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3959 check_ocsp_support(dev
[0])
3960 check_pkcs12_support(dev
[0])
3961 params
= int_eap_server_params()
3962 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3963 hostapd
.add_ap(apdev
[0], params
)
3964 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3965 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3966 private_key
="auth_serv/user.pkcs12",
3967 private_key_passwd
="whatever", ocsp
=2,
3968 wait_connect
=False, scan_freq
="2412")
3971 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3973 raise Exception("Timeout on EAP status")
3974 if 'bad certificate status response' in ev
:
3978 raise Exception("Unexpected number of EAP status messages")
3980 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3982 raise Exception("Timeout on EAP failure report")
3984 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
3985 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3986 check_ocsp_support(dev
[0])
3987 check_pkcs12_support(dev
[0])
3988 params
= int_eap_server_params()
3989 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3990 hostapd
.add_ap(apdev
[0], params
)
3991 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3992 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3993 private_key
="auth_serv/user.pkcs12",
3994 private_key_passwd
="whatever", ocsp
=2,
3995 wait_connect
=False, scan_freq
="2412")
3998 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4000 raise Exception("Timeout on EAP status")
4001 if 'bad certificate status response' in ev
:
4005 raise Exception("Unexpected number of EAP status messages")
4007 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4009 raise Exception("Timeout on EAP failure report")
4011 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4012 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4013 check_ocsp_support(dev
[0])
4014 check_pkcs12_support(dev
[0])
4015 params
= int_eap_server_params()
4016 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4017 hostapd
.add_ap(apdev
[0], params
)
4018 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4019 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4020 private_key
="auth_serv/user.pkcs12",
4021 private_key_passwd
="whatever", ocsp
=2,
4022 wait_connect
=False, scan_freq
="2412")
4025 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4027 raise Exception("Timeout on EAP status")
4028 if 'bad certificate status response' in ev
:
4032 raise Exception("Unexpected number of EAP status messages")
4034 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4036 raise Exception("Timeout on EAP failure report")
4038 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4039 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4040 check_ocsp_support(dev
[0])
4041 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4042 if not os
.path
.exists(ocsp
):
4043 raise HwsimSkip("No OCSP response available")
4044 params
= int_eap_server_params()
4045 params
["ocsp_stapling_response"] = ocsp
4046 hostapd
.add_ap(apdev
[0], params
)
4047 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4048 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4049 anonymous_identity
="ttls", password
="password",
4050 phase2
="auth=PAP", ocsp
=2,
4051 wait_connect
=False, scan_freq
="2412")
4054 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4056 raise Exception("Timeout on EAP status")
4057 if 'bad certificate status response' in ev
:
4059 if 'certificate revoked' in ev
:
4063 raise Exception("Unexpected number of EAP status messages")
4065 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4067 raise Exception("Timeout on EAP failure report")
4069 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4070 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
# Negative test: the AP is configured to staple an OCSP response whose
# status is "unknown" (ocsp-server-cache-unknown.der) and the station uses
# ocsp=2, so the EAP exchange is expected to be rejected, not completed.
# The ocsp=1 variant of this scenario is test_ap_wpa2_eap_ttls_optional_ocsp_unknown.
# NOTE(review): this blob rendering omits several source lines (the gutter
# numbering skips 4083-4084, 4086, 4089-4091, 4093 and 4095), so the loop and
# the `ev is None` checks around wait_event() are not visible here.
4071 check_ocsp_support(dev
[0])
# The response file is generated by the harness into the log directory;
# skip rather than fail when it is absent.
4072 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4073 if not os
.path
.exists(ocsp
):
4074 raise HwsimSkip("No OCSP response available")
4075 params
= int_eap_server_params()
4076 params
["ocsp_stapling_response"] = ocsp
4077 hostapd
.add_ap(apdev
[0], params
)
# wait_connect=False: the connection must not succeed; the status events
# are inspected below instead.
4078 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4079 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4080 anonymous_identity
="ttls", password
="password",
4081 phase2
="auth=PAP", ocsp
=2,
4082 wait_connect
=False, scan_freq
="2412")
# Expect an EAP status event reporting the bad certificate status response,
# then an EAP failure.
4085 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4087 raise Exception("Timeout on EAP status")
4088 if 'bad certificate status response' in ev
:
4092 raise Exception("Unexpected number of EAP status messages")
4094 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4096 raise Exception("Timeout on EAP failure report")
4098 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev
, apdev
, params
):
4099 """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
# Same stapled "unknown" response as test_ap_wpa2_eap_ttls_ocsp_unknown, but
# the station uses ocsp=1 instead of ocsp=2 and connect() is called without
# wait_connect=False, so the connection is expected to complete despite the
# non-good OCSP status.
# NOTE(review): unlike the sibling OCSP tests there is no check_ocsp_support()
# skip here -- presumably deliberate, since ocsp=1 has to be tolerated even by
# a build without OCSP support, but confirm that this is the intended coverage.
4100 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4101 if not os
.path
.exists(ocsp
):
4102 raise HwsimSkip("No OCSP response available")
4103 params
= int_eap_server_params()
4104 params
["ocsp_stapling_response"] = ocsp
4105 hostapd
.add_ap(apdev
[0], params
)
4106 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4107 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4108 anonymous_identity
="ttls", password
="password",
4109 phase2
="auth=PAP", ocsp
=1, scan_freq
="2412")
4111 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4112 """EAP-TLS with intermediate server/user CA"""
4113 params
= int_eap_server_params()
4114 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4115 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4116 params
["private_key"] = "auth_serv/iCA-server/server.key"
4117 hostapd
.add_ap(apdev
[0], params
)
4118 tls
= dev
[0].request("GET tls_library")
4120 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4121 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4123 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4124 client_cert
= "auth_serv/iCA-user/user.pem"
4125 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4126 identity
="tls user",
4128 client_cert
=client_cert
,
4129 private_key
="auth_serv/iCA-user/user.key",
# Produce an OCSP response for `cert`, signed by the test root CA, using the
# openssl command line tool. The first openssl run writes an OCSP request for
# the certificate (issuer: auth_serv/ca.pem) to a temporary file; the second
# run acts as a responder over that request and writes the DER response to a
# second temporary file. Callers in this file use the result as a file path
# (see test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi, which open()s it).
# Signing with the test root CA key is a fixture convenience; it is what lets
# the staple verify against the root directly.
# NOTE(review): this blob rendering omits source lines (gutter numbering skips
# 4134, 4136-4137, 4144-4146, 4150, 4152, 4157, 4161-4163 and 4167-4169); the
# closing of the second argument list, the pipe close / wait handling and the
# return statement are therefore not visible here.
4132 def root_ocsp(cert
):
4133 ca
= "auth_serv/ca.pem"
# Temporary file for the OCSP request (-reqout).
4135 fd2
, fn2
= tempfile
.mkstemp()
# Argument list (no shell), so the certificate path is passed verbatim.
# -no_nonce keeps the request nonce-free so the canned response stays valid
# for later stapling; -text only adds a human-readable dump for the log.
4138 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4139 "-cert", cert
, "-no_nonce", "-text" ]
4140 logger
.info(' '.join(arg
))
4141 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4142 stderr
=subprocess
.PIPE
)
# NOTE(review): reading stdout to EOF before touching stderr can block if
# openssl fills the stderr pipe first; cmd.communicate() would avoid that.
4143 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4147 if cmd
.returncode
!= 0:
4148 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4149 logger
.info("OCSP request:\n" + res
)
# Temporary file for the OCSP response (-respout).
4151 fd
, fn
= tempfile
.mkstemp()
# Responder mode: status comes from the root CA index (auth_serv/rootCA/
# index.txt), the response is signed with the root CA key (-rsigner/-rkey),
# -verify_other/-trust_other let openssl accept its own signer certificate,
# -ndays 7 sets the nextUpdate window and -resp_no_certs keeps the signer
# certificate out of the response.
4153 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4154 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4155 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4156 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4158 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4159 stderr
=subprocess
.PIPE
)
4160 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4164 if cmd
.returncode
!= 0:
4165 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4166 logger
.info("OCSP response:\n" + res
)
# Produce an OCSP response for a certificate issued by the intermediate
# server CA (auth_serv/iCA-server/), signed with that intermediate CA's key.
# `cert` is a file name relative to the iCA-server directory; `md` is the
# digest option inserted into the request command line (callers pass
# "-sha256" or "-sha1"). Structure mirrors root_ocsp(): one openssl run to
# build the request, a second one in responder mode to sign the response.
# Callers use the result as a file path for hostapd's ocsp_stapling_response.
# NOTE(review): this blob rendering omits source lines (gutter numbering skips
# 4174, 4176-4177, 4183-4185, 4189, 4191, 4196, 4200-4202 and 4206-4208); the
# closing of the second argument list, the pipe close / wait handling and the
# return statement are therefore not visible here.
4170 def ica_ocsp(cert
, md
="-sha256"):
4171 prefix
= "auth_serv/iCA-server/"
4172 ca
= prefix
+ "cacert.pem"
4173 cert
= prefix
+ cert
# Temporary file for the OCSP request (-reqout).
4175 fd2
, fn2
= tempfile
.mkstemp()
# Argument list (no shell). -no_nonce keeps the request nonce-free so the
# canned response remains usable as a staple later on.
4178 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4179 "-cert", cert
, "-no_nonce", "-text" ]
4180 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4181 stderr
=subprocess
.PIPE
)
# NOTE(review): reading stdout to EOF before stderr can block if openssl
# fills the stderr pipe first; cmd.communicate() would avoid that.
4182 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4186 if cmd
.returncode
!= 0:
4187 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4188 logger
.info("OCSP request:\n" + res
)
# Temporary file for the OCSP response (-respout).
4190 fd
, fn
= tempfile
.mkstemp()
# Responder mode: status from the intermediate CA's index.txt, signed with
# the intermediate CA key (private/cakey.pem); -verify_other/-trust_other let
# openssl accept its own signer certificate, -ndays 7 sets the nextUpdate
# window, -resp_no_certs keeps the signer certificate out of the response.
4192 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4193 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4194 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4195 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4197 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4198 stderr
=subprocess
.PIPE
)
4199 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4203 if cmd
.returncode
!= 0:
4204 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4205 logger
.info("OCSP response:\n" + res
)
4209 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
):
4210 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
4211 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, "-sha256")
4213 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev
, apdev
, params
):
4214 """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)"""
# Same scenario as test_ap_wpa2_eap_tls_intermediate_ca_ocsp, but the OCSP
# request/response pair is generated with the "-sha1" digest option (passed
# through to ica_ocsp()).
4215 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, "-sha1")
4217 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4218 params
= int_eap_server_params()
4219 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4220 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4221 params
["private_key"] = "auth_serv/iCA-server/server.key"
4222 fn
= ica_ocsp("server.pem", md
)
4223 params
["ocsp_stapling_response"] = fn
4225 hostapd
.add_ap(apdev
[0], params
)
4226 tls
= dev
[0].request("GET tls_library")
4228 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4229 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4231 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4232 client_cert
= "auth_serv/iCA-user/user.pem"
4233 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4234 identity
="tls user",
4236 client_cert
=client_cert
,
4237 private_key
="auth_serv/iCA-user/user.key",
4238 scan_freq
="2412", ocsp
=2)
4242 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4243 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4244 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4247 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4248 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4249 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4252 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4253 params
= int_eap_server_params()
4254 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4255 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4256 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4257 fn
= ica_ocsp("server-revoked.pem", md
)
4258 params
["ocsp_stapling_response"] = fn
4260 hostapd
.add_ap(apdev
[0], params
)
4261 tls
= dev
[0].request("GET tls_library")
4263 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4264 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4266 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4267 client_cert
= "auth_serv/iCA-user/user.pem"
4268 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4269 identity
="tls user",
4271 client_cert
=client_cert
,
4272 private_key
="auth_serv/iCA-user/user.key",
4273 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4276 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4277 "CTRL-EVENT-EAP-SUCCESS"])
4279 raise Exception("Timeout on EAP status")
4280 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4281 raise Exception("Unexpected EAP-Success")
4282 if 'bad certificate status response' in ev
:
4284 if 'certificate revoked' in ev
:
4288 raise Exception("Unexpected number of EAP status messages")
4290 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4292 raise Exception("Timeout on EAP failure report")
4293 dev
[0].request("REMOVE_NETWORK all")
4294 dev
[0].wait_disconnected()
4298 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4299 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4300 check_ocsp_support(dev
[0])
4301 check_ocsp_multi_support(dev
[0])
4303 params
= int_eap_server_params()
4304 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4305 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4306 params
["private_key"] = "auth_serv/iCA-server/server.key"
4307 fn
= ica_ocsp("server.pem")
4308 params
["ocsp_stapling_response"] = fn
4310 hostapd
.add_ap(apdev
[0], params
)
4311 tls
= dev
[0].request("GET tls_library")
4313 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4314 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4316 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4317 client_cert
= "auth_serv/iCA-user/user.pem"
4318 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4319 identity
="tls user",
4321 client_cert
=client_cert
,
4322 private_key
="auth_serv/iCA-user/user.key",
4323 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4326 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4327 "CTRL-EVENT-EAP-SUCCESS"])
4329 raise Exception("Timeout on EAP status")
4330 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4331 raise Exception("Unexpected EAP-Success")
4332 if 'bad certificate status response' in ev
:
4334 if 'certificate revoked' in ev
:
4338 raise Exception("Unexpected number of EAP status messages")
4340 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4342 raise Exception("Timeout on EAP failure report")
4343 dev
[0].request("REMOVE_NETWORK all")
4344 dev
[0].wait_disconnected()
4348 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4349 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4350 check_ocsp_support(dev
[0])
4351 check_ocsp_multi_support(dev
[0])
4353 params
= int_eap_server_params()
4354 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4355 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4356 params
["private_key"] = "auth_serv/iCA-server/server.key"
4357 fn
= ica_ocsp("server.pem")
4358 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4359 params
["ocsp_stapling_response"] = fn
4361 with
open(fn
, "r") as f
:
4362 resp_server
= f
.read()
4363 with
open(fn2
, "r") as f
:
4366 fd3
, fn3
= tempfile
.mkstemp()
4368 f
= os
.fdopen(fd3
, 'w')
4369 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4370 f
.write(resp_server
)
4371 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4375 params
["ocsp_stapling_response_multi"] = fn3
4377 hostapd
.add_ap(apdev
[0], params
)
4378 tls
= dev
[0].request("GET tls_library")
4380 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4381 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4383 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4384 client_cert
= "auth_serv/iCA-user/user.pem"
4385 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4386 identity
="tls user",
4388 client_cert
=client_cert
,
4389 private_key
="auth_serv/iCA-user/user.key",
4390 scan_freq
="2412", ocsp
=3)
4391 dev
[0].request("REMOVE_NETWORK all")
4392 dev
[0].wait_disconnected()
4398 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4399 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4400 check_ocsp_support(dev
[0])
4401 check_ocsp_multi_support(dev
[0])
4402 check_pkcs12_support(dev
[0])
4404 ocsp_revoked
= os
.path
.join(params
['logdir'],
4405 "ocsp-resp-ca-signed-revoked.der")
4406 if not os
.path
.exists(ocsp_revoked
):
4407 raise HwsimSkip("No OCSP response (revoked) available")
4408 ocsp_unknown
= os
.path
.join(params
['logdir'],
4409 "ocsp-resp-ca-signed-unknown.der")
4410 if not os
.path
.exists(ocsp_unknown
):
4411 raise HwsimSkip("No OCSP response(unknown) available")
4413 with
open(ocsp_revoked
, "r") as f
:
4414 resp_revoked
= f
.read()
4415 with
open(ocsp_unknown
, "r") as f
:
4416 resp_unknown
= f
.read()
4418 fd
, fn
= tempfile
.mkstemp()
4420 # This is not really a valid order of the OCSPResponse items in the
4421 # list, but this works for now to verify parsing and processing of
4422 # multiple responses.
4423 f
= os
.fdopen(fd
, 'w')
4424 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4425 f
.write(resp_unknown
)
4426 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4427 f
.write(resp_revoked
)
4428 f
.write(struct
.pack(">L", 0)[1:4])
4429 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4430 f
.write(resp_unknown
)
4433 params
= int_eap_server_params()
4434 params
["ocsp_stapling_response_multi"] = fn
4435 hostapd
.add_ap(apdev
[0], params
)
4436 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4437 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4438 private_key
="auth_serv/user.pkcs12",
4439 private_key_passwd
="whatever", ocsp
=1,
4440 wait_connect
=False, scan_freq
="2412")
4443 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4444 "CTRL-EVENT-EAP-SUCCESS"])
4446 raise Exception("Timeout on EAP status")
4447 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4448 raise Exception("Unexpected EAP-Success")
4449 if 'bad certificate status response' in ev
:
4451 if 'certificate revoked' in ev
:
4455 raise Exception("Unexpected number of EAP status messages")
4459 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4460 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4461 check_domain_match_full(dev
[0])
4462 check_pkcs12_support(dev
[0])
4463 params
= int_eap_server_params()
4464 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4465 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4466 hostapd
.add_ap(apdev
[0], params
)
4467 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4468 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4469 private_key
="auth_serv/user.pkcs12",
4470 private_key_passwd
="whatever",
4471 domain_suffix_match
="server3.w1.fi",
4474 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4475 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4476 check_domain_match(dev
[0])
4477 check_pkcs12_support(dev
[0])
4478 params
= int_eap_server_params()
4479 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4480 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4481 hostapd
.add_ap(apdev
[0], params
)
4482 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4483 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4484 private_key
="auth_serv/user.pkcs12",
4485 private_key_passwd
="whatever",
4486 domain_match
="server3.w1.fi",
4489 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4490 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# The server certificate (server-no-dnsname.pem) carries no dNSName, so the
# suffix comparison has to be made against the subject CN; "w1.fi" is a
# label-boundary suffix of the CN used by the sibling tests (server3.w1.fi)
# and the connection is expected to complete.
# NOTE(review): the capability checks below run against dev[0] while the
# connection is made from dev[1]; if the two stations were built with
# different TLS libraries the skip decision would not reflect dev[1].
4491 check_domain_match_full(dev
[0])
4492 check_pkcs12_support(dev
[0])
4493 params
= int_eap_server_params()
4494 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4495 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4496 hostapd
.add_ap(apdev
[0], params
)
4497 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4498 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4499 private_key
="auth_serv/user.pkcs12",
4500 private_key_passwd
="whatever",
4501 domain_suffix_match
="w1.fi",
4504 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4505 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
# Two stations, two ways a suffix constraint must fail against a server
# certificate that only has a CN (server-no-dnsname.pem):
#   dev[0]: "example.com" is unrelated to the server name entirely;
#   dev[1]: "erver3.w1.fi" is a plain string suffix of server3.w1.fi (the CN
#           the sibling tests match on) but does not start on a DNS label
#           boundary, so it must be rejected as well.
# Both stations are expected to report EAP failure.
# NOTE(review): gutter numbering skips 4517-4518, 4524-4525, 4527 and 4530,
# so the remaining connect() arguments and the `ev is None` checks are not
# visible in this rendering.
4506 check_domain_suffix_match(dev
[0])
4507 check_pkcs12_support(dev
[0])
4508 params
= int_eap_server_params()
4509 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4510 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4511 hostapd
.add_ap(apdev
[0], params
)
4512 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4513 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4514 private_key
="auth_serv/user.pkcs12",
4515 private_key_passwd
="whatever",
4516 domain_suffix_match
="example.com",
4519 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4520 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4521 private_key
="auth_serv/user.pkcs12",
4522 private_key_passwd
="whatever",
4523 domain_suffix_match
="erver3.w1.fi",
4526 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4528 raise Exception("Timeout on EAP failure report")
4529 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4531 raise Exception("Timeout on EAP failure report (2)")
4533 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4534 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4535 check_domain_match(dev
[0])
4536 check_pkcs12_support(dev
[0])
4537 params
= int_eap_server_params()
4538 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4539 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4540 hostapd
.add_ap(apdev
[0], params
)
4541 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4542 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4543 private_key
="auth_serv/user.pkcs12",
4544 private_key_passwd
="whatever",
4545 domain_match
="example.com",
4548 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4549 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4550 private_key
="auth_serv/user.pkcs12",
4551 private_key_passwd
="whatever",
4552 domain_match
="w1.fi",
4555 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4557 raise Exception("Timeout on EAP failure report")
4558 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4560 raise Exception("Timeout on EAP failure report (2)")
4562 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4563 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4564 skip_with_fips(dev
[0])
4565 params
= int_eap_server_params()
4566 params
["server_cert"] = "auth_serv/server-expired.pem"
4567 params
["private_key"] = "auth_serv/server-expired.key"
4568 hostapd
.add_ap(apdev
[0], params
)
4569 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4570 identity
="mschap user", password
="password",
4571 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4574 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4576 raise Exception("Timeout on EAP certificate error report")
4577 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4578 raise Exception("Unexpected failure reason: " + ev
)
4579 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4581 raise Exception("Timeout on EAP failure report")
4583 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4584 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
# Counterpart of test_ap_wpa2_eap_ttls_expired_cert: the AP presents the
# same expired server certificate, which there produces a
# CTRL-EVENT-EAP-TLS-CERT-ERROR with "certificate has expired". Here the
# station profile sets phase1="tls_disable_time_checks=1", which switches
# off the validity-period check so the connection is expected to complete.
# This is a test-only relaxation of server certificate validation; a
# production profile keeps the time checks enabled.
4585 skip_with_fips(dev
[0])
4586 params
= int_eap_server_params()
4587 params
["server_cert"] = "auth_serv/server-expired.pem"
4588 params
["private_key"] = "auth_serv/server-expired.key"
4589 hostapd
.add_ap(apdev
[0], params
)
4590 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4591 identity
="mschap user", password
="password",
4592 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4593 phase1
="tls_disable_time_checks=1",
4596 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4597 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4598 skip_with_fips(dev
[0])
4599 params
= int_eap_server_params()
4600 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4601 params
["private_key"] = "auth_serv/server-long-duration.key"
4602 hostapd
.add_ap(apdev
[0], params
)
4603 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4604 identity
="mschap user", password
="password",
4605 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4608 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4609 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4610 skip_with_fips(dev
[0])
4611 params
= int_eap_server_params()
4612 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4613 params
["private_key"] = "auth_serv/server-eku-client.key"
4614 hostapd
.add_ap(apdev
[0], params
)
4615 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4616 identity
="mschap user", password
="password",
4617 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4620 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4622 raise Exception("Timeout on EAP failure report")
4624 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4625 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4626 skip_with_fips(dev
[0])
4627 params
= int_eap_server_params()
4628 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4629 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4630 hostapd
.add_ap(apdev
[0], params
)
4631 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4632 identity
="mschap user", password
="password",
4633 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4636 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4637 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4638 skip_with_fips(dev
[0])
4639 params
= int_eap_server_params()
4640 del params
["server_cert"]
4641 params
["private_key"] = "auth_serv/server.pkcs12"
4642 hostapd
.add_ap(apdev
[0], params
)
4643 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4644 identity
="mschap user", password
="password",
4645 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4648 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4649 """EAP-TTLS and server PKCS#12 file with extra certs"""
4650 skip_with_fips(dev
[0])
4651 params
= int_eap_server_params()
4652 del params
["server_cert"]
4653 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4654 params
["private_key_passwd"] = "whatever"
4655 hostapd
.add_ap(apdev
[0], params
)
4656 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4657 identity
="mschap user", password
="password",
4658 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4661 def test_ap_wpa2_eap_ttls_dh_params(dev
, apdev
):
4662 """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
# Station-side DH parameters: dh_file points the supplicant at
# auth_serv/dh.conf for the TLS handshake; the inner method is PAP
# (phase2="auth=PAP"), and eap_connect() is expected to complete.
4663 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4664 hapd
= hostapd
.add_ap(apdev
[0], params
)
4665 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4666 anonymous_identity
="ttls", password
="password",
4667 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4668 dh_file
="auth_serv/dh.conf")
4670 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev
, apdev
):
4671 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
4672 check_dh_dsa_support(dev
[0])
4673 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4674 hapd
= hostapd
.add_ap(apdev
[0], params
)
4675 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4676 anonymous_identity
="ttls", password
="password",
4677 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4678 dh_file
="auth_serv/dsaparam.pem")
4680 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4681 """EAP-TTLS and DH params file not found"""
# Station-side negative test: dh_file names a file that does not exist, so
# the TLS setup on the supplicant must fail and an EAP failure is expected.
# NOTE(review): a second function with this exact name is defined later in
# this file (gutter line 4742, the server-side dhparams test). A module-level
# `def` with the same name rebinds it, so this station-side test is never
# collected; renaming one of the two (e.g. a "_server" suffix on the later
# one) would restore the coverage.
# NOTE(review): gutter numbering skips 4691, so the `ev is None` check is not
# visible in this rendering.
4682 skip_with_fips(dev
[0])
4683 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4684 hostapd
.add_ap(apdev
[0], params
)
4685 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4686 identity
="mschap user", password
="password",
4687 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4688 dh_file
="auth_serv/dh-no-such-file.conf",
4689 scan_freq
="2412", wait_connect
=False)
4690 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4692 raise Exception("EAP failure timed out")
4693 dev
[0].request("REMOVE_NETWORK all")
4694 dev
[0].wait_disconnected()
4696 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4697 """EAP-TTLS and invalid DH params file"""
# Station-side negative test: dh_file points at a certificate file
# (auth_serv/ca.pem) instead of DH parameters, so the supplicant's TLS setup
# must fail and an EAP failure is expected.
# NOTE(review): a second function with this exact name is defined later in
# this file (gutter line 4750, the server-side dhparams test). A module-level
# `def` with the same name rebinds it, so this station-side test is never
# collected; renaming one of the two would restore the coverage.
# NOTE(review): gutter numbering skips 4707, so the `ev is None` check is not
# visible in this rendering.
4698 skip_with_fips(dev
[0])
4699 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4700 hostapd
.add_ap(apdev
[0], params
)
4701 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4702 identity
="mschap user", password
="password",
4703 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4704 dh_file
="auth_serv/ca.pem",
4705 scan_freq
="2412", wait_connect
=False)
4706 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4708 raise Exception("EAP failure timed out")
4709 dev
[0].request("REMOVE_NETWORK all")
4710 dev
[0].wait_disconnected()
4712 def test_ap_wpa2_eap_ttls_dh_params_blob(dev
, apdev
):
4713 """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
# Same as test_ap_wpa2_eap_ttls_dh_params, but the DH parameters are handed
# to the supplicant as a named blob ("SET blob dhparams <hex>") and then
# referenced through dh_file="blob://dhparams" instead of a file path.
# NOTE(review): `.encode("hex")` on the value returned by read_pem() is the
# Python 2 "hex" codec; under Python 3 a str has no such codec and
# binascii.hexlify() on bytes would be needed instead.
4714 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4715 hapd
= hostapd
.add_ap(apdev
[0], params
)
4716 dh
= read_pem("auth_serv/dh2.conf")
4717 if "OK" not in dev
[0].request("SET blob dhparams " + dh
.encode("hex")):
4718 raise Exception("Could not set dhparams blob")
4719 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4720 anonymous_identity
="ttls", password
="password",
4721 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4722 dh_file
="blob://dhparams")
4724 def test_ap_wpa2_eap_ttls_dh_params_server(dev
, apdev
):
4725 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
4726 params
= int_eap_server_params()
4727 params
["dh_file"] = "auth_serv/dh2.conf"
4728 hapd
= hostapd
.add_ap(apdev
[0], params
)
4729 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4730 anonymous_identity
="ttls", password
="password",
4731 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4733 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev
, apdev
):
4734 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
4735 params
= int_eap_server_params()
4736 params
["dh_file"] = "auth_serv/dsaparam.pem"
4737 hapd
= hostapd
.add_ap(apdev
[0], params
)
4738 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4739 anonymous_identity
="ttls", password
="password",
4740 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4742 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4743 """EAP-TLS server and dhparams file not found"""
# Server-side negative test: hostapd is started with no_enable=True and a
# dh_file that does not exist; ENABLE must be refused ("FAIL") rather than
# bringing the AP up without the configured DH parameters.
# NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found,
# which is first defined earlier in this file (gutter line 4680) as the
# station-side variant. A module-level `def` with the same name rebinds it,
# so only this server-side test is collected and the station-side one is
# silently dropped; renaming one of the two (e.g. a "_server" suffix here)
# would restore the coverage.
4744 params
= int_eap_server_params()
4745 params
["dh_file"] = "auth_serv/dh-no-such-file.conf"
4746 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4747 if "FAIL" not in hapd
.request("ENABLE"):
4748 raise Exception("Invalid configuration accepted")
4750 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4751 """EAP-TLS server and invalid dhparams file"""
# Server-side negative test: dh_file points at a certificate file
# (auth_serv/ca.pem) instead of DH parameters; ENABLE must be refused
# ("FAIL") rather than bringing the AP up with unusable parameters.
# NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid,
# which is first defined earlier in this file (gutter line 4696) as the
# station-side variant. A module-level `def` with the same name rebinds it,
# so only this server-side test is collected and the station-side one is
# silently dropped; renaming one of the two would restore the coverage.
4752 params
= int_eap_server_params()
4753 params
["dh_file"] = "auth_serv/ca.pem"
4754 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4755 if "FAIL" not in hapd
.request("ENABLE"):
4756 raise Exception("Invalid configuration accepted")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4767, 4770 and 4775-4776 inside this function, so the body shown here is
# incomplete (the conditions guarding the two "Timeout on reauthentication"
# raises and the loop exit are not visible). Read the function from the
# repository before relying on it.
4758 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4759 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4760 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4761 params
['eap_reauth_period'] = '2'
4762 hapd
= hostapd
.add_ap(apdev
[0], params
)
4763 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4764 password_hex
="0123456789abcdef0123456789abcdef")
4765 logger
.info("Wait for reauthentication")
4766 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4768 raise Exception("Timeout on reauthentication")
4769 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4771 raise Exception("Timeout on reauthentication")
# Poll wpa_state until it reports COMPLETED (bounded to 20 iterations).
4772 for i
in range(0, 20):
4773 state
= dev
[0].get_status_field("wpa_state")
4774 if state
== "COMPLETED":
4777 if state
!= "COMPLETED":
4778 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # hostapd's eap_message parameter carries the displayable text followed by
    # the option string (literal backslash-zero separator in the config).
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    server_params = int_eap_server_params()
    server_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server_params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], server_params)

    # (EAP method, identity, password) for each method exercised, in the
    # order the original test runs them.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Drop the profiles created for the previous method on both STAs
            # before starting the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the protected result indication and then
        # re-authenticates; dev[1] connects without requesting it.
        eap_connect(dev[0], hapd, method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], hapd, method, identity, password=secret)
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4831, 4834, 4841-4842 and 4846 inside this function (and 4848-4849 before
# the next definition), so the body shown here is incomplete: the loop header
# announced by the comment below, the wait_event timeout and the condition
# guarding "No connection result" are not visible. Read the function from the
# repository before relying on it.
4823 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4824 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4825 check_hlr_auc_gw_support()
4826 params
= int_eap_server_params()
4827 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4828 params
['eap_sim_db_timeout'] = "0"
4829 params
['disable_pmksa_caching'] = '1'
4830 hapd
= hostapd
.add_ap(apdev
[0], params
)
4832 # Run multiple iterations to make it more likely to hit the case where the
4833 # DB request times out and response is lost.
4835 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4836 identity
="1232010000000000",
4837 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4838 wait_connect
=False, scan_freq
="2412")
4839 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4840 "CTRL-EVENT-DISCONNECTED" ],
4843 raise Exception("No connection result")
4844 dev
[0].request("REMOVE_NETWORK all")
4845 if "CTRL-EVENT-DISCONNECTED" in ev
:
4847 dev
[0].wait_disconnected()
# NOTE(review): the gutter numbering of this rendering skips original line
# 4860, which is the continuation of the connect() call below (the arguments
# that make the EAP exchange exceed the roundtrip limit are not visible).
# Read the function from the repository before relying on it.
4850 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4851 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4852 skip_with_fips(dev
[0])
4853 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4854 hostapd
.add_ap(apdev
[0], params
)
4855 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4856 eap
="TTLS", identity
="mschap user",
4857 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4858 anonymous_identity
="ttls", password
="password",
4859 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
# Either the roundtrip-limit message or EAP success ends the wait; only the
# former is the expected outcome.
4861 ev
= dev
[0].wait_event(["EAP: more than",
4862 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4863 if ev
is None or "EAP: more than" not in ev
:
4864 raise Exception("EAP roundtrip limit not reached")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4873-4875, 4878, 4881-4883, 4885 and 4887 inside this function (and 4889
# before the next definition), so the body shown here is incomplete: the end
# of the connect() call, the guard before "Association and EAP start timed
# out", what happens when "refuse proposed method" is seen, and the guard
# before "EAP failure timed out" are not visible. Read the function from the
# repository before relying on it.
4866 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4867 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4868 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4869 hostapd
.add_ap(apdev
[0], params
)
4870 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4871 eap
="PSK", identity
="vendor-test",
4872 password_hex
="ff23456789abcdef0123456789abcdef",
4876 for i
in range(0, 5):
4877 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4879 raise Exception("Association and EAP start timed out")
4880 if "refuse proposed method" in ev
:
4884 raise Exception("Unexpected EAP status: " + ev
)
4886 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4888 raise Exception("EAP failure timed out")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4893-4895, 4898-4901, 4903-4904 and 4913-4914 inside this function (and
# 4932-4934 before the next definition), so the body shown here is
# incomplete: the import guard that leads to the HwsimSkip below, the
# handling of a pre-existing dbfile, the creation of `cur` from `con`, and the
# commit/close of the connection are not visible. Read the function from the
# repository before relying on it.
4890 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4891 """WPA2-Enterprise connection using SQLite for user DB"""
4892 skip_with_fips(dev
[0])
4896 raise HwsimSkip("No sqlite3 module available")
4897 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4902 con
= sqlite3
.connect(dbfile
)
# All statements below are fixed literals (no test-controlled values are
# interpolated), so there is no query-construction concern here.
4905 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4906 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4907 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4908 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4909 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4910 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4911 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4912 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
# The EAP server reads its user database from the SQLite file via the
# "sqlite:" prefix of eap_user_file.
4915 params
= int_eap_server_params()
4916 params
["eap_user_file"] = "sqlite:" + dbfile
4917 hapd
= hostapd
.add_ap(apdev
[0], params
)
4918 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4919 anonymous_identity
="ttls", password
="password",
4920 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4921 dev
[0].request("REMOVE_NETWORK all")
4922 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4923 anonymous_identity
="ttls", password
="password",
4924 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4925 dev
[1].request("REMOVE_NETWORK all")
4926 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4927 anonymous_identity
="ttls", password
="password",
4928 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4929 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4930 anonymous_identity
="ttls", password
="password",
4931 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4945 and 4948 inside this function, i.e. the conditions guarding the two
# raises in the loop are not visible. Read the function from the repository
# before relying on it.
4935 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4936 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4937 params
= int_eap_server_params()
4938 hostapd
.add_ap(apdev
[0], params
)
# Two STAs with a non-ASCII byte in the identity (alone and after an ASCII
# character); the test only waits for EAP start and method selection.
4939 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4940 identity
="\x80", password
="password", wait_connect
=False)
4941 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4942 identity
="a\x80", password
="password", wait_connect
=False)
4943 for i
in range(0, 2):
4944 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4946 raise Exception("Association and EAP start timed out")
4947 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4949 raise Exception("EAP method selection timed out")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4961 and 4964 inside this function, i.e. the conditions guarding the two
# raises in the loop are not visible. Read the function from the repository
# before relying on it. Differs from test_ap_wpa2_eap_non_ascii_identity only
# in using hostapd.wpa2_eap_params() instead of the internal EAP server.
4951 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4952 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4953 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4954 hostapd
.add_ap(apdev
[0], params
)
4955 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4956 identity
="\x80", password
="password", wait_connect
=False)
4957 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4958 identity
="a\x80", password
="password", wait_connect
=False)
4959 for i
in range(0, 2):
4960 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4962 raise Exception("Association and EAP start timed out")
4963 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4965 raise Exception("EAP method selection timed out")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 4988 and 4990 inside this function: the end of the dev[2].connect() call
# and the condition guarding "EAP failure after invalid openssl_ciphers not
# reported" are not visible. Read the function from the repository before
# relying on it.
4967 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4968 """OpenSSL cipher suite configuration on wpa_supplicant"""
4969 tls
= dev
[0].request("GET tls_library")
4970 if not tls
.startswith("OpenSSL"):
4971 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4972 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4973 hapd
= hostapd
.add_ap(apdev
[0], params
)
# dev[0]: a cipher list the server accepts.
4974 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4975 anonymous_identity
="ttls", password
="password",
4976 openssl_ciphers
="AES128",
4977 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
# dev[1]: EXPORT-only ciphers; the handshake is expected to fail, possibly
# already on the local side.
4978 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4979 anonymous_identity
="ttls", password
="password",
4980 openssl_ciphers
="EXPORT",
4981 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4982 expect_failure
=True, maybe_local_error
=True)
# dev[2]: a syntactically invalid cipher string; EAP failure must be reported.
4983 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4984 identity
="pap user", anonymous_identity
="ttls",
4985 password
="password",
4986 openssl_ciphers
="FOO",
4987 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4989 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4991 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4992 dev
[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    server_params = int_eap_server_params()
    server_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], server_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # Common EAP-TTLS/PAP profile shared by the three station attempts.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # dev[0]: default station cipher list against the AES256-only server.
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_pap)
    # dev[1]: station restricted to AES128 has no overlap with the server's
    # AES256 list, so the connection must fail.
    eap_connect(dev[1], hapd, "TTLS", "pap user", openssl_ciphers="AES128",
                expect_failure=True, **ttls_pap)
    # dev[2]: a broader list that still overlaps with AES256.
    eap_connect(dev[2], hapd, "TTLS", "pap user", openssl_ciphers="HIGH:!ADH",
                **ttls_pap)

    # An unparseable cipher string must be rejected when the AP is enabled.
    server_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], server_params, no_enable=True)
    enable_res = hapd2.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid openssl_ciphers value accepted")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5035-5036, 5038, 5041-5047, 5067, 5069-5073, 5076, 5084, 5086, 5088, 5090,
# 5092, 5095, 5098, 5106, 5109, 5119, 5121 and 5124 inside this function, so
# the body shown here is incomplete: among other things the initialisation of
# msk/emsk/pmk/ptk/gtk, the GTK length check, the derivation of kck/kek/tk from
# ptk, and the conditions guarding several raises are not visible. Read the
# function from the repository before relying on it.
5023 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
5024 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5025 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5026 hapd
= hostapd
.add_ap(apdev
[0], p
)
5027 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5028 pid
= find_wpas_process(dev
[0])
5029 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
5030 anonymous_identity
="ttls", password
=password
,
5031 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5032 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5033 # event has been delivered, so verify that wpa_supplicant has returned to
5034 # eloop before reading process memory.
5037 buf
= read_process_memory(pid
, password
)
5039 dev
[0].request("DISCONNECT")
5040 dev
[0].wait_disconnected()
# Recover the derived keys from the wpa_supplicant debug log so their
# presence in process memory can be checked at each lifecycle stage.
5048 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5049 for l
in f
.readlines():
5050 if "EAP-TTLS: Derived key - hexdump" in l
:
5051 val
= l
.strip().split(':')[3].replace(' ', '')
5052 msk
= binascii
.unhexlify(val
)
5053 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
5054 val
= l
.strip().split(':')[3].replace(' ', '')
5055 emsk
= binascii
.unhexlify(val
)
5056 if "WPA: PMK - hexdump" in l
:
5057 val
= l
.strip().split(':')[3].replace(' ', '')
5058 pmk
= binascii
.unhexlify(val
)
5059 if "WPA: PTK - hexdump" in l
:
5060 val
= l
.strip().split(':')[3].replace(' ', '')
5061 ptk
= binascii
.unhexlify(val
)
5062 if "WPA: Group Key - hexdump" in l
:
5063 val
= l
.strip().split(':')[3].replace(' ', '')
5064 gtk
= binascii
.unhexlify(val
)
5065 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5066 raise Exception("Could not find keys from debug log")
5068 raise Exception("Unexpected GTK length")
5074 fname
= os
.path
.join(params
['logdir'],
5075 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# Stage 1: while associated, password and PMK are expected to be present;
# a missing one is a skip (environment limitation), missing KCK/KEK is a
# failure.
5077 logger
.info("Checking keys in memory while associated")
5078 get_key_locations(buf
, password
, "Password")
5079 get_key_locations(buf
, pmk
, "PMK")
5080 get_key_locations(buf
, msk
, "MSK")
5081 get_key_locations(buf
, emsk
, "EMSK")
5082 if password
not in buf
:
5083 raise HwsimSkip("Password not found while associated")
5085 raise HwsimSkip("PMK not found while associated")
5087 raise Exception("KCK not found while associated")
5089 raise Exception("KEK not found while associated")
5091 # raise Exception("TK found from memory")
# Stage 2: after disassociation the PTK-derived keys and the GTK must be gone.
5093 logger
.info("Checking keys in memory after disassociation")
5094 buf
= read_process_memory(pid
, password
)
5096 # Note: Password is still present in network configuration
5097 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5099 get_key_locations(buf
, password
, "Password")
5100 get_key_locations(buf
, pmk
, "PMK")
5101 get_key_locations(buf
, msk
, "MSK")
5102 get_key_locations(buf
, emsk
, "EMSK")
5103 verify_not_present(buf
, kck
, fname
, "KCK")
5104 verify_not_present(buf
, kek
, fname
, "KEK")
5105 verify_not_present(buf
, tk
, fname
, "TK")
5107 get_key_locations(buf
, gtk
, "GTK")
5108 verify_not_present(buf
, gtk
, fname
, "GTK")
# Stage 3: flushing the PMKSA cache and changing the identity (which drops
# the EAP fast re-auth data) must also clear the PMK.
5110 dev
[0].request("PMKSA_FLUSH")
5111 dev
[0].set_network_quoted(id, "identity", "foo")
5112 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5113 buf
= read_process_memory(pid
, password
)
5114 get_key_locations(buf
, password
, "Password")
5115 get_key_locations(buf
, pmk
, "PMK")
5116 get_key_locations(buf
, msk
, "MSK")
5117 get_key_locations(buf
, emsk
, "EMSK")
5118 verify_not_present(buf
, pmk
, fname
, "PMK")
# Stage 4: once the network profile is removed, nothing secret may remain,
# including the password itself.
5120 dev
[0].request("REMOVE_NETWORK all")
5122 logger
.info("Checking keys in memory after network profile removal")
5123 buf
= read_process_memory(pid
, password
)
5125 get_key_locations(buf
, password
, "Password")
5126 get_key_locations(buf
, pmk
, "PMK")
5127 get_key_locations(buf
, msk
, "MSK")
5128 get_key_locations(buf
, emsk
, "EMSK")
5129 verify_not_present(buf
, password
, fname
, "password")
5130 verify_not_present(buf
, pmk
, fname
, "PMK")
5131 verify_not_present(buf
, kck
, fname
, "KCK")
5132 verify_not_present(buf
, kek
, fname
, "KEK")
5133 verify_not_present(buf
, tk
, fname
, "TK")
5134 verify_not_present(buf
, gtk
, fname
, "GTK")
5135 verify_not_present(buf
, msk
, fname
, "MSK")
5136 verify_not_present(buf
, emsk
, fname
, "EMSK")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5146 and 5149 inside this function; the condition guarding "EAPOL_RX to
# wpa_supplicant failed" is not visible. Read the function from the
# repository before relying on it.
5138 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5139 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5140 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5141 hapd
= hostapd
.add_ap(apdev
[0], params
)
5142 bssid
= apdev
[0]['bssid']
5143 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5144 anonymous_identity
="ttls", password
="password",
5145 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
# The frame is injected through the control interface as if received from
# the AP; the expectation is that wpa_supplicant accepts the injection
# request but discards the WEP-style key frame on a WPA2 connection.
5147 # Send unexpected WEP EAPOL-Key; this gets dropped
5148 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5150 raise Exception("EAPOL_RX to wpa_supplicant failed")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5154-5156 and 5158 inside this function, so the assignments of br_ifname
# and ifname used below and the try/finally structure around the helper
# call are not visible. Read the function from the repository before relying
# on it.
5152 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5153 """WPA2-EAP and wpas interface in a bridge"""
5157 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
# Teardown of the bridge created by the helper: bring it down, detach the
# interface, delete the bridge and turn 4addr mode off again. Each step uses
# subprocess.call, so a failing step does not abort the remaining cleanup.
5159 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5160 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5161 subprocess
.call(['brctl', 'delbr', br_ifname
])
5162 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5167-5169, 5177-5178, 5181, 5183, 5186 and 5189 inside this function (and
# 5192-5193 before the next definition), so the assignments of br_ifname and
# ifname and several statements between the connection steps are not
# visible. Read the function from the repository before relying on it.
5164 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5165 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5166 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Bridge setup: create the bridge, bring it up, enable 4addr on the station
# interface and attach it. Only the addif step uses check_call, i.e. only
# its failure aborts the test.
5170 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5171 subprocess
.call(['brctl', 'addbr', br_ifname
])
5172 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5173 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5174 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5175 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5176 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5179 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5180 password_hex
="0123456789abcdef0123456789abcdef")
5182 eap_reauth(wpas
, "PAX")
5184 # Try again as a regression test for packet socket workaround
5185 eap_reauth(wpas
, "PAX")
5187 wpas
.request("DISCONNECT")
5188 wpas
.wait_disconnected()
5190 wpas
.request("RECONNECT")
5191 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Sanity-check the AP configuration: the first key_mgmt entry must be
    # WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # tls_disable_session_ticket=0 leaves TLS session tickets enabled for the
    # initial connection and the reauthentication that follows.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
# NOTE(review): the gutter numbering of this rendering skips original line
# 5217, the end of the eap_connect() call below (its closing arguments are
# not visible). Read the function from the repository before relying on it.
5207 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5208 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5209 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5210 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Sanity-check that the first key_mgmt entry of the AP is WPA-EAP.
5211 key_mgmt
= hapd
.get_config()['key_mgmt']
5212 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5213 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5214 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5215 anonymous_identity
="ttls", password
="password",
5216 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5218 eap_reauth(dev
[0], "TTLS")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5225, 5231-5232, 5234-5235, 5241-5242 and 5244-5245 inside this function,
# so the statements surrounding the two hapd.set() calls (e.g. whether the AP
# is disabled/re-enabled around the reconfiguration) are not visible. Read
# the function from the repository before relying on it.
5220 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5221 """EAP-TLS and server checking CRL"""
5222 params
= int_eap_server_params()
5223 params
['check_crl'] = '1'
5224 hapd
= hostapd
.add_ap(apdev
[0], params
)
5226 # check_crl=1 and no CRL available --> reject connection
5227 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5228 client_cert
="auth_serv/user.pem",
5229 private_key
="auth_serv/user.key", expect_failure
=True)
5230 dev
[0].request("REMOVE_NETWORK all")
# Switch the server to a CA bundle that also carries a CRL.
5233 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5236 # check_crl=1 and valid CRL --> accept
5237 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5238 client_cert
="auth_serv/user.pem",
5239 private_key
="auth_serv/user.key")
5240 dev
[0].request("REMOVE_NETWORK all")
5243 hapd
.set("check_crl", "2")
5246 # check_crl=2 and valid CRL --> accept
5247 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5248 client_cert
="auth_serv/user.pem",
5249 private_key
="auth_serv/user.key")
5250 dev
[0].request("REMOVE_NETWORK all")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5258, 5261 and 5279 inside this function; the condition guarding "No
# passphrase request" is not visible. Read the function from the repository
# before relying on it.
5252 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5253 """EAP-TLS and OOM"""
5254 check_subject_match_support(dev
[0])
5255 check_altsubject_match_support(dev
[0])
5256 check_domain_match(dev
[0])
5257 check_domain_match_full(dev
[0])
5259 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5260 hostapd
.add_ap(apdev
[0], params
)
# Each entry fails the N-th allocation inside the named function; all four
# target tls_connection_set_subject_match with a different failure index.
5262 tests
= [ (1, "tls_connection_set_subject_match"),
5263 (2, "tls_connection_set_subject_match"),
5264 (3, "tls_connection_set_subject_match"),
5265 (4, "tls_connection_set_subject_match") ]
5266 for count
, func
in tests
:
5267 with
alloc_fail(dev
[0], count
, func
):
5268 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5269 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5270 client_cert
="auth_serv/user.pem",
5271 private_key
="auth_serv/user.key",
5272 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5273 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5274 domain_suffix_match
="server.w1.fi",
5275 domain_match
="server.w1.fi",
5276 wait_connect
=False, scan_freq
="2412")
5277 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5278 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5280 raise Exception("No passphrase request")
5281 dev
[0].request("REMOVE_NETWORK all")
5282 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # macaddr_acl=2 selects hostapd's RADIUS-backed MAC ACL mode; the EAP-TLS
    # connection from dev[1] is expected to succeed with it.
    ap_params = dict(hostapd.wpa2_eap_params(ssid="test-wpa2-eap"),
                     macaddr_acl="2")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[1], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5298 and 5301 inside this function and 5306-5307 before the next
# definition, so the second line of the comment inside the alloc_fail block
# and the end of the connect() call are not visible. Read the function from
# the repository before relying on it.
5293 def test_ap_wpa2_eap_oom(dev
, apdev
):
5294 """EAP server and OOM"""
5295 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5296 hapd
= hostapd
.add_ap(apdev
[0], params
)
5297 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
# The allocation failure is injected on the hostapd side (eapol_auth_alloc),
# not in wpa_supplicant.
5299 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5300 # The first attempt fails, but STA will send EAPOL-Start to retry and
5302 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5303 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5304 client_cert
="auth_serv/user.pem",
5305 private_key
="auth_serv/user.key",
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5312 and 5314 inside this helper: the argument that passes `phase1` into
# eap_connect() and the comparison of `ver` against `expected` that guards
# the raise are not visible. Read the function from the repository before
# relying on it.
# Helper: connect with EAP-TLS using the given phase1 string and check the
# negotiated TLS version reported by wpa_supplicant (eap_tls_version) against
# the expected value.
5308 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5309 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5310 client_cert
="auth_serv/user.pem",
5311 private_key
="auth_serv/user.key",
5313 ver
= dev
.get_status_field("eap_tls_version")
5315 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5321, 5327 and 5333 inside this function: the expected-version argument of
# the two check_tls_ver() calls in the OpenSSL and wolfSSL branches is not
# visible. Read the function from the repository before relying on it.
5317 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5318 """EAP-TLS and TLS version configuration"""
5319 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5320 hapd
= hostapd
.add_ap(apdev
[0], params
)
# Which versions can be exercised depends on the station's TLS library and,
# for OpenSSL/wolfSSL, on the exact build/runtime version reported.
5322 tls
= dev
[0].request("GET tls_library")
5323 if tls
.startswith("OpenSSL"):
5324 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5325 check_tls_ver(dev
[0], hapd
,
5326 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5328 if tls
.startswith("wolfSSL"):
5329 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5330 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5331 check_tls_ver(dev
[0], hapd
,
5332 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
# The internal TLS implementation is checked for all three versions by
# disabling the other two each time.
5334 elif tls
.startswith("internal"):
5335 check_tls_ver(dev
[0], hapd
,
5336 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5337 check_tls_ver(dev
[1], hapd
,
5338 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5339 check_tls_ver(dev
[2], hapd
,
5340 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5352-5353, 5361, 5365-5366, 5368 and 5373 inside this function: the end of
# the connect() call, the last entry of `tests`, and several statements
# inside the loop are not visible. Read the function from the repository
# before relying on it.
5342 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5343 """RSN element protocol testing for EAP cases on STA side"""
5344 bssid
= apdev
[0]['bssid']
5345 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5346 # This is the RSN element used normally by hostapd
5347 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5348 hapd
= hostapd
.add_ap(apdev
[0], params
)
5349 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5350 identity
="gpsk user",
5351 password
="abcdefghijklmnop0123456789abcdef",
# Progressively truncated RSN elements (description, hex) that the AP will
# advertise; the STA is expected to still complete the connection.
5354 tests
= [ ('No RSN Capabilities field',
5355 '30120100000fac040100000fac040100000fac01'),
5356 ('No AKM Suite fields',
5357 '300c0100000fac040100000fac04'),
5358 ('No Pairwise Cipher Suite fields',
5359 '30060100000fac04'),
5360 ('No Group Data Cipher Suite field',
5362 for txt
,ie
in tests
:
5363 dev
[0].request("DISCONNECT")
5364 dev
[0].wait_disconnected()
5367 hapd
.set('own_ie_override', ie
)
# Flush and rescan so the STA picks up the modified element before
# reselecting the network.
5369 dev
[0].request("BSS_FLUSH 0")
5370 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5371 dev
[0].select_network(id, freq
=2412)
5372 dev
[0].wait_connected()
5374 dev
[0].request("DISCONNECT")
5375 dev
[0].wait_disconnected()
5376 dev
[0].flush_scan_cache()
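def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both sides use OpenSSL.

    TLS session resumption is only exercised when both hostapd and
    wpa_supplicant report an OpenSSL TLS library; any other library
    (including wolfSSL and the internal implementation) results in HwsimSkip.

    Args:
        dev: wpa_supplicant control object (answers "GET tls_library").
        hapd: hostapd control object (answers "GET tls_library").

    Raises:
        HwsimSkip: if either side's TLS library does not start with "OpenSSL".
    """
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        # Fix: the skip message used to mention wolfSSL although the check
        # above only accepts OpenSSL; make the message match the check.
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)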
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5396, 5399, 5402 and 5405 inside this function: the end of the
# eap_connect() call and the conditions guarding the two timeout raises are
# not visible. Read the function from the repository before relying on it.
5387 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5388 """EAP-TTLS/PAP session resumption"""
5389 params
= int_eap_server_params()
# A non-zero lifetime enables server-side TLS session caching.
5390 params
['tls_session_lifetime'] = '60'
5391 hapd
= hostapd
.add_ap(apdev
[0], params
)
5392 check_tls_session_resumption_capa(dev
[0], hapd
)
5393 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5394 anonymous_identity
="ttls", password
="password",
5395 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5397 if dev
[0].get_status_field("tls_session_reused") != '0':
5398 raise Exception("Unexpected session resumption on the first connection")
# Second authentication must resume the cached TLS session.
5400 dev
[0].request("REAUTHENTICATE")
5401 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5403 raise Exception("EAP success timed out")
5404 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5406 raise Exception("Key handshake with the AP timed out")
5407 if dev
[0].get_status_field("tls_session_reused") != '1':
5408 raise Exception("Session resumption not used on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5421, 5424 and 5427 inside this function: the conditions guarding the two
# timeout raises are not visible. Read the function from the repository
# before relying on it.
5410 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5411 """EAP-TTLS/CHAP session resumption"""
5412 params
= int_eap_server_params()
5413 params
['tls_session_lifetime'] = '60'
5414 hapd
= hostapd
.add_ap(apdev
[0], params
)
5415 check_tls_session_resumption_capa(dev
[0], hapd
)
5416 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5417 anonymous_identity
="ttls", password
="password",
5418 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5419 if dev
[0].get_status_field("tls_session_reused") != '0':
5420 raise Exception("Unexpected session resumption on the first connection")
# Second authentication must resume the cached TLS session.
5422 dev
[0].request("REAUTHENTICATE")
5423 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5425 raise Exception("EAP success timed out")
5426 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5428 raise Exception("Key handshake with the AP timed out")
5429 if dev
[0].get_status_field("tls_session_reused") != '1':
5430 raise Exception("Session resumption not used on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5445, 5448 and 5451 inside this function: the conditions guarding the two
# timeout raises are not visible. Read the function from the repository
# before relying on it.
5432 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5433 """EAP-TTLS/MSCHAP session resumption"""
5434 check_domain_suffix_match(dev
[0])
5435 params
= int_eap_server_params()
5436 params
['tls_session_lifetime'] = '60'
5437 hapd
= hostapd
.add_ap(apdev
[0], params
)
5438 check_tls_session_resumption_capa(dev
[0], hapd
)
# Server certificate is additionally pinned by domain_suffix_match.
5439 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5440 anonymous_identity
="ttls", password
="password",
5441 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5442 domain_suffix_match
="server.w1.fi")
5443 if dev
[0].get_status_field("tls_session_reused") != '0':
5444 raise Exception("Unexpected session resumption on the first connection")
5446 dev
[0].request("REAUTHENTICATE")
5447 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5449 raise Exception("EAP success timed out")
5450 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5452 raise Exception("Key handshake with the AP timed out")
5453 if dev
[0].get_status_field("tls_session_reused") != '1':
5454 raise Exception("Session resumption not used on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5470, 5473 and 5476 inside this function: the conditions guarding the two
# timeout raises are not visible. Read the function from the repository
# before relying on it.
5456 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5457 """EAP-TTLS/MSCHAPv2 session resumption"""
5458 check_domain_suffix_match(dev
[0])
5459 check_eap_capa(dev
[0], "MSCHAPV2")
5460 params
= int_eap_server_params()
5461 params
['tls_session_lifetime'] = '60'
5462 hapd
= hostapd
.add_ap(apdev
[0], params
)
5463 check_tls_session_resumption_capa(dev
[0], hapd
)
# Identity carries a DOMAIN\ prefix to exercise MSCHAPv2 domain handling.
5464 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5465 anonymous_identity
="ttls", password
="password",
5466 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5467 domain_suffix_match
="server.w1.fi")
5468 if dev
[0].get_status_field("tls_session_reused") != '0':
5469 raise Exception("Unexpected session resumption on the first connection")
5471 dev
[0].request("REAUTHENTICATE")
5472 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5474 raise Exception("EAP success timed out")
5475 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5477 raise Exception("Key handshake with the AP timed out")
5478 if dev
[0].get_status_field("tls_session_reused") != '1':
5479 raise Exception("Session resumption not used on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5492, 5495 and 5498 inside this function: the conditions guarding the two
# timeout raises are not visible. Read the function from the repository
# before relying on it.
5481 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5482 """EAP-TTLS/EAP-GTC session resumption"""
5483 params
= int_eap_server_params()
5484 params
['tls_session_lifetime'] = '60'
5485 hapd
= hostapd
.add_ap(apdev
[0], params
)
5486 check_tls_session_resumption_capa(dev
[0], hapd
)
# Inner method is a tunnelled EAP method (autheap=GTC) rather than a plain
# auth=... method.
5487 eap_connect(dev
[0], hapd
, "TTLS", "user",
5488 anonymous_identity
="ttls", password
="password",
5489 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5490 if dev
[0].get_status_field("tls_session_reused") != '0':
5491 raise Exception("Unexpected session resumption on the first connection")
5493 dev
[0].request("REAUTHENTICATE")
5494 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5496 raise Exception("EAP success timed out")
5497 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5499 raise Exception("Key handshake with the AP timed out")
5500 if dev
[0].get_status_field("tls_session_reused") != '1':
5501 raise Exception("Session resumption not used on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5511, 5514, 5517 and 5520 inside this function: the end of the
# eap_connect() call and the conditions guarding the two timeout raises are
# not visible. Read the function from the repository before relying on it.
5503 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5504 """EAP-TTLS session resumption disabled on server"""
5505 params
= int_eap_server_params()
# tls_session_lifetime=0 disables server-side session caching, so the
# second authentication must NOT report a reused session.
5506 params
['tls_session_lifetime'] = '0'
5507 hapd
= hostapd
.add_ap(apdev
[0], params
)
5508 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5509 anonymous_identity
="ttls", password
="password",
5510 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5512 if dev
[0].get_status_field("tls_session_reused") != '0':
5513 raise Exception("Unexpected session resumption on the first connection")
5515 dev
[0].request("REAUTHENTICATE")
5516 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5518 raise Exception("EAP success timed out")
5519 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5521 raise Exception("Key handshake with the AP timed out")
5522 if dev
[0].get_status_field("tls_session_reused") != '0':
5523 raise Exception("Unexpected session resumption on the second connection")
# NOTE(review): the gutter numbering of this rendering skips original lines
# 5537, 5540 and 5543 inside this function: the conditions guarding the two
# timeout raises are not visible. Read the function from the repository
# before relying on it.
5525 def test_eap_peap_session_resumption(dev
, apdev
):
5526 """EAP-PEAP session resumption"""
5527 check_eap_capa(dev
[0], "MSCHAPV2")
5528 params
= int_eap_server_params()
5529 params
['tls_session_lifetime'] = '60'
5530 hapd
= hostapd
.add_ap(apdev
[0], params
)
5531 check_tls_session_resumption_capa(dev
[0], hapd
)
5532 eap_connect(dev
[0], hapd
, "PEAP", "user",
5533 anonymous_identity
="peap", password
="password",
5534 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5535 if dev
[0].get_status_field("tls_session_reused") != '0':
5536 raise Exception("Unexpected session resumption on the first connection")
# Second authentication must resume the cached TLS session.
5538 dev
[0].request("REAUTHENTICATE")
5539 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5541 raise Exception("EAP success timed out")
5542 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5544 raise Exception("Key handshake with the AP timed out")
5545 if dev
[0].get_status_field("tls_session_reused") != '1':
5546 raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Same flow as the plain PEAP resumption test, but with PEAPv0 and
    crypto_binding=2 (required), so the resumed session must still complete
    the inner-method/outer-tunnel binding check before EAP-Success.

    Reconstructed from a garbled listing: the ``if ev is None`` guards were
    not visible and were restored from the surrounding pattern.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    No tls_session_lifetime is set, so the server defaults are used and a
    REAUTHENTICATE must result in a fresh full handshake both times
    (tls_session_reused=0).

    Reconstructed from a garbled listing: the ``if ev is None`` guards were
    not visible and were restored from the surrounding pattern.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Full handshake on the first connection, then two consecutive
    REAUTHENTICATE rounds that must both resume the cached session
    (tls_session_reused=1) within the 60 s lifetime.

    Reconstructed from a garbled listing: the ``if ev is None`` guards were
    not visible and were restored from the surrounding pattern.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    def reauthenticate():
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    for ordinal in ("second", "third"):
        reauthenticate()
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection" % ordinal)
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption after cache lifetime expiration

    tls_session_lifetime=1 caches the first full handshake for one second
    only; a later REAUTHENTICATE must fall back to a full handshake
    (tls_session_reused=0). Resuming after expiry would mean stale
    authentication state is accepted by the server.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # exactly at the lifetime boundary.
    # NOTE(review): the loop header and the delay between attempts were not
    # visible in this listing; a delay longer than the 1 s lifetime is needed
    # for the entry to expire -- verify against the upstream file.
    for _attempt in range(10):
        time.sleep(1.2)
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    Server defaults (no tls_session_lifetime configured): both the initial
    connection and the REAUTHENTICATE must be full handshakes.

    Reconstructed from a garbled listing: the ``if ev is None`` guards were
    not visible and were restored from the surrounding pattern.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, what in (("CTRL-EVENT-EAP-SUCCESS", "EAP success"),
                        ("WPA: Key negotiation completed",
                         "Key handshake with the AP")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(what + " timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    The EAP server runs as a separate hostapd instance (apdev[1]) reached
    over RADIUS on port 18128; the AP on apdev[0] only proxies EAP. The
    resumed session must therefore survive the RADIUS round trip and the
    second connection must report tls_session_reused=1.

    Reconstructed from a garbled listing: the ``if ev is None`` guards and
    one line of the server parameter dict were not visible.
    """
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 # NOTE(review): one dict entry was missing from the listing
                 # at this position; the integrated EAP server has to be
                 # enabled for the RADIUS server to work -- verify.
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same RADIUS split as the resumption test, but the authentication server
    sets tls_session_lifetime=0 so every connection must be a full handshake.

    Reconstructed from a garbled listing: the ``if ev is None`` guards and
    one line of the server parameter dict were not visible.
    """
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 # NOTE(review): one dict entry was missing from the listing
                 # at this position; the integrated EAP server has to be
                 # enabled for the RADIUS server to work -- verify.
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
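def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Injects failures into the MSCHAPv2 response derivation, the RNG used for
    the peer challenge, and the allocations of the EAP-MSCHAPv2 peer method,
    and checks that each injected failure is actually hit
    (wait_fail_trigger) without the connection proceeding. The final group
    exercises the same init path when MSCHAPv2 runs as the EAP-FAST inner
    method.

    Change versus the listing: the fault vector
    "nt_password_hash;=mschapv2_derive_response" appeared twice in the first
    list and ran the identical injection twice; the duplicate is dropped.
    Reconstructed from a garbled listing: trailing scan_freq arguments that
    were not visible were restored from the surrounding pattern.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Baseline: a clean connection must work before faults are injected.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def run_faulted(injector, trigger, **net_args):
        # Connect with the given fault injector active, wait until the
        # injected failure has fired, then tear the network down.
        with injector:
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                           wait_connect=False, scan_freq="2412", **net_args)
            wait_fail_trigger(dev[0], trigger)
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Crypto primitive failures while deriving the response from a
    # plaintext password.
    pw_vectors = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                  (1, "nt_password_hash;mschapv2_derive_response"),
                  (1, "nt_password_hash;=mschapv2_derive_response"),
                  (1, "generate_nt_response;mschapv2_derive_response"),
                  (1, "generate_authenticator_response;mschapv2_derive_response"),
                  (1, "get_master_key;mschapv2_derive_response"),
                  (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in pw_vectors:
        run_faulted(fail_test(dev[0], count, func), "GET_FAIL",
                    eap="MSCHAPV2", identity="phase1-user",
                    password="password")

    # Same derivation, but starting from a pre-hashed NT password
    # (the hex below is the NT hash corresponding to "password").
    pwhash_vectors = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                      (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                      (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                      (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in pwhash_vectors:
        run_faulted(fail_test(dev[0], count, func), "GET_FAIL",
                    eap="MSCHAPV2", identity="phase1-user",
                    password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Allocation failures in the EAP-MSCHAPv2 peer method.
    alloc_vectors = [(1, "eap_mschapv2_init"),
                     (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                     (1, "eap_msg_alloc;eap_mschapv2_success"),
                     (1, "eap_mschapv2_getKey")]
    for count, func in alloc_vectors:
        run_faulted(alloc_fail(dev[0], count, func), "GET_ALLOC_FAIL",
                    eap="MSCHAPV2", identity="phase1-user",
                    password="password")

    # Allocation failure on the failure-response path needs a rejected
    # password to be reached.
    run_faulted(alloc_fail(dev[0], 1, "eap_msg_alloc;eap_mschapv2_failure"),
                "GET_ALLOC_FAIL", eap="MSCHAPV2", identity="phase1-user",
                password="wrong password")

    # eap_mschapv2_init when MSCHAPv2 is the EAP-FAST inner method.
    for count in (2, 3):
        run_faulted(alloc_fail(dev[0], count, "eap_mschapv2_init"),
                    "GET_ALLOC_FAIL", eap="FAST",
                    anonymous_identity="FAST", identity="user",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac")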
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Injects failures into GPSK key derivation, MIC computation/validation
    and the RNG, then into the method's allocations (including the ERP
    EMSK/session-id paths), and checks each injected failure fires without
    the connection completing.

    Reconstructed from a garbled listing: the phase1 values of four fault
    vectors were not visible; they were restored from the cipher suite the
    faulted function implies (AES-CMAC MIC -> cipher=1, HMAC-SHA256 MIC ->
    cipher=2) -- verify against the upstream file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password=gpsk_psk,
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    fail_vectors = [
        (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=1"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=2"),
        (1, "eap_gpsk_derive_keys_helper", None),
        (2, "eap_gpsk_derive_keys_helper", None),
        (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=1"),
        (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=2"),
        (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
        (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
        (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in fail_vectors:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password=gpsk_psk,
                           phase1=phase1,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    alloc_vectors = [
        (1, "eap_gpsk_init"),
        (2, "eap_gpsk_init"),
        (3, "eap_gpsk_init"),
        (1, "eap_gpsk_process_id_server"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_keys"),
        (1, "eap_gpsk_derive_keys_helper"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
        (1, "eap_gpsk_getKey"),
        (1, "eap_gpsk_get_emsk"),
        (1, "eap_gpsk_get_session_id")]
    for count, func in alloc_vectors:
        with alloc_fail(dev[0], count, func):
            # ERP is enabled (and its cache flushed) so the EMSK and
            # session-id derivation paths are exercised too.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user@domain", erp="1",
                           password=gpsk_psk,
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
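def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Drives hostapd's eap_sim_db client over a private hlr_auc_gw UNIX
    datagram socket through three situations: no server listening at all,
    a server that only returns malformed or unknown responses, and a server
    that relays the request to a real hlr_auc_gw process. The first two
    must end in EAP-Failure -- a parser failure on the backend response
    must never turn into a successful authentication -- and the last must
    connect.

    Change versus the listing: the hlr_auc_gw child is now reaped
    (stdout closed, wait()) instead of being left to the GC.
    Reconstructed from a garbled listing: the stale-socket cleanup, the
    ``handle`` method headers, the ``if ev is None`` guards and the
    hlr_auc_gw argument line were not visible -- see the NOTE(review)
    comments.
    """
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # NOTE(review): cleanup lines not visible in the listing; a socket file
    # left by an earlier run would make the bind below fail -- verify.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                            eap="SIM", identity="1232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                            scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP-ERROR-CODE"], timeout=10)
    if ev is None:
        raise Exception("EAP method specific error code not reported")
    if int(ev.split()[1]) != 16384:
        raise Exception("Unexpected EAP method specific error code: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Each of these must be rejected by hostapd's response parser;
            # the pending request then runs into its timeout.
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # NOTE(review): two lines between server creation and select_network
    # were not visible in the listing.

    dev[0].select_network(net_id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # argv list, no shell: the request string coming from the socket
            # is passed as a single argument and cannot be shell-interpreted.
            # NOTE(review): the argument line was not visible in the listing;
            # the Milenage DB file and the request must be passed here --
            # verify the exact option against hlr_auc_gw usage.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            cmd.stdout.close()
            cmd.wait()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    server.RequestHandlerClass = test_handler2

    dev[0].select_network(net_id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()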
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server and CA certificates are SHA-512 signed; dev[0] presents a
    SHA-512 signed client certificate and dev[1] a SHA-384 signed one,
    both chaining to the same CA.

    Reconstructed from a garbled listing: the trailing scan_freq arguments
    were not visible and were restored from the surrounding pattern.
    """
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha512-server.pem"
    ap_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    for sta, digest in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % digest,
                    private_key="auth_serv/%s-user.key" % digest,
                    scan_freq="2412")
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Same as the SHA-512 case but the server certificate is SHA-384 signed
    (still under the SHA-512 signed CA).

    Reconstructed from a garbled listing: the trailing scan_freq arguments
    were not visible and were restored from the surrounding pattern.
    """
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    ap_params["server_cert"] = "auth_serv/sha384-server.pem"
    ap_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], ap_params)

    for sta, digest in ((dev[0], "sha512"), (dev[1], "sha384")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert="auth_serv/%s-user.pem" % digest,
                    private_key="auth_serv/%s-user.key" % digest,
                    scan_freq="2412")
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Overrides the RSN IE the station puts into its association request
    (set_test_assoc_ie) and checks how the AP handles it. Truncated but
    well-formed IEs must still associate; IEs selecting a cipher or MFP
    policy the AP does not allow must be rejected with the expected
    IEEE 802.11 status code, i.e. the AP must not silently accept a
    weaker cipher selection from the station.

    Reconstructed from a garbled listing: per-case logging lines and the
    trailing scan_freq arguments were not visible and were restored from the
    surrounding pattern.
    """
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    mfp_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    mfp_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], mfp_params)

    def connect_ok(ssid, ie, **extra):
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user", password=gpsk_psk,
                       scan_freq="2412", **extra)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def connect_rejected(ssid, ie, status, **extra):
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user", password=gpsk_psk,
                       scan_freq="2412", wait_connect=False, **extra)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    # (group CCMP, pairwise CCMP, AKM IEEE 802.1X in the full form).
    accepted = [("Normal wpa_supplicant assoc req RSN IE",
                 "30140100000fac040100000fac040100000fac010000"),
                ("Extra PMKIDCount field in RSN IE",
                 "30160100000fac040100000fac040100000fac0100000000"),
                ("Extra Group Management Cipher Suite in RSN IE",
                 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                ("Extra undefined extension field in RSN IE",
                 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                ("RSN IE without RSN Capabilities",
                 "30120100000fac040100000fac040100000fac01"),
                ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                ("RSN IE without pairwise", "30060100000fac04"),
                ("RSN IE without group", "30020100")]
    for title, ie in accepted:
        logger.info(title)
        connect_ok("test-wpa2-eap", ie)

    # MFP-required AP: MFP-capable RSN capabilities must associate.
    accepted_mfp = [("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac01cc00"),
                    ("Group management cipher included in assoc req RSN IE",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in accepted_mfp:
        logger.info(title)
        connect_ok("test-wpa2-eap-11w", ie, ieee80211w="1")

    # Cipher selections the AP does not allow: status 41 (invalid group
    # cipher) and 42 (invalid pairwise cipher).
    rejected = [("Invalid group cipher", "30060100000fac02", 41),
                ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in rejected:
        logger.info(title)
        connect_rejected("test-wpa2-eap", ie, status)

    # MFP-required AP: no MFP capability (status 31) or an unsupported
    # management group cipher (status 46) must be rejected.
    rejected_mfp = [("Management frame protection not enabled",
                     "30140100000fac040100000fac040100000fac010000", 31),
                    ("Unsupported management group cipher",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
    for title, ie, status in rejected_mfp:
        logger.info(title)
        connect_rejected("test-wpa2-eap-11w", ie, status, ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation

    Configures ca_cert, so the internal chain validation runs in addition
    to the external check driven by run_ext_cert_check().
    """
    # With internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation

    No ca_cert is configured here, so the external check exercised by
    run_ext_cert_check() is the only thing standing between the supplicant
    and a rogue server; the EAP-Failure on a "bad" verdict is what proves
    the supplicant honours it.
    """
    # Without internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation

    Configures ca_cert, so the internal chain validation runs in addition
    to the external check driven by run_ext_cert_check().
    """
    # With internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation

    Uses authenticated provisioning (fast_provisioning=2) with an empty PAC
    blob so the first connection really performs a server-authenticated TLS
    handshake, which is what the external check inspects.

    Reconstructed from a garbled listing: the trailing scan_freq argument
    was not visible and was restored from the surrounding pattern.
    """
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
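def run_ext_cert_check(dev, apdev, net_id):
    """Drive the tls_ext_cert_check flow for the already-added network net_id.

    Collects the server certificate chain from CTRL-EVENT-EAP-PEER-CERT
    events, waits for the CTRL-REQ-EXT_CERT_CHECK prompt, inspects the leaf
    and issuer, and verifies the two properties that make the mechanism
    safe: (1) EAP-Success must not arrive before the external verdict is
    delivered, and (2) a "bad" verdict on a fresh (PMKSA-flushed) attempt
    must end in EAP-Failure. The CN checks are fixtures of the hwsim test
    CA, not a model of a production checker, which must validate the chain
    and trust anchor rather than only the CN.

    Changes versus the listing: the local ``id`` no longer shadows the
    builtin, CN logging tolerates a missing commonName (reports "None"
    instead of a TypeError), and event parsing lives in a helper.
    Reconstructed from a garbled listing: the loop/initialisation lines and
    the ``if ev is None`` guards were not visible and were restored from the
    surrounding pattern.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def peer_cert_from_event(ev):
        # Return (depth, der_bytes) from a CTRL-EVENT-EAP-PEER-CERT line,
        # or (None, None) when either field is missing.
        depth = None
        cert_hex = None
        for v in ev.split(' '):
            if v.startswith("depth="):
                depth = int(v.split('=')[1])
            elif v.startswith("cert="):
                cert_hex = v.split('=')[1]
        if depth is None or not cert_hex:
            return None, None
        return depth, binascii.unhexlify(cert_hex)

    dev[0].select_network(net_id)

    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth, der = peer_cert_from_event(ev)
            if depth is not None:
                certs[depth] = der
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # The supplicant must block on the external verdict.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            req_id = ev.split(':')[0].split('-')[-1]
            break

    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    leaf = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = leaf.get_subject().commonName
    logger.info("Server certificate CN=%s" % cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=%s" % icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: %s" % cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: %s" % icn)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev is not None:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush PMKSA so the reconnect runs a full EAP exchange (and hence the
    # external check again) instead of being short-cut by PMKSA caching.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()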
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases

    Allocation-failure injection into the EAP-TLS, UNAUTH-TLS and
    WFA-UNAUTH-TLS peer methods (fragment reassembly with a small
    fragment_size, init, TLS context setup, key/session-id derivation).
    Each injected failure must fire and the connection must not proceed.

    Reconstructed from a garbled listing: the loop header, two fault vectors
    of the key-derivation list, the ERP argument and one network argument of
    the eap_peer_tls_ssl_init case were not visible -- see NOTE(review).
    """
    params = int_eap_server_params()
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)

    tls_net = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key")

    def run_alloc_fail(func, **net_args):
        # Connect with the allocation fault armed, wait for it to trigger,
        # then tear the network down.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", wait_connect=False,
                           scan_freq="2412", **net_args)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    run_alloc_fail("eap_peer_tls_reassemble_fragment", **tls_net)
    run_alloc_fail("eap_tls_init", **tls_net)

    # NOTE(review): one network argument of this case was not visible in the
    # listing; the CTRL-REQ-PIN expectation below implies a PIN-protected key
    # configuration (engine) -- verify against the upstream file.
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", engine="1",
                       wait_connect=False, scan_freq="2412", **tls_net)
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        if ev is None:
            raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # NOTE(review): two entries of this list were not visible; restored by
    # analogy with the GPSK getKey/get_emsk/get_session_id vectors -- verify.
    derive_funcs = ["eap_peer_tls_derive_key;eap_tls_success",
                    "eap_peer_tls_derive_session_id;eap_tls_success",
                    "eap_tls_getKey",
                    "eap_tls_get_emsk",
                    "eap_tls_get_session_id"]
    erp_net = dict(tls_net, identity="tls user@domain", erp="1")
    for func in derive_funcs:
        run_alloc_fail(func, **erp_net)

    unauth_net = dict(key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                      identity="unauth-tls", ca_cert="auth_serv/ca.pem")
    run_alloc_fail("eap_unauth_tls_init", **unauth_net)
    run_alloc_fail("eap_peer_tls_ssl_init;eap_unauth_tls_init", **unauth_net)

    wfa_net = dict(key_mgmt="WPA-EAP", eap="WFA-UNAUTH-TLS",
                   identity="osen@example.com", ca_cert="auth_serv/ca.pem")
    run_alloc_fail("eap_wfa_unauth_tls_init", **wfa_net)
    run_alloc_fail("eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init", **wfa_net)
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information

    Polls STATUS-VERBOSE as fast as possible while a PEAP/EAP-TLS
    authentication runs and records every distinct value seen for the EAP
    state, methodState, decision, reqMethod and selectedMethod fields.
    The busy loop is deliberate: transient states are only observable
    without a delay between polls. The test passes once SUCCESS is seen.

    Reconstructed from a garbled listing: list initialisation, the
    ``break`` on SUCCESS, the final SUCCESS check and the key name of the
    decision field were not visible -- see NOTE(review).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)

    # NOTE(review): the status key feeding ``decisions`` was not visible in
    # the listing; "decision" is assumed from the variable name -- verify.
    tracked = [("EAP state", []),
               ("methodState", []),
               ("decision", []),
               ("reqMethod", []),
               ("selectedMethod", [])]
    seen = dict(tracked)
    states = seen["EAP state"]

    iterations = 0
    for iterations in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        for key, values in tracked:
            if key in s and s[key] not in values:
                values.append(s[key])
        if 'EAP state' in s and s['EAP state'] == "SUCCESS":
            break

    logger.info("Iterations: %d" % iterations)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(seen["methodState"]))
    logger.info("decisions: " + str(seen["decision"]))
    logger.info("reqMethods: " + str(seen["reqMethod"]))
    logger.info("selectedMethods: " + str(seen["selectedMethod"]))
    if "SUCCESS" not in states:
        raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

    Configures a short wpa_ptk_rekey interval on the AP, connects with
    EAP-GPSK, waits for the AP-triggered key negotiation and then verifies
    that data connectivity still works after the rekey.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short rekey interval so the AP-initiated PTK rekey happens while the
    # test is still running.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): 'id' shadows the builtin and is not read again in this
    # function; the return value of eap_connect is effectively discarded.
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    # The next key-negotiation event after eap_connect() returns is taken
    # to be the AP-enforced rekey.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    # NOTE(review): source line 6362 (the condition guarding this raise,
    # presumably a None check on ev) is missing from this rendering.
    raise Exception("PTK rekey timed out")
    # Connectivity after the rekey is the actual check: a wrong PTK on
    # either side would make this fail.
    hwsim_utils.test_connectivity(dev[0], hapd)
def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID

    The network block is selected by BSSID only (no ssid argument is passed
    to connect()), which exercises the wildcard-SSID matching path.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # No ssid positional argument: only bssid identifies the target AP.
    dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # NOTE(review): source lines 6373-6374 are missing from
                   # this rendering; the remaining keyword arguments and the
                   # closing parenthesis of this call are not visible.
def test_ap_wpa2_eap_psk_mac_addr_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK after MAC address change

    Changes the station's MAC address externally with ``ip link``, restores
    it while the wpa_supplicant process is stopped with SIGSTOP, and then
    checks that an EAP-PSK connection still succeeds and that the original
    address is reported again. Presumably needs enough privilege to run
    ``ip link set`` and to signal the wpa_supplicant process.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Locate the wpa_supplicant process serving dev[0] by scanning the
    # process list for a command line that names the interface; the PID is
    # the first column of 'ps -o pid,command'.
    cmd = subprocess.Popen(['ps', '-eo', 'pid,command'], stdout=subprocess.PIPE)
    res = cmd.stdout.read()
    # NOTE(review): res is the raw stdout of ps. On Python 3 this is bytes
    # and the str 'in' tests below would raise TypeError — confirm which
    # interpreter this file targets.
    # NOTE(review): source lines 6382-6383 are missing from this rendering;
    # any initial value assigned to pid before the loop is not visible.
    for p in res.splitlines():
        if "wpa_supplicant" not in p:
            # NOTE(review): source line 6386 (this branch's body) is missing
            # from this rendering.
        if dev[0].ifname not in p:
            # NOTE(review): source line 6388 (this branch's body) is missing
            # from this rendering.
        pid = int(p.strip().split(' ')[0])
    # NOTE(review): source lines 6390 and 6392 are missing; the two log calls
    # below are presumably the arms of a found / not-found branch on pid.
    logger.info("Could not find wpa_supplicant PID")
    logger.info("wpa_supplicant PID %d" % pid)
    # NOTE(review): the not-found case only logs, yet os.kill(pid, ...) is
    # still reached further down. If pid is 0 at that point the signal goes
    # to the caller's whole process group; raising or skipping the test
    # when no PID is found would be safer — confirm against the full source.

    addr = dev[0].get_status_field("address")
    # Externally set a locally administered test address: down / address /
    # up. The return codes of 'ip' are not checked; the status comparison
    # right after is the only verification that the change took effect.
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
                     '02:11:22:33:44:55'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])
    addr1 = dev[0].get_status_field("address")
    if addr1 != '02:11:22:33:44:55':
        raise Exception("Failed to change MAC address")

    # Scan using the externally set MAC address, stop the wpa_supplicant
    # process to avoid it from processing the ifdown event before the interface
    # is already UP, change the MAC address back, allow the wpa_supplicant
    # process to continue. This will result in the ifdown + ifup sequence of
    # RTM_NEWLINK events to be processed while the interface is already UP.

    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    os.kill(pid, signal.SIGSTOP)
    # NOTE(review): source lines 6412-6413 are missing from this rendering.

    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'down'])
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'address',
                     # NOTE(review): source line 6416 (the address argument
                     # being restored and the closing bracket of this call)
                     # is missing from this rendering.
    subprocess.call(['ip', 'link', 'set', 'dev', dev[0].ifname, 'up'])

    # Let wpa_supplicant resume and process the queued link events.
    os.kill(pid, signal.SIGCONT)

    eap_connect(dev[0], hapd, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    addr2 = dev[0].get_status_field("address")
    # NOTE(review): source line 6425 (the comparison guarding this raise,
    # presumably addr against addr2) is missing from this rendering; the
    # visible text ends at the raise below.
    raise Exception("Failed to restore MAC address")