1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger shared by every test in this file. No name is given, so
# this is the root logger (getLogger(None) and getLogger() are the same call).
logger = logging.getLogger(None)
22 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
23 from wpasupplicant
import WpaSupplicant
24 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
28 openssl_imported
= True
30 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw helper socket is present.

    The EAP-SIM/EAP-AKA tests in this file call this first: they need the
    HLR/AuC gateway reachable through the UNIX socket /tmp/hlr_auc_gw.sock.
    Only the existence of that path is checked; nothing here verifies what
    is listening on it or who owns it, so a stale or foreign socket file in
    /tmp makes the tests run (and then fail) rather than skip.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev
, method
):
37 res
= dev
.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip unless dev's TLS library is OpenSSL, which implements subject_match.

    The library name is read over the control interface ("GET tls_library");
    any reply not starting with "OpenSSL" skips the test instead of failing
    it, so a skip here is not evidence that subject_match is enforced.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip unless dev's TLS library is OpenSSL, which implements altsubject_match.

    Mirrors check_subject_match_support: the library name comes from
    "GET tls_library" and anything other than an "OpenSSL..." reply turns
    the test into a skip.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip when dev uses the internal TLS implementation (no domain_match there).

    Unlike the subject_match checks, every library except "internal" is
    accepted. Because this skips rather than fails, a build on the internal
    TLS code passes the suite without its domain_match behaviour being
    exercised at all.

    Raises:
        HwsimSkip: when "GET tls_library" reports the internal library.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when dev uses the internal TLS implementation (no domain_suffix_match).

    Same guard as check_domain_match, for the suffix variant: only a library
    name starting with "internal" causes a skip. Skipped tests do not prove
    the suffix matching is enforced on that build.

    Raises:
        HwsimSkip: when "GET tls_library" reports the internal library.
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip unless dev's TLS library is OpenSSL.

    Used by tests that rely on domain_suffix_match accepting a real suffix
    match; the skip message records that other libraries require a full
    match instead, so those tests would fail for the wrong reason there.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless dev's TLS library is OpenSSL or the internal implementation.

    Certificate probing (fetching the server certificate without completing
    the authentication) is only exercised on those two backends; any other
    "GET tls_library" reply skips the test.

    Raises:
        HwsimSkip: when the library is neither "OpenSSL..." nor "internal...".
    """
    lib = dev.request("GET tls_library")
    # str.startswith accepts a tuple: either prefix is enough.
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless dev's TLS library is OpenSSL, which supports ext_cert_check.

    ext_cert_check hands server-certificate validation to an external
    program over the control interface; only the OpenSSL backend is
    accepted here.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    openssl = lib.startswith("OpenSSL")
    if not openssl:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Placeholder guard for the OCSP tests; currently never skips.

    The skip conditions for the internal TLS implementation and for
    BoringSSL are disabled (they survive only as commented-out code in the
    original), so the OCSP tests run against every TLS backend. The
    "GET tls_library" query is still issued so the library name is fetched
    exactly as before; its value is not acted upon.
    """
    _lib = dev.request("GET tls_library")
    # Disabled skip conditions, kept for reference:
    #   tls.startswith("internal") -> "OCSP not supported with this TLS library: " + tls
    #   "BoringSSL" in tls         -> "OCSP not supported with this TLS library: " + tls
def check_ocsp_multi_support(dev):
    """Skip unless both the station and the authentication server use the internal TLS code.

    ocsp_multi is only exercised with the internal TLS implementation on
    both ends. The station side is checked through dev; the server side
    through the hostapd instance named "as", which is the authentication
    server in this test setup.

    Raises:
        HwsimSkip: if dev's TLS library is not "internal", or if the
            authentication server's library is not "internal".
    """
    station_lib = dev.request("GET tls_library")
    if not station_lib.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + station_lib)

    server_lib = hostapd.Hostapd("as").request("GET tls_library")
    if not server_lib.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Placeholder guard for the PKCS#12 tests; currently never skips.

    The skip for the internal TLS implementation is disabled (left as
    commented-out code in the original), so PKCS#12 tests run on every
    backend. The "GET tls_library" query is still performed; its result
    is ignored.
    """
    _lib = dev.request("GET tls_library")
    # Disabled skip condition, kept for reference:
    #   tls.startswith("internal") -> "PKCS#12 not supported with this TLS library: " + tls
def check_dh_dsa_support(dev):
    """Skip when dev uses the internal TLS implementation (no DSA-based DH params).

    Every other "GET tls_library" reply is accepted. As with the other
    guards here, a skip means the feature is untested on that build, not
    that it is known to work.

    Raises:
        HwsimSkip: when the reported TLS library is the internal one.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
104 with
open(fname
, "r") as f
:
105 lines
= f
.readlines()
113 if "-----BEGIN" in l
:
115 return base64
.b64decode(cert
)
117 def eap_connect(dev
, ap
, method
, identity
,
118 sha256
=False, expect_failure
=False, local_error_report
=False,
119 maybe_local_error
=False, **kwargs
):
120 hapd
= hostapd
.Hostapd(ap
['ifname'])
121 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
122 eap
=method
, identity
=identity
,
123 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
125 eap_check_auth(dev
, method
, True, sha256
=sha256
,
126 expect_failure
=expect_failure
,
127 local_error_report
=local_error_report
,
128 maybe_local_error
=maybe_local_error
)
131 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
133 raise Exception("No connection event received from hostapd")
136 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
137 expect_failure
=False, local_error_report
=False,
138 maybe_local_error
=False):
139 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
141 raise Exception("Association and EAP start timed out")
142 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
143 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
145 raise Exception("EAP method selection timed out")
146 if "CTRL-EVENT-EAP-FAILURE" in ev
:
147 if maybe_local_error
:
149 raise Exception("Could not select EAP method")
151 raise Exception("Unexpected EAP method")
153 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
155 raise Exception("EAP failure timed out")
156 ev
= dev
.wait_disconnected(timeout
=10)
157 if maybe_local_error
and "locally_generated=1" in ev
:
159 if not local_error_report
:
160 if "reason=23" not in ev
:
161 raise Exception("Proper reason code for disconnection not reported")
163 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
165 raise Exception("EAP success timed out")
168 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
170 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
172 raise Exception("Association with the AP timed out")
173 status
= dev
.get_status()
174 if status
["wpa_state"] != "COMPLETED":
175 raise Exception("Connection not completed")
177 if status
["suppPortStatus"] != "Authorized":
178 raise Exception("Port not authorized")
179 if "selectedMethod" not in status
:
180 logger
.info("Status: " + str(status
))
181 raise Exception("No selectedMethod in status")
182 if method
not in status
["selectedMethod"]:
183 raise Exception("Incorrect EAP method status")
185 e
= "WPA2-EAP-SHA256"
187 e
= "WPA2/IEEE 802.1X/EAP"
189 e
= "WPA/IEEE 802.1X/EAP"
190 if status
["key_mgmt"] != e
:
191 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP re-authentication on dev and verify the outcome.

    Sends the REAUTHENTICATE control command and then runs the same event
    and status checks as an initial connection, via eap_check_auth with
    initial=False, so a stalled, failed or wrongly negotiated exchange
    raises the same exceptions it would on first connect.

    Args:
        dev: wpa_supplicant instance under test.
        method: EAP method name expected in the supplicant status
            (e.g. "SIM", "AKA").
        rsn: forwarded to eap_check_auth; appears to select which
            key_mgmt string is expected (WPA2 vs WPA) -- confirm there.
        sha256: forwarded; expect the WPA2-EAP-SHA256 key_mgmt variant.
        expect_failure: forwarded; expect CTRL-EVENT-EAP-FAILURE and a
            disconnection instead of success.

    Returns:
        The result of eap_check_auth.

    NOTE: eap_check_auth's local_error_report and maybe_local_error
    options are not exposed here; they keep their defaults (False) on
    re-authentication, so the disconnect reason-code check is strict.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn,
                             sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
199 def test_ap_wpa2_eap_sim(dev
, apdev
):
200 """WPA2-Enterprise connection using EAP-SIM"""
201 check_hlr_auc_gw_support()
202 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
203 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
204 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
205 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
206 hwsim_utils
.test_connectivity(dev
[0], hapd
)
207 eap_reauth(dev
[0], "SIM")
209 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
210 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
211 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
212 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
215 logger
.info("Negative test with incorrect key")
216 dev
[0].request("REMOVE_NETWORK all")
217 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
218 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
221 logger
.info("Invalid GSM-Milenage key")
222 dev
[0].request("REMOVE_NETWORK all")
223 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
224 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
227 logger
.info("Invalid GSM-Milenage key(2)")
228 dev
[0].request("REMOVE_NETWORK all")
229 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
230 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
233 logger
.info("Invalid GSM-Milenage key(3)")
234 dev
[0].request("REMOVE_NETWORK all")
235 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
236 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
239 logger
.info("Invalid GSM-Milenage key(4)")
240 dev
[0].request("REMOVE_NETWORK all")
241 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
242 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
245 logger
.info("Missing key configuration")
246 dev
[0].request("REMOVE_NETWORK all")
247 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
250 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
251 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
252 check_hlr_auc_gw_support()
256 raise HwsimSkip("No sqlite3 module available")
257 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
258 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
259 params
['auth_server_port'] = "1814"
260 hostapd
.add_ap(apdev
[0]['ifname'], params
)
261 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
262 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
264 logger
.info("SIM fast re-authentication")
265 eap_reauth(dev
[0], "SIM")
267 logger
.info("SIM full auth with pseudonym")
270 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
271 eap_reauth(dev
[0], "SIM")
273 logger
.info("SIM full auth with permanent identity")
276 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
277 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
278 eap_reauth(dev
[0], "SIM")
280 logger
.info("SIM reauth with mismatching MK")
283 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
284 eap_reauth(dev
[0], "SIM", expect_failure
=True)
285 dev
[0].request("REMOVE_NETWORK all")
287 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
288 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
291 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
292 eap_reauth(dev
[0], "SIM")
295 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 logger
.info("SIM reauth with mismatching counter")
297 eap_reauth(dev
[0], "SIM")
298 dev
[0].request("REMOVE_NETWORK all")
300 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
301 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
304 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
305 logger
.info("SIM reauth with max reauth count reached")
306 eap_reauth(dev
[0], "SIM")
308 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
309 """EAP-SIM configuration options"""
310 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
311 hostapd
.add_ap(apdev
[0]['ifname'], params
)
312 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
313 identity
="1232010000000000",
314 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
315 phase1
="sim_min_num_chal=1",
316 wait_connect
=False, scan_freq
="2412")
317 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
319 raise Exception("No EAP error message seen")
320 dev
[0].request("REMOVE_NETWORK all")
322 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
323 identity
="1232010000000000",
324 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
325 phase1
="sim_min_num_chal=4",
326 wait_connect
=False, scan_freq
="2412")
327 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
329 raise Exception("No EAP error message seen (2)")
330 dev
[0].request("REMOVE_NETWORK all")
332 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
333 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
334 phase1
="sim_min_num_chal=2")
335 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
336 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
337 anonymous_identity
="345678")
339 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
340 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
342 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
344 dev
[0].request("SET external_sim 0")
346 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
347 check_hlr_auc_gw_support()
348 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
349 hostapd
.add_ap(apdev
[0]['ifname'], params
)
350 dev
[0].request("SET external_sim 1")
351 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
352 identity
="1232010000000000",
353 wait_connect
=False, scan_freq
="2412")
354 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
356 raise Exception("Network connected timed out")
358 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
360 raise Exception("Wait for external SIM processing request timed out")
362 if p
[1] != "GSM-AUTH":
363 raise Exception("Unexpected CTRL-REQ-SIM type")
364 rid
= p
[0].split('-')[3]
367 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
368 # This will fail during processing, but the ctrl_iface command succeeds
369 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
370 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
372 raise Exception("EAP failure not reported")
373 dev
[0].request("DISCONNECT")
374 dev
[0].wait_disconnected()
377 dev
[0].select_network(id, freq
="2412")
378 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
380 raise Exception("Wait for external SIM processing request timed out")
382 if p
[1] != "GSM-AUTH":
383 raise Exception("Unexpected CTRL-REQ-SIM type")
384 rid
= p
[0].split('-')[3]
385 # This will fail during GSM auth validation
386 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
387 raise Exception("CTRL-RSP-SIM failed")
388 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
390 raise Exception("EAP failure not reported")
391 dev
[0].request("DISCONNECT")
392 dev
[0].wait_disconnected()
395 dev
[0].select_network(id, freq
="2412")
396 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
398 raise Exception("Wait for external SIM processing request timed out")
400 if p
[1] != "GSM-AUTH":
401 raise Exception("Unexpected CTRL-REQ-SIM type")
402 rid
= p
[0].split('-')[3]
403 # This will fail during GSM auth validation
404 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
405 raise Exception("CTRL-RSP-SIM failed")
406 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
408 raise Exception("EAP failure not reported")
409 dev
[0].request("DISCONNECT")
410 dev
[0].wait_disconnected()
413 dev
[0].select_network(id, freq
="2412")
414 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
416 raise Exception("Wait for external SIM processing request timed out")
418 if p
[1] != "GSM-AUTH":
419 raise Exception("Unexpected CTRL-REQ-SIM type")
420 rid
= p
[0].split('-')[3]
421 # This will fail during GSM auth validation
422 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
423 raise Exception("CTRL-RSP-SIM failed")
424 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
426 raise Exception("EAP failure not reported")
427 dev
[0].request("DISCONNECT")
428 dev
[0].wait_disconnected()
431 dev
[0].select_network(id, freq
="2412")
432 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
434 raise Exception("Wait for external SIM processing request timed out")
436 if p
[1] != "GSM-AUTH":
437 raise Exception("Unexpected CTRL-REQ-SIM type")
438 rid
= p
[0].split('-')[3]
439 # This will fail during GSM auth validation
440 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
441 raise Exception("CTRL-RSP-SIM failed")
442 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
444 raise Exception("EAP failure not reported")
445 dev
[0].request("DISCONNECT")
446 dev
[0].wait_disconnected()
449 dev
[0].select_network(id, freq
="2412")
450 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
452 raise Exception("Wait for external SIM processing request timed out")
454 if p
[1] != "GSM-AUTH":
455 raise Exception("Unexpected CTRL-REQ-SIM type")
456 rid
= p
[0].split('-')[3]
457 # This will fail during GSM auth validation
458 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
459 raise Exception("CTRL-RSP-SIM failed")
460 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
462 raise Exception("EAP failure not reported")
463 dev
[0].request("DISCONNECT")
464 dev
[0].wait_disconnected()
467 dev
[0].select_network(id, freq
="2412")
468 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
470 raise Exception("Wait for external SIM processing request timed out")
472 if p
[1] != "GSM-AUTH":
473 raise Exception("Unexpected CTRL-REQ-SIM type")
474 rid
= p
[0].split('-')[3]
475 # This will fail during GSM auth validation
476 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
477 raise Exception("CTRL-RSP-SIM failed")
478 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
480 raise Exception("EAP failure not reported")
482 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
483 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
485 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
487 dev
[0].request("SET external_sim 0")
489 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
490 check_hlr_auc_gw_support()
491 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
492 hostapd
.add_ap(apdev
[0]['ifname'], params
)
493 dev
[0].request("SET external_sim 1")
494 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
495 identity
="1232010000000000",
496 wait_connect
=False, scan_freq
="2412")
498 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
500 raise Exception("Wait for external SIM processing request timed out")
502 if p
[1] != "GSM-AUTH":
503 raise Exception("Unexpected CTRL-REQ-SIM type")
504 rid
= p
[0].split('-')[3]
505 rand
= p
[2].split(' ')[0]
507 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
509 "auth_serv/hlr_auc_gw.milenage_db",
510 "GSM-AUTH-REQ 232010000000000 " + rand
])
511 if "GSM-AUTH-RESP" not in res
:
512 raise Exception("Unexpected hlr_auc_gw response")
513 resp
= res
.split(' ')[2].rstrip()
515 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
516 dev
[0].wait_connected(timeout
=15)
517 dev
[0].request("DISCONNECT")
518 dev
[0].wait_disconnected()
520 # Replace SIM, but forget to drop the previous pseudonym identity
521 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
522 dev
[0].select_network(id, freq
="2412")
524 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
526 raise Exception("Wait for external SIM processing request timed out")
528 if p
[1] != "GSM-AUTH":
529 raise Exception("Unexpected CTRL-REQ-SIM type")
530 rid
= p
[0].split('-')[3]
531 rand
= p
[2].split(' ')[0]
533 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
535 "auth_serv/hlr_auc_gw.milenage_db",
536 "GSM-AUTH-REQ 232010000000009 " + rand
])
537 if "GSM-AUTH-RESP" not in res
:
538 raise Exception("Unexpected hlr_auc_gw response")
539 resp
= res
.split(' ')[2].rstrip()
541 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
542 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
544 raise Exception("EAP-Failure not reported")
545 dev
[0].request("DISCONNECT")
546 dev
[0].wait_disconnected()
548 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
549 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
551 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
553 dev
[0].request("SET external_sim 0")
555 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
556 check_hlr_auc_gw_support()
557 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
558 hostapd
.add_ap(apdev
[0]['ifname'], params
)
559 dev
[0].request("SET external_sim 1")
560 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
561 identity
="1232010000000000",
562 wait_connect
=False, scan_freq
="2412")
564 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p
[1] != "GSM-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid
= p
[0].split('-')[3]
571 rand
= p
[2].split(' ')[0]
573 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
575 "auth_serv/hlr_auc_gw.milenage_db",
576 "GSM-AUTH-REQ 232010000000000 " + rand
])
577 if "GSM-AUTH-RESP" not in res
:
578 raise Exception("Unexpected hlr_auc_gw response")
579 resp
= res
.split(' ')[2].rstrip()
581 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
582 dev
[0].wait_connected(timeout
=15)
583 dev
[0].request("DISCONNECT")
584 dev
[0].wait_disconnected()
586 # Replace SIM and drop the previous pseudonym identity
587 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
588 dev
[0].set_network(id, "anonymous_identity", "NULL")
589 dev
[0].select_network(id, freq
="2412")
591 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
593 raise Exception("Wait for external SIM processing request timed out")
595 if p
[1] != "GSM-AUTH":
596 raise Exception("Unexpected CTRL-REQ-SIM type")
597 rid
= p
[0].split('-')[3]
598 rand
= p
[2].split(' ')[0]
600 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
602 "auth_serv/hlr_auc_gw.milenage_db",
603 "GSM-AUTH-REQ 232010000000009 " + rand
])
604 if "GSM-AUTH-RESP" not in res
:
605 raise Exception("Unexpected hlr_auc_gw response")
606 resp
= res
.split(' ')[2].rstrip()
608 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
609 dev
[0].wait_connected()
610 dev
[0].request("DISCONNECT")
611 dev
[0].wait_disconnected()
613 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
614 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
616 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
618 dev
[0].request("SET external_sim 0")
620 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
621 check_hlr_auc_gw_support()
622 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
623 hostapd
.add_ap(apdev
[0]['ifname'], params
)
624 dev
[0].request("SET external_sim 1")
625 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
626 wait_connect
=False, scan_freq
="2412")
628 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
630 raise Exception("Request for identity timed out")
631 rid
= ev
.split(':')[0].split('-')[-1]
632 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
634 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
636 raise Exception("Wait for external SIM processing request timed out")
638 if p
[1] != "GSM-AUTH":
639 raise Exception("Unexpected CTRL-REQ-SIM type")
640 rid
= p
[0].split('-')[3]
641 rand
= p
[2].split(' ')[0]
643 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
645 "auth_serv/hlr_auc_gw.milenage_db",
646 "GSM-AUTH-REQ 232010000000000 " + rand
])
647 if "GSM-AUTH-RESP" not in res
:
648 raise Exception("Unexpected hlr_auc_gw response")
649 resp
= res
.split(' ')[2].rstrip()
651 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
652 dev
[0].wait_connected(timeout
=15)
653 dev
[0].request("DISCONNECT")
654 dev
[0].wait_disconnected()
656 # Replace SIM and drop the previous permanent and pseudonym identities
657 dev
[0].set_network(id, "identity", "NULL")
658 dev
[0].set_network(id, "anonymous_identity", "NULL")
659 dev
[0].select_network(id, freq
="2412")
661 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
663 raise Exception("Request for identity timed out")
664 rid
= ev
.split(':')[0].split('-')[-1]
665 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
667 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
669 raise Exception("Wait for external SIM processing request timed out")
671 if p
[1] != "GSM-AUTH":
672 raise Exception("Unexpected CTRL-REQ-SIM type")
673 rid
= p
[0].split('-')[3]
674 rand
= p
[2].split(' ')[0]
676 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
678 "auth_serv/hlr_auc_gw.milenage_db",
679 "GSM-AUTH-REQ 232010000000009 " + rand
])
680 if "GSM-AUTH-RESP" not in res
:
681 raise Exception("Unexpected hlr_auc_gw response")
682 resp
= res
.split(' ')[2].rstrip()
684 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
685 dev
[0].wait_connected()
686 dev
[0].request("DISCONNECT")
687 dev
[0].wait_disconnected()
689 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
690 """EAP-SIM with external GSM auth and auth failing"""
692 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
694 dev
[0].request("SET external_sim 0")
696 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
697 check_hlr_auc_gw_support()
698 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
699 hostapd
.add_ap(apdev
[0]['ifname'], params
)
700 dev
[0].request("SET external_sim 1")
701 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
702 identity
="1232010000000000",
703 wait_connect
=False, scan_freq
="2412")
705 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
707 raise Exception("Wait for external SIM processing request timed out")
709 rid
= p
[0].split('-')[3]
710 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
711 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
713 raise Exception("EAP failure not reported")
714 dev
[0].request("REMOVE_NETWORK all")
715 dev
[0].wait_disconnected()
717 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
718 """EAP-SIM and OOM"""
719 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
720 hostapd
.add_ap(apdev
[0]['ifname'], params
)
721 tests
= [ (1, "milenage_f2345"),
722 (2, "milenage_f2345"),
723 (3, "milenage_f2345"),
724 (4, "milenage_f2345"),
725 (5, "milenage_f2345"),
726 (6, "milenage_f2345"),
727 (7, "milenage_f2345"),
728 (8, "milenage_f2345"),
729 (9, "milenage_f2345"),
730 (10, "milenage_f2345"),
731 (11, "milenage_f2345"),
732 (12, "milenage_f2345") ]
733 for count
, func
in tests
:
734 with
fail_test(dev
[0], count
, func
):
735 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
736 identity
="1232010000000000",
737 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
738 wait_connect
=False, scan_freq
="2412")
739 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
741 raise Exception("EAP method not selected")
742 dev
[0].wait_disconnected()
743 dev
[0].request("REMOVE_NETWORK all")
745 def test_ap_wpa2_eap_aka(dev
, apdev
):
746 """WPA2-Enterprise connection using EAP-AKA"""
747 check_hlr_auc_gw_support()
748 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
749 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
750 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
751 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
752 hwsim_utils
.test_connectivity(dev
[0], hapd
)
753 eap_reauth(dev
[0], "AKA")
755 logger
.info("Negative test with incorrect key")
756 dev
[0].request("REMOVE_NETWORK all")
757 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
758 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
761 logger
.info("Invalid Milenage key")
762 dev
[0].request("REMOVE_NETWORK all")
763 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
764 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
767 logger
.info("Invalid Milenage key(2)")
768 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
769 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
772 logger
.info("Invalid Milenage key(3)")
773 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
774 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
777 logger
.info("Invalid Milenage key(4)")
778 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
779 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
782 logger
.info("Invalid Milenage key(5)")
783 dev
[0].request("REMOVE_NETWORK all")
784 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
785 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
788 logger
.info("Invalid Milenage key(6)")
789 dev
[0].request("REMOVE_NETWORK all")
790 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
791 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
794 logger
.info("Missing key configuration")
795 dev
[0].request("REMOVE_NETWORK all")
796 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
799 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
800 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
801 check_hlr_auc_gw_support()
805 raise HwsimSkip("No sqlite3 module available")
806 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
807 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
808 params
['auth_server_port'] = "1814"
809 hostapd
.add_ap(apdev
[0]['ifname'], params
)
810 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
811 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
813 logger
.info("AKA fast re-authentication")
814 eap_reauth(dev
[0], "AKA")
816 logger
.info("AKA full auth with pseudonym")
819 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
820 eap_reauth(dev
[0], "AKA")
822 logger
.info("AKA full auth with permanent identity")
825 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
826 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
827 eap_reauth(dev
[0], "AKA")
829 logger
.info("AKA reauth with mismatching MK")
832 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
833 eap_reauth(dev
[0], "AKA", expect_failure
=True)
834 dev
[0].request("REMOVE_NETWORK all")
836 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
837 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
840 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
841 eap_reauth(dev
[0], "AKA")
844 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
845 logger
.info("AKA reauth with mismatching counter")
846 eap_reauth(dev
[0], "AKA")
847 dev
[0].request("REMOVE_NETWORK all")
849 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
850 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
853 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
854 logger
.info("AKA reauth with max reauth count reached")
855 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Bring up a WPA2-Enterprise AP and connect with EAP-AKA using an
    # explicit anonymous_identity, so the pseudonym path of the
    # configuration is exercised rather than only the permanent identity.
    ssid = "test-wpa2-eap"
    ap_params = hostapd.wpa2_eap_params(ssid=ssid)
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Milenage test credentials: Ki:OPc:SQN as used throughout this file.
    aka_password = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                    "cb9cccc4b9258e6dca4760379fb82581:"
                    "000000000123")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=aka_password,
                anonymous_identity="2345678")
865 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
866 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
868 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
870 dev
[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Drive EAP-AKA through the external-SIM control interface.

    Every response handed back via CTRL-RSP-SIM is deliberately wrong
    (wrong auth type, malformed AUTS, malformed UMTS-AUTH), so each round
    must end in CTRL-EVENT-EAP-FAILURE rather than an association.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def wait_umts_auth_request():
        """Wait for a CTRL-REQ-SIM of type UMTS-AUTH and return its request id."""
        req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        # "CTRL-REQ-SIM-<id>" -> the id is the fourth '-'-separated piece
        return fields[0].split('-')[3]

    def expect_eap_failure():
        """The supplicant must report EAP failure, never a silent retry."""
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect_and_settle():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        # brief pause before clearing queued events (line not visible in this
        # rendering of the file; matches the sibling external-SIM tests)
        time.sleep(0.1)
        dev[0].dump_monitor()

    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    # Round 1: answer a UMTS-AUTH request with a GSM-AUTH response (IK:CK:RES
    # formatted). The ctrl_iface command itself is accepted; the type mismatch
    # is only detected while the response is processed.
    req_id = wait_umts_auth_request()
    auth_resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + req_id + ":GSM-AUTH:" + auth_resp)
    expect_eap_failure()
    disconnect_and_settle()

    # Round 2: two malformed UMTS-AUTS values in a row. Both commands are
    # accepted by the ctrl_iface and rejected during UMTS auth validation.
    dev[0].select_network(net_id, freq="2412")
    req_id = wait_umts_auth_request()
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    req_id = wait_umts_auth_request()
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + req_id + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    expect_eap_failure()
    disconnect_and_settle()

    # Round 3: one connection attempt per malformed UMTS-AUTH reply (bad
    # separators, short/long fields, non-hex digit). Each must be accepted by
    # the ctrl_iface and then fail validation.
    # NOTE(review): this rendering of the page drops one list entry right
    # after the first; upstream it is ":UMTS-AUTH:34" - confirm against the
    # repository before relying on this list.
    malformed_replies = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for reply in malformed_replies:
        dev[0].select_network(net_id, freq="2412")
        req_id = wait_umts_auth_request()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + req_id + reply):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
        disconnect_and_settle()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # Always clear external_sim on dev[0], even when the inner test raises.
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Report UMTS-FAIL from the external SIM and expect EAP failure.

    No password is configured on the network block: with external_sim the
    Milenage computation is expected to happen outside wpa_supplicant.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    sim_req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if sim_req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:..." -> request id is the fourth '-'-separated piece
    req_id = sim_req.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Test-only Milenage material for the hlr_auc_gw simulator.
    prime_pw = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111", password=prime_pw)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Both methods are offered by the peer; the check here is only that the
    # connection completes within the timeout.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=prime_pw,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the key differs from the one provisioned on the server.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # hostapd.db in the log directory is the EAP user database of the
    # SQL-backed server; its reauth/pseudonyms rows are edited directly to
    # steer the server through each fast re-authentication corner case.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def edit_db(*statements):
        # All statements are fixed literals (nothing interpolated). One
        # transaction per call: committed on clean exit, rolled back on error.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    permanent_id = "6555444333222111"
    prime_pw = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", permanent_id, password=prime_pw)

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
    edit_db("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
    edit_db("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    # A zeroed K_aut on the server side must make the fast reauth MAC check
    # fail; the client must not end up connected.
    edit_db("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", permanent_id, password=prime_pw)
    edit_db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    edit_db("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", permanent_id, password=prime_pw)
    edit_db("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # Always clear external_sim on dev[0], even when the inner test raises.
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Report UMTS-FAIL from the external SIM for EAP-AKA' and expect EAP failure."""
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].request("SET external_sim 1")
    # No password: with external_sim the UMTS computation is expected to be
    # done outside wpa_supplicant.
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    sim_req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if sim_req is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = sim_req.split(':', 2)
    # "CTRL-REQ-SIM-<id>" -> request id is the fourth '-'-separated piece
    req_id = fields[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + req_id + ":UMTS-FAIL")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    configured = ap.get_config()['key_mgmt']
    if configured.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured)
    # Inner PAP carries the password as-is inside the TLS tunnel; validating
    # the server against ca_cert is what keeps it from a spoofed AP.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X AKM suite selector: both the requested and the
    # selected suite must report it.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # On top of the CA check, pin the server certificate's subject and SANs so
    # a different certificate from the same CA is not accepted either.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    # Right user, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong", **common)
    # Right password, but an identity the server does not allow for PAP.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based and unavailable in FIPS builds.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA here (PEM elsewhere) to cover both loader paths.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same SAN set as the PAP variant but listed in a different order: the
    # match must not depend on ordering.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                  expect_failure=True)
    # Right user, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong", **common)
    # Right password, but an identity the server does not allow for CHAP.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="ttls",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    # Pass 1: plain password plus a server-name suffix check.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password="password", domain_suffix_match="server.w1.fi",
                **tls_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # Pass 2: force EAP fragmentation of the TLS exchange.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password="password", fragment_size="200", **tls_cfg)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Pass 3: the credential given in NT-hash form ("hash:" prefix). For
    # MSCHAP the hash is password-equivalent, so it must be protected like
    # the password itself.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tls_cfg)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                  expect_failure=True)
    # Three rejection paths: wrong password, identity not allowed for
    # MSCHAP, and an identity the server does not know at all.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for station, identity, secret in cases:
        eap_connect(station, apdev[0], "TTLS", identity, password=secret,
                    **common)
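def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a DOMAIN\\user style identity, verifies the hostapd STA
    and EAPOL counters move on re-authentication, then reconnects with the
    credential given in NT-hash form.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: "\m" is an invalid escape in a Python 3 str literal
    # (SyntaxWarning). The runtime value is the same DOMAIN\mschapv2 user.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)

    addr = dev[0].p2p_interface_addr()
    sta_before = ap.get_sta(addr)
    eapol_before = ap.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = ap.get_sta(addr)
    eapol_after = ap.get_sta(addr, info="eapol")
    # A re-authentication must be visible in the authenticator's counters:
    # more EAPOL frames received, at least one EAP-Start while authenticated,
    # and one more backend success.
    if int(sta_after['dot1xAuthEapolFramesRx']) <= int(sta_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol_after['backendAuthSuccesses']) <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT-hash form of the credential; for MSCHAPv2 it is password-equivalent.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")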
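def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Each phase2 string is either an unknown method name, mixes auth= and
    autheap=, or lists several methods; EAP-TTLS must start (method=21) and
    then fail to initialize instead of connecting.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    bad_phase2 = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
                  "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
                  "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for phase2_cfg in bad_phase2:
        # Backslash escaped: "\m" is an invalid escape in a Python 3 str
        # literal; the runtime value is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=phase2_cfg,
                       wait_connect=False, scan_freq="2412")
        proposed = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if proposed is None or "method=21" not in proposed:
            raise Exception("EAP-TTLS not started")
        outcome = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                     "CTRL-EVENT-CONNECTED"], timeout=5)
        if outcome is None or "CTRL-EVENT-CONNECTED" in outcome:
            raise Exception("No EAP-TTLS failure reported for phase2=" + phase2_cfg)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()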
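def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Only the parent domain is given: "w1.fi" must accept server.w1.fi.
    # Backslash escaped: "\m" is an invalid escape in a Python 3 str literal;
    # the runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")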
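def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Full-name match with mixed case ("Server.w1.fi") against server.w1.fi:
    # the comparison is expected to be case-insensitive.
    # Backslash escaped: "\m" is an invalid escape in a Python 3 str literal;
    # the runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")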
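def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  expect_failure=True)
    # Right user, wrong password. Backslash escaped: "\m" is an invalid
    # escape in a Python 3 str literal; the runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    # Right password, but an identity the server does not allow for MSCHAPv2.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **common)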
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    tls_cfg = dict(anonymous_identity="ttls",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Non-ASCII password as a UTF-8 string on one station, and the matching
    # NT hash on another; both must authenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tls_cfg)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tls_cfg)
    # Invalid password_hex values (appear to be malformed UTF-8 byte sequences
    # and an over-length value): each must be rejected with an EAP failure.
    for bad_hex in ["80", "41c041e04141e041", 257*"41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=bad_hex,
                       wait_connect=False, scan_freq="2412", **tls_cfg)
        if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1) is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # autheap= selects an inner EAP method (GTC) rather than a plain
    # auth= protocol; GTC sends the password as a token inside the tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The server has no password on file for this user; the attempt must be
    # rejected rather than accepted with an empty secret.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    ap_params = int_eap_server_params()
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")

    # Allocation failure while the server initializes the inner method: the
    # client must see a clean EAP failure, not a hang.
    with alloc_fail(ap, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **tls_cfg)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the GTC request.
    with alloc_fail(ap, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **tls_cfg)
        # This would eventually time out, but we can stop after having reached
        # the allocation failure (GET_ALLOC_FAIL reports 0 pending failures).
        # Poll bound/interval are not visible in this rendering of the file;
        # they follow the sibling server-OOM tests.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Client-side allocation failures: first in the GTC init path, then in
    # message allocation during GTC processing.
    for fail_point in ["eap_gtc_init", "eap_msg_alloc;eap_gtc_process"]:
        with alloc_fail(dev[0], 1, fail_point):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-MD5 derives no keys on its own; here it only runs as the inner
    # method, so the TTLS tunnel provides the key material.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # No password on file for this user on the server side: must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    ap_params = int_eap_server_params()
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")

    # Allocation failure while the server initializes the inner method.
    with alloc_fail(ap, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                    **tls_cfg)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the MD5 challenge.
    with alloc_fail(ap, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       wait_connect=False, scan_freq="2412", **tls_cfg)
        # This would eventually time out, but we can stop after having reached
        # the allocation failure (GET_ALLOC_FAIL reports 0 pending failures).
        # Poll bound/interval are not visible in this rendering of the file;
        # they follow the sibling server-OOM tests.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="ttls",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tls_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tls_cfg)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # No password on file for this user on the server side: must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = int_eap_server_params()
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="ttls",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

    def start_connect(secret):
        """Kick off a TTLS/EAP-MSCHAPv2 attempt without waiting for the result."""
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user", password=secret,
                       wait_connect=False, scan_freq="2412", **tls_cfg)

    def wait_alloc_failure_hit():
        # This would eventually time out, but we can stop after having reached
        # the allocation failure (GET_ALLOC_FAIL reports 0 pending failures).
        # Poll bound/interval are not visible in this rendering of the file;
        # they follow the sibling server-OOM tests.
        for _ in range(20):
            time.sleep(0.1)
            if ap.request("GET_ALLOC_FAIL").startswith('0'):
                break

    # Allocation failure while the server initializes the inner method.
    with alloc_fail(ap, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                    expect_failure=True, **tls_cfg)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failures at each server-side message builder: the challenge,
    # the success request (correct password) and the failure request (wrong
    # password).
    with alloc_fail(ap, 1, "eap_mschapv2_build_challenge"):
        start_connect("password")
        wait_alloc_failure_hit()
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_mschapv2_build_success_req"):
        start_connect("password")
        wait_alloc_failure_hit()
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(ap, 1, "eap_mschapv2_build_failure_req"):
        start_connect("wrong")
        wait_alloc_failure_hit()
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-AKA tunnelled inside TTLS; the outer (anonymous) identity carries
    # a realm so the server routes the request to the TTLS handler.
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-AKA tunnelled inside PEAP; the outer identity's realm selects PEAP.
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 allows only authenticated (server-certificate
    # based) PAC provisioning, so ca_cert still gates the tunnel; the PAC is
    # kept in a named in-memory blob rather than on disk.
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_cfg = dict(anonymous_identity="peap",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **tls_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")

    # Same exchange with forced EAP fragmentation.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **tls_cfg)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT-hash form of the credential; for MSCHAPv2 it is password-equivalent
    # and must be protected like the password itself.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tls_cfg)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **tls_cfg)
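def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    # The inner identity carries a DOMAIN\ prefix (MSCHAPv2 user3 in the
    # test user database), then connectivity and re-authentication are
    # exercised.
    #
    # Fix: the literal was written "DOMAIN\user3".  In Python 2 that is the
    # intended 12-byte string, but "\u" is a unicode escape in Python 3 and
    # "\user3" is a SyntaxError there.  "\\" yields the identical value on
    # both interpreters.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")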
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    # Negative case: the inner MSCHAPv2 exchange must fail with a wrong
    # password; eap_connect(expect_failure=True) asserts the failure path.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    # PEAPv0 with the three crypto_binding settings from wpa_supplicant.conf:
    # 2 = required, 1 = optional, 0 = disabled.  Crypto binding ties the
    # inner method's key material to the outer TLS tunnel; the "required"
    # station additionally gets a data-path check and a re-authentication.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    # The server-side allocation in eap_mschapv2_getKey is made to fail, so
    # the server cannot derive the inner-method key needed for the binding
    # TLV.  With crypto_binding=2 (required) the peer must fail the
    # authentication rather than carry on without the binding, which is
    # what expect_failure=True checks.  local_error_report lets eap_connect
    # accept the failure being reported locally.
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # Walks through the PEAP phase1 knobs: peaplabel, peap_outer_success,
    # peapver (matched and mismatched against the server-side user entry),
    # and a batch of TLS option flags.  NOTE(review): this page rendering
    # dropped a few source lines; the `identity="user"` arguments of the two
    # raw connect() calls, the `if ev is None` guards, the closing
    # `scan_freq="2412")` of the first loop and the ("peap-ver1", "") list
    # entry below were restored from the surrounding pattern — confirm
    # against the repository copy.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    # peaplabel=1 with PEAPv0 is expected to be rejected by this server.
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP-Success is seen but no association completes.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peap_outer_success=0",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    for idx, outer_success in ((1, "peap_outer_success=1"),
                               (2, "peap_outer_success=2")):
        eap_connect(dev[idx], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1=outer_success,
                    phase2="auth=MSCHAPV2")

    # peapver=1 with peaplabel=1: EAP succeeds but the connection must not
    # complete within a second (the checks below encode exactly that).
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=1 peaplabel=1",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")

    # Anonymous identity selects the server-side PEAP version; these
    # combinations are expected to connect.
    matching = [("peap-ver0", ""),
                ("peap-ver1", ""),
                ("peap-ver0", "peapver=0"),
                ("peap-ver1", "peapver=1")]
    for anon, ph1 in matching:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    identity="user", anonymous_identity=anon,
                    password="password", phase1=ph1,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    scan_freq="2412")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Forcing the other PEAP version must end in EAP-Failure, not a
    # silent downgrade/upgrade.
    mismatching = [("peap-ver0", "peapver=1"),
                   ("peap-ver1", "peapver=0")]
    for anon, ph1 in mismatching:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                    identity="user", anonymous_identity=anon,
                    password="password", phase1=ph1,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    wait_connect=False, scan_freq="2412")
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("No EAP-Failure seen")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Exercise parsing of the TLS option flags.  tls_allow_md5=1 and
    # re-enabling TLS 1.0/1.1 are weakening options; this is a parser
    # coverage profile, not a recommended configuration.
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # EAP-TLS run as the inner method of PEAP.  The *2 parameters are the
    # phase-2 credentials: the client certificate and key are only presented
    # inside the tunnel, and the tunnelled TLS validates the server against
    # ca_cert2 separately from the outer ca_cert.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Baseline mutual-certificate EAP-TLS with an unencrypted PEM key,
    # followed by a re-authentication.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    # Same EAP-TLS exchange as test_ap_wpa2_eap_tls, but the private key is
    # an encrypted PKCS #8 file (PKCS #5 v2 / 3DES) unlocked with
    # private_key_passwd.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy key wrapping: PKCS #8 protected with PKCS #5 v1.5 PBE.  This
    # only checks that such a file can still be loaded and used; it is not
    # an endorsement of the (dated) wrapping scheme.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
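def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # The CA certificate, client certificate and (unencrypted) private key
    # are pushed into wpa_supplicant config blobs over the control interface
    # as hex, then referenced with blob:// URIs instead of file paths.
    # NOTE: str.encode("hex") is Python 2-only, in line with the rest of
    # this file.
    #
    # Fix: a failure to store the *userkey* blob was reported as
    # "Could not set cacert blob"; each failure now names its own blob.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for blob_name, path in blobs:
        pem = read_pem(path)
        res = dev[0].request("SET blob " + blob_name + " " + pem.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set " + blob_name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")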
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    # All three credential references point at a blob that was never set.
    # The expected outcome is a refusal to initialize EAP-TLS at all (the
    # "EAP: Failed to initialize EAP method" event) — fail-closed, rather
    # than proceeding without a trust root or client credential.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    absent = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=absent,
                   client_cert=absent,
                   private_key=absent,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    # include_tls_length=1 makes the peer send the TLS Message Length field
    # even when a message fits in a single EAP packet; the server must
    # accept that encoding.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
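def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # Three scenarios: (1) PKCS#12 bundle with the passphrase in the network
    # block; (2) no passphrase configured, so the supplicant must ask via
    # CTRL-REQ-PASSPHRASE and accept the CTRL-RSP answer; (3) bundles that
    # carry an extra certificate, to exercise chain handling.
    #
    # Fix: the control-request id was stored in a local named `id`, shadowing
    # the builtin; renamed to req_id.  NOTE(review): the `private_key=pkcs12`
    # argument of the loop's eap_connect() and the `if ev is None` guard were
    # missing from this page rendering and restored from context.
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # No private_key_passwd: the passphrase is supplied interactively.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # Event looks like "CTRL-REQ-PASSPHRASE-<id>:<text>"; pull out <id>.
    req_id = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    sta.wait_connected(timeout=10)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for bundle in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        eap_connect(sta, apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=bundle,
                    private_key_passwd="whatever")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()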
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    # CA cert and the PKCS#12 bundle are both loaded as config blobs; the
    # bundle is passed through private_key="blob://pkcs12" and unlocked with
    # private_key_passwd.  NOTE: .encode("hex") is Python 2-only.
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    ca_pem = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + ca_pem.encode("hex")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as bundle:
        p12 = bundle.read()
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12.encode("hex")):
        raise Exception("Could not set pkcs12 blob")

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
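def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # Two stations configure a CA (one via blob, one via file) that did not
    # issue the server certificate.  Each must: report a TLS certificate
    # error, end with EAP-Failure (never EAP-Success/CONNECTED), disconnect,
    # and temporarily disable the network block so it does not keep retrying
    # against an unverifiable server.
    #
    # Fixes: "DOMAIN\mschapv2 user" used the invalid escape "\m" (same value
    # today, but deprecated and slated to become a SyntaxError) — now
    # written with "\\"; the loop variable no longer rebinds the `dev`
    # parameter.  The `if ev is None` guards, dropped by this page
    # rendering, are restored.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    wrong_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + wrong_ca.encode("hex")):
        raise Exception("Could not set cacert blob")

    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                 password="password", phase2="auth=MSCHAPV2",
                 wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **creds)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **creds)

    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The certificate error must come before any success/connect event.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")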
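def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # First connect with the correct CA, then add a second network block for
    # the same SSID that trusts a CA which did not issue the server cert.
    # Selecting the second block must start EAP-TTLS afresh (proposed method
    # 21) and the association must be torn down with reason 23 (IEEE 802.1X
    # authentication failed): validation state from the first, trusted
    # profile must not carry over to the second.
    #
    # Fix: the network id was kept in a local named `id` (shadows the
    # builtin); renamed.  The `if ev is None` guard dropped by this page
    # rendering is restored.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP",
                 scan_freq="2412")

    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **creds)
    untrusted_id = sta.connect("test-wpa2-eap",
                               ca_cert="auth_serv/ca-incorrect.pem",
                               only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(untrusted_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")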
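def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first profile
    # sets no ca_cert at all — i.e. the server certificate is not validated
    # on that first connection (an insecure configuration, used here only as
    # the starting state).  The second profile trusts a non-issuing CA and
    # must be rejected: EAP-TTLS restarts (method 21) and the link drops with
    # reason 23 (IEEE 802.1X authentication failed).
    #
    # Fix: local `id` renamed to avoid shadowing the builtin; the
    # `if ev is None` guard dropped by this page rendering is restored.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP",
                 scan_freq="2412")

    sta.connect("test-wpa2-eap", wait_connect=True, **creds)
    untrusted_id = sta.connect("test-wpa2-eap",
                               ca_cert="auth_serv/ca-incorrect.pem",
                               only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(untrusted_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")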
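def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Same network block throughout: connect with the correct CA, disconnect,
    # then swap ca_cert in place for a non-issuing CA and reselect.  The
    # in-place change must take effect — EAP-TTLS restarts (method 21) and
    # the link is dropped with reason 23 (IEEE 802.1X authentication failed)
    # rather than reusing the earlier successful validation.
    #
    # Fix: local `id` renamed to avoid shadowing the builtin; the
    # `if ev is None` guard dropped by this page rendering is restored.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")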
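def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The CA is correct but domain_suffix_match names a domain the server
    # certificate does not carry.  A matching CA alone must not be enough:
    # the peer has to report a TLS certificate error mentioning the suffix
    # mismatch, end in EAP-Failure, disconnect, and temp-disable the block.
    #
    # Fix: the identity literal used the invalid escape "\m" (same value,
    # but deprecated) — now "\\".  The `if ev is None` guards dropped by this
    # page rendering are restored.
    check_domain_suffix_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")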
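def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # domain_match requires a full (not suffix) match of the server's name;
    # "w1.fi" does not match the test server certificate, so the sequence
    # must be: TLS cert error carrying "Domain mismatch", EAP-Failure,
    # disconnect, network block temporarily disabled.
    #
    # Fix: the identity literal used the invalid escape "\m" (same value,
    # but deprecated) — now "\\".  The `if ev is None` guards dropped by this
    # page rendering are restored.
    check_domain_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")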
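def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match names a subject DN the server certificate does not have.
    # Two acceptable outcomes: with OpenSSL the handshake runs and must end
    # in a "Subject mismatch" certificate error + EAP-Failure + disconnect +
    # temp-disable; with a TLS library that cannot enforce subject_match the
    # supplicant must refuse to initialize the method at all (fail-closed)
    # instead of silently ignoring the constraint.
    #
    # Fix: the identity literal used the invalid escape "\m" (same value,
    # but deprecated) — now "\\".  NOTE(review): the `return` after the
    # "not supported" log line and the `if ev is None` guards were missing
    # from this page rendering and are restored from context.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only acceptable when the TLS library genuinely lacks the feature.
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")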
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Runs the altsubject mismatch scenario once per pattern.  NOTE(review):
    # this page rendering cut the list short — the closing `]` and any
    # further patterns (plus the `for` line) are not visible; the two
    # patterns below are the ones the page shows.  Restore the full list
    # from the repository copy.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    patterns = ["incorrect.example.com",
                "DNS:incorrect.example.com"]
    for pattern in patterns:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, pattern)
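def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Connect with altsubject_match=`match` and require it to be rejected."""
    # With OpenSSL: TLS certificate error containing "AltSubject mismatch",
    # then EAP-Failure, disconnect and temp-disable of the block.  With a
    # TLS library that cannot enforce altsubject_match the method must fail
    # to initialize (fail-closed) — that path is accepted and returns early.
    #
    # Fix: the identity literal used the invalid escape "\m" (same value,
    # but deprecated) — now "\\".  NOTE(review): the `return` after the
    # "not supported" log line and the `if ev is None` guards were missing
    # from this page rendering and are restored from context.  On that early
    # return the network block is left in place (the final REMOVE_NETWORK is
    # skipped), so the caller's next iteration adds a second block —
    # harmless as long as every iteration takes the same path, but worth
    # knowing when reading the event log.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")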
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS: the station validates the server against ca_cert but
    # presents no client credential of its own (no client_cert/private_key
    # here), so only the server side is authenticated.  Re-auth is checked.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
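def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Certificate pinning by hash instead of a CA:
    #  1. ca_cert="probe://" reports the server certificate's SHA-256 in the
    #     CTRL-EVENT-EAP-PEER-CERT event and then deliberately aborts with a
    #     "Server certificate chain probe" error — it never authenticates.
    #  2. A hash://server/sha256/ pin that does not match must fail with
    #     "Server certificate mismatch".
    #  3. The correct pin connects.
    # Operational caveat: a hash learnt by probing is only as trustworthy as
    # the path it was learnt on — probing in range of a rogue AP pins the
    # rogue's certificate.
    #
    # Fix: the identity literals used the invalid escape "\m" (same value,
    # but deprecated) — now "\\".  The `if ev is None` guards dropped by this
    # page rendering are restored.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    wrong_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    # 1. probe
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # 2. wrong pin
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/" + wrong_hash,
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # 3. correct pin
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")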
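def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Malformed hash:// pins must be rejected at method initialization,
    # never treated as "no pin": an MD5 pin (weak digest), a SHA-256 hex
    # string two characters short, and one containing a non-hex character
    # ('Q').  All three stations must see the TTLS init failure event.
    #
    # Fix: the identity literal used the invalid escape "\m" (same value,
    # but deprecated) — now "\\"; the index loop is replaced by iterating the
    # stations directly.  The `if ev is None` guards dropped by this page
    # rendering are restored.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    stations = (dev[0], dev[1], dev[2])
    for sta, pin in zip(stations, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")

    for sta in stations:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")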
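def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # NOTE(review): original lines 2343 and 2352 (one further keyword
    # argument in each of the two long-identity eap_connect calls) are absent
    # from this rendering; those calls are closed after the visible
    # arguments and carry a [gap] comment - verify against the repository.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Long NAI (over 100 characters) to exercise identity handling.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # [gap] line 2343 (a further keyword argument) is not on the page
                )

    logger.info("Negative test with incorrect password")
    # '-' instead of ' ' in the password; the method must fail and the
    # station is expected to report the error locally.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # [gap] line 2352 (a further keyword argument) is not on the page
                )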
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Pre-hashed credential, passed through password_hex with the "hash:"
    # prefix instead of the plaintext password.
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # The "pwd-hash" account accepts both the plaintext and the hashed form.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # The same hashed credential presented for "pwd user" must be rejected.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
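def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # NOTE(review): original lines 2378, 2382, 2388, 2392, 2395 and 2396 are
    # absent from this rendering. The loop header, the try/except around
    # each connection attempt and the continue/raise at the end of the
    # handler are [restored] from the visible control flow; line 2392 is a
    # [gap] - verify against the repository.
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    # Brainpool groups (27-30) are only tried when OpenSSL 1.0.2 is used
    # both at build time and at run time.
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    for i in groups:  # [restored]
        logger.info("Group %d" % i)
        # The AP is re-added for every group with pwd_group set accordingly.
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        try:  # [restored]
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:  # [restored; written as "except Exception" rather than a bare except]
            # A failure with group 25 under BoringSSL is tolerated; every
            # other failure propagates.
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                # [gap] line 2392 is not on the page
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue  # [restored]
            raise  # [restored]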
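def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # NOTE(review): original line 2410 is absent from this rendering; the
    # "if ev is None" guard is [restored] from the raise that follows it.
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # The server is deliberately configured with an invalid group so that
    # the EAP-pwd exchange cannot succeed.
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout: wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # [restored]
        raise Exception("Timeout on EAP failure report")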
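def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is written out explicitly so that fragment_size
    # can be set on the server side. (The original also called
    # hostapd.wpa2_eap_params() first and immediately overwrote the result;
    # that dead assignment has been dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               # A very small fragment size so that the server has to
               # fragment its EAP-pwd messages.
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")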
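def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # NOTE(review): original lines 2436 and 2443 are absent from this
    # rendering; the two "if ev is None" guards are [restored] from the raise
    # statements that follow them. The local "id" is renamed to net_id so it
    # no longer shadows the builtin.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Pin each cipher suite in turn through phase1; after the network
    # parameter changes a new EAP exchange must succeed and the station
    # must reconnect.
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:  # [restored]
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is an unsupported selection, so negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # [restored]
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Differs from the valid password only in its first two characters.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)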
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # 64 hex digits (32 bytes) of pre-shared key material.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # The same key with its first byte altered; authentication must fail.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
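def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # NOTE(review): original lines 2480 and 2487 are absent from this
    # rendering; the two "if ev is None" guards are [restored] from the raise
    # statements that follow them. The local "id" is renamed to net_id so it
    # no longer shadows the builtin.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins the DH group, encryption, PRF and MAC
    # selections; after the change the station must re-authenticate and
    # reconnect successfully.
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:  # [restored]
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Unsupported values for every algorithm: negotiation is expected to fail.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # [restored]
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)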
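def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    # NOTE(review): original lines 2501-2502, 2504, 2509, 2512, 2515 and
    # 2521-2523 are absent from this rendering. The success/fail counters
    # (reported by the final log line), the per-station loops, the
    # "if ev is None" guard and the continue/counter updates are [restored]
    # from the visible statements; line 2521 is a [gap]. Whether the connect
    # and wait phases were one loop or two cannot be told from the page.
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # 'params' is reused for the AP configuration once the framework's own
    # params dict has been consulted above.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    success = 0  # [restored]
    fail = 0  # [restored]
    for i in range(100):
        for j in range(3):  # [restored; three stations, as elsewhere in this file]
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
        for j in range(3):  # [restored]
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            if ev is None:  # [restored]
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                fail += 1  # [restored]
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                # [gap] line 2521 is not on the page (from the comment above,
                # presumably a delay before the next attempt)
                continue  # [restored]
            success += 1  # [restored]
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    # Informational only: a failed attempt does not fail the test case.
    logger.info("Total success=%d failure=%d" % (success, fail))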
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server whose server_id is in NAI (user@realm) form.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
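def _wait_server_alloc_fail(hapd, iterations=20, delay=0.1):
    """Poll hapd's GET_ALLOC_FAIL until the pending allocation failure fires.

    [restored] Stands in for the polling loops at original lines 2572-2575
    and 2587-2590, of which only the GET_ALLOC_FAIL check is visible; the
    iteration count and delay are constructed placeholders. Returns quietly
    if the failure never fires - the enclosing alloc_fail() context is what
    reports that.
    """
    import time
    for _ in range(iterations):
        # A reply starting with '0' is taken to mean no failure is pending
        # any more (the same check the original made).
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            return
        time.sleep(delay)


def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # NOTE(review): original lines 2572-2573, 2575, 2579, 2587-2588, 2590,
    # 2594 and 2597-2598 are absent from this rendering. The GET_ALLOC_FAIL
    # polling loops (see _wait_server_alloc_fail), the try: that the visible
    # except belongs to, and the break/re-raise at the end are [restored]
    # from the visible control flow; the minimum-count threshold is a
    # constructed placeholder. Two further changes: the Python 2-only
    # `except Exception, e:` is written as `except Exception as e:`, and the
    # last loop no longer relies on the `pw` variable leaking out of the
    # previous for-loop (its value there was "hello", the last tuple's).
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # First pass: fail the count'th allocation in each server-side EAP-EKE
    # message builder/parser; the station must observe the exchange fail.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Second pass: failures in server paths where the station does not
    # necessarily get a clean EAP failure, so the server's GET_ALLOC_FAIL
    # counter is polled instead of waiting for a station event.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            _wait_server_alloc_fail(hapd)
            dev[0].request("REMOVE_NETWORK all")

    # Third pass: raise the failing allocation index through
    # eap_server_sm_step until alloc_fail reports that the index exceeded
    # the number of allocations actually made on that path.
    for count in range(1, 1000):
        try:  # [restored]
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password="hello",
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                _wait_server_alloc_fail(hapd)
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                # [gap] line 2594: the threshold below which the walk is
                # considered to have ended too early is not on the page;
                # 10 is a constructed placeholder.
                if count < 10:
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break  # [restored]
            raise  # [restored]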
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    # Same exchange with fragment_size set as a station network parameter
    # (the AP-side variant is test_ap_wpa2_eap_ikev2_as_frag).
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
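def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is written out explicitly so that fragment_size
    # can be set on the server side. (The original also called
    # hostapd.wpa2_eap_params() first and immediately overwrote the result;
    # that dead assignment has been dropped.)
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")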
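def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # NOTE(review): original lines 2637, 2645, 2647, 2649-2650, 2660, 2662
    # and 2664-2665 are absent from this rendering. The "if ev is None"
    # guards are [restored]; line 2637 (one more entry of the first test
    # list) is a [gap]; the two partly visible polling loops around
    # GET_ALLOC_FAIL / GET_FAIL are replaced by wait_fail_trigger(), the
    # shared helper that test_ap_wpa2_eap_psk_oom uses for the same purpose.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failures in the Diffie-Hellman helpers.
    tests = [ (1, "dh_init"),
              # [gap] line 2637 (one more (count, func) entry) is not on the page
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:  # [restored]
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")

    # Forced (non-allocation) failure of the random number source as
    # called from dh_init.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:  # [restored]
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")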
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # 16-byte key given as 32 hex digits.
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key altered; authentication must fail.
    bad_key = "ff23456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM with management frame protection required
    # (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the IEEE 802.1X (SHA-256) AKM suite selector.
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = sta.get_bss(apdev[0]['bssid'])
    if '<br>flags' not in bss and 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the key altered; authentication must fail.
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
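def _start_eap_psk(sta):
    """Begin an EAP-PSK association on sta without waiting for the outcome.

    Shared by the three failure-injection loops in test_ap_wpa2_eap_psk_oom,
    which all use this exact network configuration.
    """
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                identity="psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef",
                wait_connect=False, scan_freq="2412")


def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # NOTE(review): original lines 2720, 2743 and 2756 are absent from this
    # rendering; the three "if ev is None" guards are [restored] from the
    # raise statements that follow them. The connect() call that was
    # repeated three times is factored into _start_eap_psk().
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failures inside the AES-EAX primitives. The function specs
    # (including the leading '=') are taken as-is from the original.
    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            _start_eap_psk(dev[0])
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:  # [restored]
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Forced (non-allocation) failures in the crypto helpers that EAX
    # encryption/decryption calls; the "a;b" form apparently names a callee
    # and the caller it must be reached from.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            _start_eap_psk(dev[0])
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:  # [restored]
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A failure in the block cipher itself must surface as an EAP failure
    # rather than only as a triggered fault.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        _start_eap_psk(dev[0])
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:  # [restored]
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()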
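def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # NOTE(review): original line 2769 (the last argument of the connect()
    # call) is absent from this rendering; scan_freq="2412" is [restored]
    # by analogy with the other connect() calls in this file - verify
    # against the repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (version 1) rather than WPA2: wpa_eap_params and the 00-50-f2-1
    # (WPA/802.1X) AKM suite checked below.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")  # [restored]
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The EAP Session-Id begins with the method type octet; 0x19 is EAP
    # type 25 (PEAP).
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])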
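def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # NOTE(review): original lines 2794, 2807, 2812, 2814 and 2819 are absent
    # from this rendering. The tail of the first test tuple (every tuple has
    # seven fields), the "if req_id" guard around the identity prompt and
    # the two "if ev is None" guards are [restored] from the visible
    # structure; line 2807 is a [gap]. The locals "id" and "type" are renamed
    # so they no longer shadow builtins.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on CTRL-REQ-IDENTITY or None if not expected,
    #  password to supply on CTRL-REQ-PASSWORD / CTRL-REQ-OTP)
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),  # [restored]
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # [gap] line 2807 is not on the page (desc is otherwise unused here,
        # so presumably a log line)
        # The password, and possibly the identity, are left out of the
        # network block so that wpa_supplicant has to request them.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        if req_id:  # [restored]
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:  # [restored]
                raise Exception("Request for identity timed out")
            # The request id is the trailing numeric field of
            # "CTRL-REQ-<TYPE>-<id>:..." and must be echoed in the reply.
            req_idx = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_idx + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:  # [restored]
            raise Exception("Request for password timed out")
        req_idx = ev.split(':')[0].split('-')[-1]
        # The reply must use the same field name as the request.
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + req_idx + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")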
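def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    # NOTE(review): original lines 2844 and 2853 are absent from this
    # rendering; the "if ev is None" / "if ev is not None" guards are
    # [restored] from the raise statements that follow them. The local "id"
    # is renamed to req_idx so it no longer shadows the builtin.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second, open network that is only added (not selected); enabling it
    # later must not disturb the established EAP connection.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\mschapv2 user"
    # identity=None makes wpa_supplicant ask for it via CTRL-REQ-IDENTITY.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:  # [restored]
        raise Exception("Request for identity timed out")
    # The request id is the trailing numeric field of
    # "CTRL-REQ-IDENTITY-<id>:..." and must be echoed in the reply.
    req_idx = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_idx + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Success here is the absence of any new authentication attempt within
    # the short wait.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:  # [restored]
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")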
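def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # NOTE(review): original lines 2864-2865 (the remaining argument(s) of
    # the second eap_connect call) are absent from this rendering; that call
    # is closed after the visible arguments and marked as a [gap] - verify
    # against the repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                # [gap] lines 2864-2865 are not on the page
                )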
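def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    # NOTE(review): original lines 2874, 2877 and 2879 are absent from this
    # rendering. The loop header is [restored] (func is used in the body);
    # the two missing keyword arguments of connect() are [restored] as
    # scan_freq="2412" / wait_connect=False by analogy with the other OOM
    # tests in this file - verify against the repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Fail the first allocation in each of the vendor-test method's entry
    # points (init, message processing, key export).
    tests = [ "eap_vendor_test_init",
              "eap_msg_alloc;eap_vendor_test_process",
              "eap_vendor_test_getKey" ]
    for func in tests:  # [restored]
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",  # [restored]
                           eap="VENDOR-TEST", identity="vendor-test",
                           wait_connect=False)  # [restored]
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()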
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1 selects unauthenticated provisioning; the PAC it
    # yields is stored in a wpa_supplicant blob.
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    # A second authentication must resume from the PAC rather than run a
    # full TLS handshake.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
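def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    # NOTE(review): original lines 2905-2906, 2912, 2921-2922, 2927,
    # 2933-2939 and 2941-2943 are absent from this rendering. The read of
    # the PAC file (data is checked right afterwards) and the pac_file=
    # argument closing each of the three remaining eap_connect calls are
    # [restored]; the other lines are [gap]s, so this reconstruction is not
    # complete - verify against the repository.
    check_eap_capa(dev[0], "FAST")
    # Two PAC files under the test log directory: one in the default text
    # format and one in binary format.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # [gap] lines 2905-2906 are not on the page

    # Unauthenticated provisioning writes a PAC into pac_file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        data = f.read()  # [restored]
    # Only the presence of the header and of a PAC-Key line is checked,
    # never the key value itself.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect using the provisioned PAC (no provisioning in phase1).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file=pac_file)  # [restored]

    # The same sequence with the binary PAC format on the second station.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file=pac_file2)  # [restored]
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
                pac_file=pac_file2)  # [restored]
    # [gap] lines 2933-2939 are not on the page
    os.remove(pac_file2)
    # [gap] lines 2941-2943 are not on the page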
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Unauthenticated provisioning into a binary-format PAC blob, with the
    # PAC list capped at a single entry.
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    # The re-authentication must resume from the stored PAC.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
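def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # NOTE(review): original lines 2971 and 2981 are absent from this
    # rendering; the two "if ev is None" guards are [restored] from the raise
    # statements that follow them.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # No fast_provisioning in phase1 and a PAC blob name that has not been
    # provisioned: EAP-FAST has no PAC to present and is expected to fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    # No explicit timeout: wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # [restored]
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same again with no pac_file parameter at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:  # [restored]
        raise Exception("Timeout on EAP failure report")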
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated provisioning (server
    # certificate checked against ca_cert); inner method is EAP-GTC.
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)
    # The re-authentication must resume from the provisioned PAC.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
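def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    # NOTE(review): original lines 3011 and 3014 are absent from this
    # rendering; the two "if ev is None" guards are [restored] from the raise
    # statements that follow them. The local "id" is renamed to net_id so it
    # no longer shadows the builtin.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                         phase1="fast_provisioning=2",
                         pac_file="blob://fast_pac_auth")
    # Changing the identity on the live network triggers a reconnection;
    # the test expects EAP-FAST to start and then fail for the new identity
    # (presumably because the PAC was provisioned for "user").
    dev[0].set_network_quoted(net_id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:  # [restored]
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:  # [restored]
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()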
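def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    # NOTE(review): original lines 3024, 3027-3028, 3036 and 3041 are absent
    # from this rendering. The per-library allocation-failure count
    # (consumed by alloc_fail below) is [restored] with constructed
    # placeholder values; the else: branch and the "if ev is None" guard are
    # [restored] from the visible statements; line 3036 is [restored] as
    # phase2="auth=GTC" by analogy with the other fast_provisioning=2 tests
    # in this file - verify all of these against the repository.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # The TLS PRF is reached through a library-specific wrapper, so the
    # function to fail depends on which TLS library the build uses.
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
        count = 1  # [restored; constructed placeholder value]
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        count = 1  # [restored; constructed placeholder value]
    else:  # [restored]
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase2="auth=GTC",  # [restored]
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # An allocation failure inside the PRF must surface as an EAP
        # failure on the station.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:  # [restored]
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")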
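def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    # NOTE(review): original lines 3064 and 3070 are absent from this
    # rendering; the "if ev is None" guard is [restored] from the raise that
    # follows it and line 3070 (the function's last statement, after
    # select_network) is a [gap]. The local "id" is renamed to net_id so it
    # no longer shadows the builtin.
    check_eap_capa(dev[0], "FAST")

    # Integrated EAP server with the extra EAP-FAST settings it needs: a DH
    # parameter file, the key used to protect PAC-Opaque, and the authority
    # identity (A-ID) with its descriptive text.
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Fail the first allocation in the server's session-ticket extension
    # callback; provisioning must then fail cleanly on the station.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        net_id = eap_connect(dev[0], apdev[0], "FAST", "user",
                             anonymous_identity="FAST", password="password",
                             ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                             phase1="fast_provisioning=1",
                             pac_file="blob://fast_pac",
                             expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:  # [restored]
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # Retry the same network now that the server allocates normally again.
    dev[0].select_network(net_id, freq="2412")
    # [gap] line 3070 is not on the page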
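def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    # NOTE(review): original lines 3094-3096 (three more cipher-suite names
    # in the test list) and 3107 are absent from this rendering. The
    # "if res != cipher" guard is [restored] from the raise that follows it
    # (the message reports the configured cipher against the negotiated
    # one); the missing list entries are a [gap] - verify against the
    # repository.
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # openssl_ciphers and the cipher names below are OpenSSL-specific.
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Start from an empty PAC blob (note the trailing space after the blob
    # name) so that the first connection has to provision.
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # The provisioning handshake is expected to use this particular suite.
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    tests = [ "DHE-RSA-AES128-SHA",
              # [gap] lines 3094-3096 (three more cipher suites) are not on the page
              "DHE-RSA-AES256-SHA" ]
    for cipher in tests:
        # Subsequent connections reuse the provisioned PAC, each with the
        # station restricted to a single cipher suite.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    openssl_ciphers=cipher,
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    pac_file="blob://fast_pac_ciphers")
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        if res != cipher:  # [restored]
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))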
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """EAP-TLS with OCSP stapling required (ocsp=2) against the default test AP.

    Skips unless the supplicant build supports OCSP and PKCS#12 client
    credentials.  The client identity is "tls user" authenticated with the
    PKCS#12 bundle under auth_serv/; the connection must complete.
    """
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever",
                      ocsp=2)
    eap_connect(sta, apdev[0], "TLS", "tls user", **client_cfg)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """EAP-TLS with ocsp=2 on a build that supports multi-response OCSP stapling.

    Same flow as test_ap_wpa2_eap_tls_ocsp, but gated on
    check_ocsp_multi_support() instead of plain OCSP support.  The
    connection must complete.
    """
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever",
                      ocsp=2)
    eap_connect(sta, apdev[0], "TLS", "tls user", **client_cfg)
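def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the integrated EAP server.

    The dict selects WPA2/CCMP with WPA-EAP key management and IEEE 802.1X,
    enables hostapd's built-in EAP server, and points it at the test CA,
    server certificate/key, user database and DH parameters under auth_serv/.
    A fresh dict is returned on every call so callers can modify it freely
    (swap the server certificate, add an OCSP stapling response, ...).

    As listed, the function built the dict but never returned it, which is
    incompatible with every caller (``params = int_eap_server_params()``
    followed by item assignment); the return is restored here.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
        "dh_file": "auth_serv/dh.conf",
    }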
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS with a stapled OCSP response whose signer is identified by key ID.

    The response file is expected in params['logdir'] (produced by the test
    run setup); the test is skipped when it is absent.  With ocsp=2 the
    client must accept the stapled response and complete the connection.
    """
    check_ocsp_support(dev[0])
    ocsp_file = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp_file):
        raise HwsimSkip("No OCSP response available")

    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_file
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user", ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever", ocsp=2,
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS with a CA-signed stapled OCSP response reporting status 'good'.

    The response file is expected in params['logdir']; the test is skipped
    when it is absent.  With ocsp=2 the client must accept the response and
    complete the connection.
    """
    check_ocsp_support(dev[0])
    ocsp_file = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp_file):
        raise HwsimSkip("No OCSP response available")

    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_file
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user", ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever", ocsp=2,
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
3171 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3172 """EAP-TLS and CA signed OCSP response (revoked)"""
3173 check_ocsp_support(dev
[0])
3174 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3175 if not os
.path
.exists(ocsp
):
3176 raise HwsimSkip("No OCSP response available")
3177 params
= int_eap_server_params()
3178 params
["ocsp_stapling_response"] = ocsp
3179 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3180 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3181 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3182 private_key
="auth_serv/user.pkcs12",
3183 private_key_passwd
="whatever", ocsp
=2,
3184 wait_connect
=False, scan_freq
="2412")
3187 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3189 raise Exception("Timeout on EAP status")
3190 if 'bad certificate status response' in ev
:
3192 if 'certificate revoked' in ev
:
3196 raise Exception("Unexpected number of EAP status messages")
3198 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3200 raise Exception("Timeout on EAP failure report")
3202 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3203 """EAP-TLS and CA signed OCSP response (unknown)"""
3204 check_ocsp_support(dev
[0])
3205 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3206 if not os
.path
.exists(ocsp
):
3207 raise HwsimSkip("No OCSP response available")
3208 params
= int_eap_server_params()
3209 params
["ocsp_stapling_response"] = ocsp
3210 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3211 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3212 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3213 private_key
="auth_serv/user.pkcs12",
3214 private_key_passwd
="whatever", ocsp
=2,
3215 wait_connect
=False, scan_freq
="2412")
3218 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3220 raise Exception("Timeout on EAP status")
3221 if 'bad certificate status response' in ev
:
3225 raise Exception("Unexpected number of EAP status messages")
3227 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3229 raise Exception("Timeout on EAP failure report")
3231 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3232 """EAP-TLS and server signed OCSP response"""
3233 check_ocsp_support(dev
[0])
3234 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3235 if not os
.path
.exists(ocsp
):
3236 raise HwsimSkip("No OCSP response available")
3237 params
= int_eap_server_params()
3238 params
["ocsp_stapling_response"] = ocsp
3239 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3240 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3241 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3242 private_key
="auth_serv/user.pkcs12",
3243 private_key_passwd
="whatever", ocsp
=2,
3244 wait_connect
=False, scan_freq
="2412")
3247 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3249 raise Exception("Timeout on EAP status")
3250 if 'bad certificate status response' in ev
:
3254 raise Exception("Unexpected number of EAP status messages")
3256 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3258 raise Exception("Timeout on EAP failure report")
3260 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
3261 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3262 check_ocsp_support(dev
[0])
3263 params
= int_eap_server_params()
3264 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3265 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3266 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3267 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3268 private_key
="auth_serv/user.pkcs12",
3269 private_key_passwd
="whatever", ocsp
=2,
3270 wait_connect
=False, scan_freq
="2412")
3273 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3275 raise Exception("Timeout on EAP status")
3276 if 'bad certificate status response' in ev
:
3280 raise Exception("Unexpected number of EAP status messages")
3282 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3284 raise Exception("Timeout on EAP failure report")
3286 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
3287 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3288 check_ocsp_support(dev
[0])
3289 params
= int_eap_server_params()
3290 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3291 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3292 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3293 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3294 private_key
="auth_serv/user.pkcs12",
3295 private_key_passwd
="whatever", ocsp
=2,
3296 wait_connect
=False, scan_freq
="2412")
3299 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3301 raise Exception("Timeout on EAP status")
3302 if 'bad certificate status response' in ev
:
3306 raise Exception("Unexpected number of EAP status messages")
3308 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3310 raise Exception("Timeout on EAP failure report")
3312 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
3313 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3314 check_ocsp_support(dev
[0])
3315 params
= int_eap_server_params()
3316 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3317 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3318 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3319 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3320 private_key
="auth_serv/user.pkcs12",
3321 private_key_passwd
="whatever", ocsp
=2,
3322 wait_connect
=False, scan_freq
="2412")
3325 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3327 raise Exception("Timeout on EAP status")
3328 if 'bad certificate status response' in ev
:
3332 raise Exception("Unexpected number of EAP status messages")
3334 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3336 raise Exception("Timeout on EAP failure report")
3338 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
3339 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3340 check_ocsp_support(dev
[0])
3341 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
3342 if not os
.path
.exists(ocsp
):
3343 raise HwsimSkip("No OCSP response available")
3344 params
= int_eap_server_params()
3345 params
["ocsp_stapling_response"] = ocsp
3346 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3347 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3348 identity
="pap user", ca_cert
="auth_serv/ca.pem",
3349 anonymous_identity
="ttls", password
="password",
3350 phase2
="auth=PAP", ocsp
=2,
3351 wait_connect
=False, scan_freq
="2412")
3354 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3356 raise Exception("Timeout on EAP status")
3357 if 'bad certificate status response' in ev
:
3359 if 'certificate revoked' in ev
:
3363 raise Exception("Unexpected number of EAP status messages")
3365 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3367 raise Exception("Timeout on EAP failure report")
3369 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
3370 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3371 check_ocsp_support(dev
[0])
3372 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
3373 if not os
.path
.exists(ocsp
):
3374 raise HwsimSkip("No OCSP response available")
3375 params
= int_eap_server_params()
3376 params
["ocsp_stapling_response"] = ocsp
3377 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3378 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3379 identity
="pap user", ca_cert
="auth_serv/ca.pem",
3380 anonymous_identity
="ttls", password
="password",
3381 phase2
="auth=PAP", ocsp
=2,
3382 wait_connect
=False, scan_freq
="2412")
3385 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3387 raise Exception("Timeout on EAP status")
3388 if 'bad certificate status response' in ev
:
3392 raise Exception("Unexpected number of EAP status messages")
3394 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3396 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """EAP-TTLS/PAP with an OCSP 'unknown' status while stapling is only optional (ocsp=1).

    The AP staples a cached response with certificate status 'unknown'
    (ocsp-server-cache-unknown.der from params['logdir']; skipped when
    absent).  With ocsp=1 the connection still completes -- the ocsp=2
    variant of this scenario elsewhere in this file is the one that must end
    in EAP failure.
    """
    ocsp_file = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_file):
        raise HwsimSkip("No OCSP response available")

    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_file
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", ca_cert="auth_serv/ca.pem",
                      anonymous_identity="ttls", password="password",
                      phase2="auth=PAP", ocsp=1, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS where both the server and the user certificate chain through an intermediate CA.

    The AP presents auth_serv/iCA-server/server.pem with its intermediate
    plus root in ca_cert; the client authenticates with the iCA-user
    certificate and trusts iCA-user/ca-and-root.pem.  The connection must
    complete.
    """
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user",
                      ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                      client_cert="auth_serv/iCA-user/user.pem",
                      private_key="auth_serv/iCA-user/user.key",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
3425 def root_ocsp(cert
):
3426 ca
= "auth_serv/ca.pem"
3428 fd2
, fn2
= tempfile
.mkstemp()
3431 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-cert", cert
,
3432 "-no_nonce", "-sha256", "-text" ]
3433 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
3434 stderr
=subprocess
.PIPE
)
3435 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
3438 logger
.info("OCSP request:\n" + res
)
3440 fd
, fn
= tempfile
.mkstemp()
3442 arg
= [ "openssl", "ocsp", "-index", "rootCA/index.txt",
3443 "-rsigner", ca
, "-rkey", "auth_serv/caa-key.pem",
3444 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
3445 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
3447 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
3448 stderr
=subprocess
.PIPE
)
3449 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
3452 logger
.info("OCSP response:\n" + res
)
3457 prefix
= "auth_serv/iCA-server/"
3458 ca
= prefix
+ "cacert.pem"
3459 cert
= prefix
+ cert
3461 fd2
, fn2
= tempfile
.mkstemp()
3464 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-cert", cert
,
3465 "-no_nonce", "-sha256", "-text" ]
3466 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
3467 stderr
=subprocess
.PIPE
)
3468 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
3471 logger
.info("OCSP request:\n" + res
)
3473 fd
, fn
= tempfile
.mkstemp()
3475 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
3476 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
3477 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
3478 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
3480 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
3481 stderr
=subprocess
.PIPE
)
3482 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
3485 logger
.info("OCSP response:\n" + res
)
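def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate CAs on both sides and an OCSP response for the server certificate.

    ica_ocsp() generates a response for auth_serv/iCA-server/server.pem into
    a temporary file that hostapd staples; with ocsp=2 the client must
    validate it and complete the connection.  The temporary file is removed
    afterwards -- even when the connection attempt raises -- so repeated
    runs do not accumulate files in the temp directory.
    """
    ap_params = int_eap_server_params()
    ap_params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    ap_params["server_cert"] = "auth_serv/iCA-server/server.pem"
    ap_params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    ap_params["ocsp_stapling_response"] = fn
    try:
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert="auth_serv/iCA-user/user.pem",
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=2)
    finally:
        # ica_ocsp() hands back a tempfile.mkstemp() path; clean it up.
        os.remove(fn)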
3508 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
3509 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
3510 params
= int_eap_server_params()
3511 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3512 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
3513 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
3514 fn
= ica_ocsp("server-revoked.pem")
3515 params
["ocsp_stapling_response"] = fn
3517 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3518 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3519 identity
="tls user",
3520 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
3521 client_cert
="auth_serv/iCA-user/user.pem",
3522 private_key
="auth_serv/iCA-user/user.key",
3523 scan_freq
="2412", ocsp
=1, wait_connect
=False)
3526 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3527 "CTRL-EVENT-EAP-SUCCESS"])
3529 raise Exception("Timeout on EAP status")
3530 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
3531 raise Exception("Unexpected EAP-Success")
3532 if 'bad certificate status response' in ev
:
3534 if 'certificate revoked' in ev
:
3538 raise Exception("Unexpected number of EAP status messages")
3540 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3542 raise Exception("Timeout on EAP failure report")
3543 dev
[0].request("REMOVE_NETWORK all")
3544 dev
[0].wait_disconnected()
3548 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
3549 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
3550 check_ocsp_support(dev
[0])
3551 check_ocsp_multi_support(dev
[0])
3553 params
= int_eap_server_params()
3554 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3555 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
3556 params
["private_key"] = "auth_serv/iCA-server/server.key"
3557 fn
= ica_ocsp("server.pem")
3558 params
["ocsp_stapling_response"] = fn
3560 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3561 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3562 identity
="tls user",
3563 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
3564 client_cert
="auth_serv/iCA-user/user.pem",
3565 private_key
="auth_serv/iCA-user/user.key",
3566 scan_freq
="2412", ocsp
=3, wait_connect
=False)
3569 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3570 "CTRL-EVENT-EAP-SUCCESS"])
3572 raise Exception("Timeout on EAP status")
3573 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
3574 raise Exception("Unexpected EAP-Success")
3575 if 'bad certificate status response' in ev
:
3577 if 'certificate revoked' in ev
:
3581 raise Exception("Unexpected number of EAP status messages")
3583 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3585 raise Exception("Timeout on EAP failure report")
3586 dev
[0].request("REMOVE_NETWORK all")
3587 dev
[0].wait_disconnected()
3591 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
3592 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
3593 check_ocsp_support(dev
[0])
3594 check_ocsp_multi_support(dev
[0])
3596 params
= int_eap_server_params()
3597 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3598 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
3599 params
["private_key"] = "auth_serv/iCA-server/server.key"
3600 fn
= ica_ocsp("server.pem")
3601 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
3602 params
["ocsp_stapling_response"] = fn
3604 with
open(fn
, "r") as f
:
3605 resp_server
= f
.read()
3606 with
open(fn2
, "r") as f
:
3609 fd3
, fn3
= tempfile
.mkstemp()
3611 f
= os
.fdopen(fd3
, 'w')
3612 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
3613 f
.write(resp_server
)
3614 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
3618 params
["ocsp_stapling_response_multi"] = fn3
3620 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3621 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3622 identity
="tls user",
3623 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
3624 client_cert
="auth_serv/iCA-user/user.pem",
3625 private_key
="auth_serv/iCA-user/user.key",
3626 scan_freq
="2412", ocsp
=3, wait_connect
=False)
3629 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3630 "CTRL-EVENT-EAP-SUCCESS"])
3632 raise Exception("Timeout on EAP status")
3633 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
3634 raise Exception("Unexpected EAP-Success")
3635 if 'bad certificate status response' in ev
:
3637 if 'certificate revoked' in ev
:
3641 raise Exception("Unexpected number of EAP status messages")
3643 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3645 raise Exception("Timeout on EAP failure report")
3646 dev
[0].request("REMOVE_NETWORK all")
3647 dev
[0].wait_disconnected()
3653 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
3654 """EAP-TLS and CA signed OCSP multi response (revoked)"""
3655 check_ocsp_support(dev
[0])
3656 check_ocsp_multi_support(dev
[0])
3658 ocsp_revoked
= os
.path
.join(params
['logdir'],
3659 "ocsp-resp-ca-signed-revoked.der")
3660 if not os
.path
.exists(ocsp_revoked
):
3661 raise HwsimSkip("No OCSP response (revoked) available")
3662 ocsp_unknown
= os
.path
.join(params
['logdir'],
3663 "ocsp-resp-ca-signed-unknown.der")
3664 if not os
.path
.exists(ocsp_unknown
):
3665 raise HwsimSkip("No OCSP response(unknown) available")
3667 with
open(ocsp_revoked
, "r") as f
:
3668 resp_revoked
= f
.read()
3669 with
open(ocsp_unknown
, "r") as f
:
3670 resp_unknown
= f
.read()
3672 fd
, fn
= tempfile
.mkstemp()
3674 # This is not really a valid order of the OCSPResponse items in the
3675 # list, but this works for now to verify parsing and processing of
3676 # multiple responses.
3677 f
= os
.fdopen(fd
, 'w')
3678 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
3679 f
.write(resp_unknown
)
3680 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
3681 f
.write(resp_revoked
)
3682 f
.write(struct
.pack(">L", 0)[1:4])
3683 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
3684 f
.write(resp_unknown
)
3687 params
= int_eap_server_params()
3688 params
["ocsp_stapling_response_multi"] = fn
3689 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3690 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3691 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3692 private_key
="auth_serv/user.pkcs12",
3693 private_key_passwd
="whatever", ocsp
=1,
3694 wait_connect
=False, scan_freq
="2412")
3697 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3698 "CTRL-EVENT-EAP-SUCCESS"])
3700 raise Exception("Timeout on EAP status")
3701 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
3702 raise Exception("Unexpected EAP-Success")
3703 if 'bad certificate status response' in ev
:
3705 if 'certificate revoked' in ev
:
3709 raise Exception("Unexpected number of EAP status messages")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """EAP-TLS with domain_suffix_match set to the complete CN of a SAN-less server certificate.

    server-no-dnsname.pem carries no dNSName, so the check has to be
    satisfied by the CN (server3.w1.fi).  Supplying the full name must
    connect.  Gated on check_domain_match_full(), i.e. run only with the
    TLS library for which that helper does not skip.
    """
    check_domain_match_full(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user", ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever",
                      domain_suffix_match="server3.w1.fi",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """EAP-TLS with domain_match (exact name) against the CN of a SAN-less server certificate.

    server-no-dnsname.pem carries no dNSName, so the exact-match check has
    to be satisfied by the CN (server3.w1.fi).  The connection must complete.
    """
    check_domain_match(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user", ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever",
                      domain_match="server3.w1.fi",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """EAP-TLS with a parent-domain domain_suffix_match against the CN of a SAN-less server certificate.

    The CN is server3.w1.fi and the configured suffix is "w1.fi", a
    label-aligned suffix of it; the connection (made from dev[1]) must
    complete.  Gated on check_domain_match_full().
    """
    check_domain_match_full(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                      identity="tls user", ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever",
                      domain_suffix_match="w1.fi",
                      scan_freq="2412")
    dev[1].connect("test-wpa2-eap", **client_cfg)
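def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """EAP-TLS must fail when domain_suffix_match does not match the CN of a SAN-less server certificate.

    The CN is server3.w1.fi.  dev[0] configures an unrelated domain
    (example.com); dev[1] configures "erver3.w1.fi", which is a plain string
    suffix of the CN but not a label-aligned one.  Both must end in EAP
    failure -- accepting the second would let any name that merely ends in
    the configured characters pass the check.
    """
    check_domain_suffix_match(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the trailing arguments of both connect() calls are
    # missing from the listing.  The EAP-FAILURE waits below require a
    # non-blocking connect, so wait_connect=False plus the usual
    # scan_freq="2412" is assumed -- confirm against upstream.
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)

    # Each raise is guarded on the wait result (wait_event is taken to
    # return None on timeout -- project helper, confirm).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")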
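def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """EAP-TLS must fail when domain_match does not exactly equal the CN of a SAN-less server certificate.

    The CN is server3.w1.fi.  dev[0] configures an unrelated domain
    (example.com); dev[1] configures "w1.fi", which is a valid suffix but
    not the full name that domain_match requires.  Both must end in EAP
    failure.
    """
    check_domain_match(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the trailing arguments of both connect() calls are
    # missing from the listing.  The EAP-FAILURE waits below require a
    # non-blocking connect, so wait_connect=False plus the usual
    # scan_freq="2412" is assumed -- confirm against upstream.
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  scan_freq="2412", wait_connect=False)
    dev[0].connect("test-wpa2-eap", domain_match="example.com", **common)
    dev[1].connect("test-wpa2-eap", domain_match="w1.fi", **common)

    # Each raise is guarded on the wait result (wait_event is taken to
    # return None on timeout -- project helper, confirm).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")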
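def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """EAP-TTLS/MSCHAP against an expired server certificate must fail with a certificate error.

    The AP presents auth_serv/server-expired.pem.  The client must report a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired", followed by an EAP failure.  Skipped under
    FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the trailing arguments of this connect() call are missing
    # from the listing.  The event waits below require a non-blocking
    # connect, so wait_connect=False plus the usual scan_freq="2412" is
    # assumed -- confirm against upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)

    # Each raise is guarded on the wait result (wait_event is taken to
    # return None on timeout -- project helper, confirm).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the human-readable text are checked so a
    # different certificate error is not mistaken for expiry.
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")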
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """EAP-TTLS/MSCHAP against an expired server certificate with validity checks disabled.

    phase1="tls_disable_time_checks=1" makes the client ignore the
    certificate's validity period, so the expired auth_serv/server-expired.pem
    is accepted and the connection completes.  This exercises the knob only;
    disabling time checks in a real deployment removes the protection that
    test_ap_wpa2_eap_ttls_expired_cert verifies.  Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      phase1="tls_disable_time_checks=1",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """EAP-TTLS/MSCHAP against a server certificate with an unusually long validity period.

    The AP presents auth_serv/server-long-duration.pem; the connection must
    complete.  Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
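def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """EAP-TTLS must fail when the server certificate carries only a client EKU.

    The AP presents auth_serv/server-eku-client.pem.  A certificate whose
    extended key usage does not permit server authentication must not be
    accepted as the authentication server's certificate, so the client is
    expected to report EAP failure.  Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the trailing arguments of this connect() call are missing
    # from the listing.  The EAP-FAILURE wait below requires a non-blocking
    # connect, so wait_connect=False plus the usual scan_freq="2412" is
    # assumed -- confirm against upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)

    # The raise is guarded on the wait result (wait_event is taken to return
    # None on timeout -- project helper, confirm).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")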
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """EAP-TTLS with a server certificate carrying both client and server EKU.

    The AP presents auth_serv/server-eku-client-server.pem.  Unlike the
    client-only EKU case, the server-authentication usage is present, so
    the connection must complete.  Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """EAP-TTLS/MSCHAP with the server credentials loaded from a PKCS#12 bundle.

    server_cert is dropped from the hostapd parameters and private_key points
    at auth_serv/server.pkcs12, so hostapd takes both certificate and key from
    the bundle.  The connection must complete.  Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the closing arguments of this connect() call are missing
    # from the listing; scan_freq="2412" is what every fully visible sibling
    # test passes -- confirm against upstream.
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """EAP-TTLS/PAP with dh_file=auth_serv/dh.conf set in the client network profile.

    The docstring in the listing says CHAP, but the profile uses
    phase2="auth=PAP" with identity "pap user".  The CA is given in DER form
    (auth_serv/ca.der).  The connection must complete.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                      dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """EAP-TTLS/PAP with DSA parameters supplied as the client dh_file.

    Skipped unless check_dh_dsa_support() passes for the supplicant build.
    dh_file points at auth_serv/dsaparam.pem; the connection must complete.
    """
    check_dh_dsa_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                      dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_cfg)
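def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS must fail cleanly when the configured client dh_file does not exist.

    dh_file names a non-existent path; the client is expected to report EAP
    failure rather than connect, and the profile is removed afterwards.
    Skipped under FIPS builds.
    """
    skip_with_fips(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    # The raise is guarded on the wait result (wait_event is taken to return
    # None on timeout -- project helper, confirm).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()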
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    ``dh_file`` points at a CA certificate rather than DH parameters; the
    station must reject the configuration with an EAP failure.

    NOTE(review): a second function with this exact name is defined later in
    this file (the server-side dhparams variant); the later definition
    replaces this one at import time, so this case is not run under this name.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                dh_file="auth_serv/ca.pem",
                scan_freq="2412", wait_connect=False)
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP failure timed out")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
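def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DH parameters are read from ``auth_serv/dh2.conf`` and pushed into
    wpa_supplicant as a named blob (``SET blob dhparams <hex>``); the
    network then references it via ``dh_file="blob://dhparams"``.

    The hex encoding uses ``binascii.hexlify`` instead of the Python 2-only
    ``str.encode("hex")`` so the test does not depend on the codec that was
    removed in Python 3 (same output on Python 2).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    dh_hex = binascii.hexlify(dh)
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")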
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is given a non-default ``dh_file``; the
    station connects with EAP-TTLS/PAP and the handshake must succeed.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    ttls_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server-side counterpart of the DSA params test: the EAP server's
    ``dh_file`` holds DSA parameters and the station connects with
    EAP-TTLS/PAP.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    ttls_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    The EAP server's ``dh_file`` does not exist; ``ENABLE`` on the AP must
    fail rather than start with a broken TLS configuration.

    NOTE(review): this redefines a function of the same name declared earlier
    in this file (the client-side dhparams variant), which is therefore never
    run under that name; one of the two should be renamed.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    The EAP server's ``dh_file`` points at a CA certificate instead of DH
    parameters; ``ENABLE`` must be rejected.

    NOTE(review): this redefines a function of the same name declared earlier
    in this file (the client-side variant), which is therefore never run
    under that name; one of the two should be renamed.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with ``eap_reauth_period=2`` so it forces a new
    EAP exchange shortly after the initial EAP-PAX authentication. The test
    waits for EAP to restart and succeed again, then polls wpa_state until
    the station is back in COMPLETED.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    started = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if started is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Timeout on reauthentication")
    succeeded = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if succeeded is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Timeout on reauthentication")
    # Poll for the 4-way handshake to finish after the EAP success.
    state = None
    for _ in range(0, 20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            break  # NOTE(review): reconstructed (line missing from rendered source)
        time.sleep(0.1)  # NOTE(review): reconstructed poll interval; confirm against file
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    The AP's ``eap_message`` carries a displayable string followed by a NUL
    and a set of network-info attributes; the EAP-PAX connection must still
    complete normally with that Request-Identity payload.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    pax_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    With ``eap_sim_aka_result_ind=1`` on the server, each of EAP-SIM,
    EAP-AKA and EAP-AKA' is exercised twice: dev[0] negotiates the protected
    result indication (``phase1="result_ind=1"``) and re-authenticates,
    dev[1] connects without it. Credentials are the hwsim test vectors
    served by hlr_auc_gw.
    """
    check_hlr_auc_gw_support()
    server_params = int_eap_server_params()
    server_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server_params)

    # (method, identity, password) triples for the three SIM-family methods
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=password, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    A very small EAP fragment size forces the TTLS exchange over the
    supplicant's roundtrip limit; the expected outcome is the "EAP: more
    than" log event rather than a completed connection.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="10")  # NOTE(review): reconstructed (line missing from rendered source)
    limit_hit = sta.wait_event(["EAP: more than"], timeout=20)
    if limit_hit is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station only offers EAP-PSK for identity ``vendor-test`` while the
    server proposes something else, so the supplicant is expected to answer
    with an (expanded) NAK: an EAP status containing "refuse proposed
    method" must be seen within a few status events, followed by EAP failure.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)  # NOTE(review): reconstructed (line missing from rendered source)

    refused = False  # NOTE(review): reconstructed (line missing from rendered source)
    status = None
    for _ in range(0, 5):
        status = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        if status is None:  # NOTE(review): reconstructed (line missing from rendered source)
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in status:
            refused = True  # NOTE(review): reconstructed (line missing from rendered source)
            break
    if not refused:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Unexpected EAP status: " + status)

    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if failure is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database under ``params['logdir']`` with
    one EAP-TTLS user per inner method (PAP, CHAP, MSCHAP, MSCHAPv2) plus a
    wildcard entry allowing TTLS/TLS as phase 1, points the integrated EAP
    server at it via ``eap_user_file=sqlite:<path>`` and authenticates each
    user in turn. The SQL statements are fixed literals; no test input is
    interpolated into them.

    NOTE(review): a few lines of this function (between the DB setup and
    the server configuration, and at its very end) are missing from the
    rendered source and could not be reconstructed.
    """
    skip_with_fips(dev[0])
    try:  # NOTE(review): reconstructed (lines missing from rendered source)
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    try:  # NOTE(review): reconstructed (lines missing from rendered source)
        os.remove(dbfile)
    except:
        pass
    con = sqlite3.connect(dbfile)
    with con:  # NOTE(review): reconstructed (lines missing from rendered source)
        cur = con.cursor()
        schema = [
            "CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)",
            "CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)",
            "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)",
            "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)",
            "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)",
            "INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)",
            "INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')",
            "CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)",
        ]
        for statement in schema:
            cur.execute(statement)

    server_params = int_eap_server_params()
    server_params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], server_params)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                phase2="auth=MSCHAPV2", **common)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                phase2="auth=MSCHAP", **common)
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                phase2="auth=CHAP", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                phase2="auth=PAP", **common)
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations send identities containing a non-ASCII byte (``"\\x80"``
    and ``"a\\x80"``) to the integrated EAP server. The test only checks
    that EAP starts and a method is selected for both, i.e. the odd
    identity is handled without the exchange stalling.
    """
    server_params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    identities = {0: "\x80", 1: "a\x80"}
    for idx, ident in identities.items():
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity=ident, password="password",
                         wait_connect=False)
    for idx in range(0, 2):
        started = dev[idx].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if started is None:  # NOTE(review): reconstructed (line missing from rendered source)
            raise Exception("Association and EAP start timed out")
        method = dev[idx].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if method is None:  # NOTE(review): reconstructed (line missing from rendered source)
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Variant of the non-ASCII identity test against the default
    ``wpa2_eap_params`` AP (RADIUS-backed) instead of the integrated EAP
    server; the same EAP-started / method-selected events are expected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    identities = {0: "\x80", 1: "a\x80"}
    for idx, ident in identities.items():
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity=ident, password="password",
                         wait_connect=False)
    for idx in range(0, 2):
        started = dev[idx].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if started is None:  # NOTE(review): reconstructed (line missing from rendered source)
            raise Exception("Association and EAP start timed out")
        method = dev[idx].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if method is None:  # NOTE(review): reconstructed (line missing from rendered source)
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Exercises the per-network ``openssl_ciphers`` setting on the station:
    ``AES128`` must still let EAP-TTLS/PAP complete, ``EXPORT`` must make
    the handshake fail (the server does not offer export-grade suites; a
    local error is tolerated), and an unparsable string (``FOO``) must be
    reported as an EAP failure instead of silently falling back to the
    default cipher list.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT",
                expect_failure=True, maybe_local_error=True, **common)

    sta = dev[2]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="pap user", anonymous_identity="ttls",
                password="password",
                openssl_ciphers="FOO",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                wait_connect=False, scan_freq="2412")  # NOTE(review): reconstructed (line missing from rendered source)
    failure = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if failure is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    sta.request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to ``AES256``. A station with
    the default cipher list connects; one restricted to ``AES128`` has no
    suite in common and must fail; one allowing ``HIGH:!ADH`` connects.
    Finally a second AP configured with an unparsable ``openssl_ciphers``
    value must be rejected at ``ENABLE`` time.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    server_params = int_eap_server_params()
    server_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    server_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def _hexdump_bytes(line):
    """Return the bytes from a wpa_supplicant "... - hexdump(len=N): aa bb" log line.

    The value is the fourth ':'-separated field with the spaces removed,
    decoded from hex.
    """
    hex_field = line.strip().split(':')[3].replace(' ', '')
    return binascii.unhexlify(hex_field)


def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Connects with EAP-TTLS/PAP, recovers the derived keys (MSK, EMSK, PMK,
    PTK, GTK) from the wpa_supplicant debug log, then reads the process
    memory at four points and checks which secrets are still resident:

    * while associated: password, PMK, KCK and KEK are expected to be
      found (the first two are skips rather than failures if absent); the
      TK and GTK must not be, since they live only in the driver;
    * after disconnect: KCK, KEK, TK and GTK must be gone (password and PMK
      legitimately remain in the network profile / PMKSA cache);
    * after PMKSA_FLUSH and invalidating EAP fast re-auth data: PMK gone;
    * after removing the network profile: every secret gone.

    Lines marked NOTE(review) were not visible in the rendered source and
    were reconstructed from the surrounding checks.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    sta = dev[0]
    pid = find_wpas_process(sta)
    id = eap_connect(sta, apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)  # NOTE(review): reconstructed (line missing from rendered source)
    buf = read_process_memory(pid, password)

    sta.request("DISCONNECT")
    sta.wait_disconnected()

    sta.relog()  # NOTE(review): reconstructed (line missing from rendered source)
    # Map each log marker to the key it carries; None until seen.
    markers = {
        "EAP-TTLS: Derived key - hexdump": "msk",
        "EAP-TTLS: Derived EMSK - hexdump": "emsk",
        "WPA: PMK - hexdump": "pmk",
        "WPA: PTK - hexdump": "ptk",
        "WPA: Group Key - hexdump": "gtk",
    }
    keys = dict.fromkeys(markers.values())
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for line in f.readlines():
            for marker, name in markers.items():
                if marker in line:
                    keys[name] = _hexdump_bytes(line)
    msk, emsk, pmk = keys["msk"], keys["emsk"], keys["pmk"]
    ptk, gtk = keys["ptk"], keys["gtk"]
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Unexpected GTK length")

    # PTK layout: KCK | KEK | TK, 16 bytes each
    kck = ptk[0:16]  # NOTE(review): reconstructed (line missing from rendered source)
    kek = ptk[16:32]  # NOTE(review): reconstructed (line missing from rendered source)
    tk = ptk[32:48]  # NOTE(review): reconstructed (line missing from rendered source)

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:  # NOTE(review): reconstructed (line missing from rendered source)
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("KCK not found while associated")
    if kek not in buf:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("KEK not found while associated")
    if tk in buf:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("TK found from memory")
    if gtk in buf:  # NOTE(review): reconstructed (line missing from rendered source)
        get_key_locations(buf, gtk, "GTK")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    for secret, label in ((kck, "KCK"), (kek, "KEK"), (tk, "TK"), (gtk, "GTK")):
        verify_not_present(buf, secret, fname, label)

    sta.request("PMKSA_FLUSH")
    # Changing the identity invalidates the EAP fast re-auth state.
    sta.set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    sta.request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    for secret, label in ((password, "password"), (pmk, "PMK"),
                          (kck, "KCK"), (kek, "KEK"), (tk, "TK"),
                          (gtk, "GTK"), (msk, "MSK"), (emsk, "EMSK")):
        verify_not_present(buf, secret, fname, label)
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, a WEP-style (RC4) EAPOL-Key
    frame is injected into wpa_supplicant via ``EAPOL_RX`` as if it came
    from the AP. On a WPA2 association such a frame has no business
    arriving; the test only verifies that the control interface accepts
    the injection (the frame itself is expected to be dropped).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    bssid = apdev[0]['bssid']
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    wep_eapol_key = "0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    res = sta.request("EAPOL_RX " + bssid + " " + wep_eapol_key)
    if "OK" not in res:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs ``_test_ap_wpa2_eap_in_bridge`` and always tears the
    bridge and the 4addr setting down afterwards, even when the inner test
    raises. The interface names must match the ones used by the inner test.
    """
    br_ifname = 'sta-br0'  # NOTE(review): reconstructed (line missing from rendered source)
    ifname = 'wlan5'  # NOTE(review): reconstructed (line missing from rendered source)
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        # Best-effort cleanup: return codes are deliberately ignored so one
        # failing step does not prevent the remaining ones from running.
        cleanup = [
            ['ip', 'link', 'set', 'dev', br_ifname, 'down'],
            ['brctl', 'delif', br_ifname, ifname],
            ['brctl', 'delbr', br_ifname],
            ['iw', ifname, 'set', '4addr', 'off'],
        ]
        for cmd in cleanup:
            subprocess.call(cmd)
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of the bridge test; cleanup is done by the caller.

    Creates a bridge, enables 4addr on the station interface, adds it to
    the bridge and attaches it to a separate wpa_supplicant instance with
    ``br_ifname`` set, so EAPOL frames are sent/received through the
    bridge. It then authenticates with EAP-PAX, re-authenticates twice
    (the second time as a regression check for the packet socket
    workaround) and finally disconnects and reconnects.

    Lines marked NOTE(review) were not visible in the rendered source.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    br_ifname = 'sta-br0'  # NOTE(review): reconstructed (line missing from rendered source)
    ifname = 'wlan5'  # NOTE(review): reconstructed (line missing from rendered source)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    setup = [
        ['brctl', 'addbr', br_ifname],
        ['brctl', 'setfd', br_ifname, '0'],
        ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
        ['iw', ifname, 'set', '4addr', 'on'],
    ]
    for cmd in setup:
        subprocess.call(cmd)
    # Adding the port is the one step that must succeed; fail loudly otherwise.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)

    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")

    eap_reauth(wpas, "PAX")

    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")

    wpas.request("DISCONNECT")
    wpas.wait_disconnected()

    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Checks the AP reports ``WPA-EAP`` as its first key_mgmt, then connects
    with EAP-TTLS/PAP with TLS session tickets explicitly enabled
    (``tls_disable_session_ticket=0``) and re-authenticates once.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Same flow as the session ticket test but with the supplicant's EAP
    interoperability workarounds disabled (``eap_workaround='0'``); the
    EAP-TTLS/PAP connection and a re-authentication must still succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")  # NOTE(review): reconstructed (line missing from rendered source)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    Exercises the EAP server's ``check_crl`` setting with a client
    certificate:

    * ``check_crl=1`` with no CRL loaded: the server cannot verify
      revocation status, so the connection must be rejected;
    * ``check_crl=1`` after switching ``ca_cert`` to a bundle containing a
      CRL: accepted;
    * ``check_crl=2`` (check the whole chain) with the same bundle: accepted.

    Lines marked NOTE(review) were not visible in the rendered source.
    """
    server_params = int_eap_server_params()
    server_params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)

    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")

    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                expect_failure=True, **client)
    dev[0].request("REMOVE_NETWORK all")

    hapd.disable()  # NOTE(review): reconstructed (line missing from rendered source)
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    hapd.enable()  # NOTE(review): reconstructed (line missing from rendered source)

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client)
    dev[0].request("REMOVE_NETWORK all")

    hapd.disable()  # NOTE(review): reconstructed (line missing from rendered source)
    hapd.set("check_crl", "2")
    hapd.enable()  # NOTE(review): reconstructed (line missing from rendered source)

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client)
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects an allocation failure into ``tls_connection_set_subject_match``
    (1st through 4th allocation) while configuring an EAP-TLS network that
    uses every certificate-matching option. The expected symptom of the TLS
    parameter configuration failing is a CTRL-REQ-PASSPHRASE request, after
    which the network is removed.
    """
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    check_domain_match(sta)
    check_domain_match_full(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    tls_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                   altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                   domain_suffix_match="server.w1.fi",
                   domain_match="server.w1.fi",
                   wait_connect=False, scan_freq="2412")
    target = "tls_connection_set_subject_match"
    for count in (1, 2, 3, 4):
        with alloc_fail(sta, count, target):
            sta.connect("test-wpa2-eap", **tls_cfg)
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            req = sta.wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            if req is None:  # NOTE(review): reconstructed (line missing from rendered source)
                raise Exception("No passphrase request")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP uses ``macaddr_acl=2`` (RADIUS-based MAC ACL) together with
    WPA2-Enterprise; dev[1] must still be able to complete EAP-TLS.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client = dict(ca_cert="auth_serv/ca.pem",
                  client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **client)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first ``eapol_auth_alloc`` on the AP fail while a station
    connects with EAP-TLS. The station retries with EAPOL-Start, so the
    connection is still expected to complete.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # the retry is expected to succeed.  (NOTE(review): tail of this
        # comment reconstructed; not visible in rendered source)
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key",
                    scan_freq="2412")  # NOTE(review): reconstructed (line missing from rendered source)
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using *phase1* and verify the negotiated TLS version.

    Parameters:
        dev: station to connect with.
        ap: AP descriptor passed through to eap_connect().
        phase1: phase1 string (e.g. tls_disable_tlsv1_0=1 ...) selecting
            which TLS versions the station allows.
        expected: value the station's ``eap_tls_version`` status field
            must report after the connection.

    Raises Exception when the negotiated version differs from *expected*.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)  # NOTE(review): reconstructed (line missing from rendered source)
    negotiated = dev.get_status_field("eap_tls_version")
    if negotiated != expected:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, negotiated))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Uses the ``tls_disable_tlsv1_*`` phase1 flags to pin the station to a
    single TLS version and checks the version actually negotiated. With
    OpenSSL only the 1.2-only case is checked (and only on OpenSSL 1.0.2
    builds); with the internal TLS library all three of TLSv1.2, TLSv1.1
    and TLSv1 are checked on separate stations.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    tls_lib = dev[0].request("GET tls_library")
    only_12 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    if tls_lib.startswith("OpenSSL"):
        is_102 = ("build=OpenSSL 1.0.2" in tls_lib and
                  "run=OpenSSL 1.0.2" in tls_lib)
        if is_102:
            check_tls_ver(dev[0], apdev[0], only_12,
                          "TLSv1.2")  # NOTE(review): reconstructed (line missing from rendered source)
    elif tls_lib.startswith("internal"):
        cases = [
            (dev[0], only_12, "TLSv1.2"),
            (dev[1], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1"),
            (dev[2], "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1"),
        ]
        for sta, phase1, expected in cases:
            check_tls_ver(sta, apdev[0], phase1, expected)
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    Starts with hostapd's normal RSN element, connects with EAP-GPSK, and
    then makes the AP advertise progressively truncated RSN elements
    (missing RSN Capabilities, AKM suites, pairwise ciphers, group cipher).
    For each variant the station reconnects to the same profile; the
    expectation is that it parses the short element and still completes
    the connection. Scan cache is flushed so each round sees the new IE.

    Lines marked NOTE(review) were not visible in the rendered source.
    """
    bssid = apdev[0]['bssid']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    ap_params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                     identity="gpsk user",
                     password="abcdefghijklmnop0123456789abcdef",
                     scan_freq="2412")  # NOTE(review): reconstructed (line missing from rendered source)

    variants = [
        ('No RSN Capabilities field',
         '30120100000fac040100000fac040100000fac01'),
        ('No AKM Suite fields',
         '300c0100000fac040100000fac04'),
        ('No Pairwise Cipher Suite fields',
         '30060100000fac04'),
        ('No Group Data Cipher Suite field',
         '30020100'),  # NOTE(review): reconstructed (line missing from rendered source)
    ]
    for label, ie in variants:
        sta.request("DISCONNECT")
        sta.wait_disconnected()

        logger.info(label)  # NOTE(review): reconstructed (line missing from rendered source)
        hapd.set('own_ie_override', ie)

        sta.request("BSS_FLUSH 0")
        sta.scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        sta.select_network(id, freq=2412)
        sta.wait_connected()

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and the station use OpenSSL.

    TLS session resumption is only exercised with OpenSSL on both sides;
    any other TLS library on either end raises HwsimSkip with the library
    string included.
    """
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    With ``tls_session_lifetime=60`` on the server, the first EAP-TTLS/PAP
    connection must be a full handshake (``tls_session_reused`` == '0') and
    a forced REAUTHENTICATE must reuse the cached TLS session ('1') and
    still complete the key handshake.
    """
    server_params = int_eap_server_params()
    server_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    sta = dev[0]
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")  # NOTE(review): reconstructed (line missing from rendered source)
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    success = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if success is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP success timed out")
    keyed = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if keyed is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same check as the PAP variant with CHAP as the inner method: full
    handshake on the first connection, resumed TLS session after
    REAUTHENTICATE.
    """
    server_params = int_eap_server_params()
    server_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    sta = dev[0]
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    success = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if success is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP success timed out")
    keyed = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if keyed is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    MSCHAP inner method with ``domain_suffix_match`` on the server
    certificate; the first connection must be a full handshake and the
    REAUTHENTICATE must resume the TLS session.
    """
    sta = dev[0]
    check_domain_suffix_match(sta)
    server_params = int_eap_server_params()
    server_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    success = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if success is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP success timed out")
    keyed = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if keyed is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    MSCHAPv2 inner method (skipped if the build lacks it) with a
    domain-qualified identity and ``domain_suffix_match``; first connection
    is a full handshake, REAUTHENTICATE must resume the TLS session.
    """
    sta = dev[0]
    check_domain_suffix_match(sta)
    check_eap_capa(sta, "MSCHAPV2")
    server_params = int_eap_server_params()
    server_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    success = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if success is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("EAP success timed out")
    keyed = sta.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if keyed is None:  # NOTE(review): reconstructed (line missing from rendered source)
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round: expect the abbreviated (resumed) TLS handshake.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines and the last argument line of the eap_connect() call; the latter
    # is restored as phase2="auth=PAP" (matching the "pap user" identity) and
    # should be confirmed against the repository.
    sta = dev[0]
    srv_params = int_eap_server_params()
    # Lifetime 0 disables the server-side TLS session cache entirely.
    srv_params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With caching disabled the second round must also be a full handshake.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round within the lifetime: the PEAP TLS session must be resumed.
    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    # crypto_binding=2 makes the inner/outer binding mandatory on the peer,
    # so the resumed session must still complete the binding exchange.
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    # tls_session_lifetime is deliberately left at its default here, which is
    # what "disabled on server" relies on.
    srv_params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    # No cache on the server, so the second round must be a full handshake too.
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Two further EAP rounds; both must reuse the cached TLS session, which
    # also shows the cache entry survives being resumed once.
    for ordinal in ("second", "third"):
        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if sta.get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the " + ordinal + " connection")
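def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption after tls_session_lifetime expiration"""
    # Docstring fixed: the original repeated the description of the plain
    # resumption test, although this one checks that a cache entry with a one
    # second lifetime is no longer offered for resumption.
    # NOTE(review): the rendered listing dropped the retry loop header, the
    # sleep, the "if ev is None:" guards and the "break"; they are restored
    # here from the surrounding lines and the comment and should be confirmed
    # against the repository.
    sta = dev[0]
    srv_params = int_eap_server_params()
    srv_params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # exactly at the lifetime boundary; stop as soon as a full handshake is seen.
    for _ in range(10):
        time.sleep(1.2)

        sta.request("REAUTHENTICATE")
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        if sta.get_status_field("tls_session_reused") == '0':
            break
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")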
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # NOTE(review): the rendered listing dropped the "if ev is None:" guard
    # lines; they are restored here from the raise messages that follow them.
    sta = dev[0]
    # Default server parameters: no tls_session_lifetime, so no session cache.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # NOTE(review): the rendered listing dropped one entry of the RADIUS
    # server parameter dict and the "if ev is None:" guard lines; the dict
    # entry is restored as "eap_server": "1" (needed for the standalone
    # authentication server to terminate EAP) and should be confirmed against
    # the repository.
    sta = dev[0]
    # apdev[1] acts as a standalone RADIUS authentication server with a
    # 60 s TLS session cache.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)
    check_tls_session_resumption_capa(sta, authsrv)

    # apdev[0] is the AP proper, forwarding EAP to the server above.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # NOTE(review): the rendered listing dropped one entry of the RADIUS
    # server parameter dict and the "if ev is None:" guard lines; the dict
    # entry is restored as "eap_server": "1" and should be confirmed against
    # the repository.
    sta = dev[0]
    # Standalone RADIUS authentication server on apdev[1] with the TLS
    # session cache switched off (lifetime 0).
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if sta.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if sta.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
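def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    # Change: the first fail_test list contained the tuple
    # (1, "nt_password_hash;=mschapv2_derive_response") twice; the duplicate
    # only re-ran an identical case and has been dropped.
    # NOTE(review): the rendered listing dropped the last argument line of the
    # initial connect() call; it is restored as scan_freq="2412" to match every
    # other connect() in this function and should be confirmed against the
    # repository.
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    check_eap_capa(sta, "FAST")

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    # Baseline: a normal EAP-MSCHAPv2 connection must succeed before the
    # injected failures are exercised.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                identity="phase1-user", password="password",
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    def attempt(trigger, **net_args):
        """Start one connection attempt under an active fail/alloc trigger.

        Waits for the injected failure to fire (trigger is the GET_* command
        polled by wait_fail_trigger) and then tears the network down again.
        """
        sta.connect("test-wpa-eap", key_mgmt="WPA-EAP",
                    wait_connect=False, scan_freq="2412", **net_args)
        wait_fail_trigger(sta, trigger)
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Crypto/derivation failures with a plaintext password.
    fail_cases = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                  (1, "nt_password_hash;mschapv2_derive_response"),
                  (1, "nt_password_hash;=mschapv2_derive_response"),
                  (1, "generate_nt_response;mschapv2_derive_response"),
                  (1, "generate_authenticator_response;mschapv2_derive_response"),
                  (1, "get_master_key;mschapv2_derive_response"),
                  (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in fail_cases:
        with fail_test(sta, count, func):
            attempt("GET_FAIL", eap="MSCHAPV2",
                    identity="phase1-user", password="password")

    # Same derivation path when the NT password hash is configured directly.
    fail_cases = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                  (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                  (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                  (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in fail_cases:
        with fail_test(sta, count, func):
            attempt("GET_FAIL", eap="MSCHAPV2",
                    identity="phase1-user",
                    password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Memory allocation failures on the success path.
    alloc_cases = [(1, "eap_mschapv2_init"),
                   (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                   (1, "eap_msg_alloc;eap_mschapv2_success"),
                   (1, "eap_mschapv2_getKey")]
    for count, func in alloc_cases:
        with alloc_fail(sta, count, func):
            attempt("GET_ALLOC_FAIL", eap="MSCHAPV2",
                    identity="phase1-user", password="password")

    # Allocation failure while building the failure response (wrong password).
    for count, func in [(1, "eap_msg_alloc;eap_mschapv2_failure")]:
        with alloc_fail(sta, count, func):
            attempt("GET_ALLOC_FAIL", eap="MSCHAPV2",
                    identity="phase1-user", password="wrong password")

    # MSCHAPv2 used as the EAP-FAST inner method during provisioning.
    for count, func in [(2, "eap_mschapv2_init"),
                        (3, "eap_mschapv2_init")]:
        with alloc_fail(sta, count, func):
            attempt("GET_ALLOC_FAIL", eap="FAST",
                    anonymous_identity="FAST", identity="user",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac")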
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    # NOTE(review): the rendered listing dropped the last argument line of the
    # initial connect() call (restored as scan_freq="2412"), the phase1 values
    # of four fail_test entries (restored as "cipher=1" for the AES variants
    # and "cipher=2" for the SHA256 variants, following the function names
    # they pair with) and the phase1=phase1 argument of the connect() inside
    # the first loop. Confirm these against the repository.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa-eap"))
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"

    # Baseline connection before any failure is injected.
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                identity="gpsk user",
                password=gpsk_psk,
                scan_freq="2412")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # Injected failures in the GPSK-2/GPSK-4 derivation and MIC paths; the
    # third tuple element selects the cipher suite via phase1 (None = default).
    fail_cases = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_derive_keys_helper", None),
                  (2, "eap_gpsk_derive_keys_helper", None),
                  (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                  (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in fail_cases:
        with fail_test(sta, count, func):
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password=gpsk_psk,
                        phase1=phase1,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()

    # Memory allocation failures, with ERP enabled so that the EMSK and
    # session-id derivation paths are also reached.
    alloc_cases = [(1, "eap_gpsk_init"),
                   (2, "eap_gpsk_init"),
                   (3, "eap_gpsk_init"),
                   (1, "eap_gpsk_process_id_server"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_keys"),
                   (1, "eap_gpsk_derive_keys_helper"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                   (1, "eap_gpsk_getKey"),
                   (1, "eap_gpsk_get_emsk"),
                   (1, "eap_gpsk_get_session_id")]
    for count, func in alloc_cases:
        with alloc_fail(sta, count, func):
            sta.request("ERP_FLUSH")
            sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user", erp="1",
                        password=gpsk_psk,
                        wait_connect=False, scan_freq="2412")
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # NOTE(review): the rendered listing dropped several lines of this
    # function: the stale-socket cleanup block, both handle(self) method
    # headers, the server.timeout assignment, the hlr_auc_gw argument line,
    # the stdout close and the "if ev is None:" guards. They are restored
    # here from the surrounding code and should be confirmed against the
    # repository.
    sta = dev[0]
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Remove a socket left behind by an earlier run; a missing file is the
    # normal case. (A narrower `except OSError:` would be preferable to the
    # bare except, which also hides unrelated errors.)
    try:
        os.remove(sockpath)
    except:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap="SIM", identity="1232010000000000",
                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                         scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    sta.wait_disconnected()
    sta.request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        """Answer every hlr_auc_gw request with malformed strings only."""
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1

    sta.select_network(net_id)
    server.handle_request()
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP-Failure not reported")
    sta.wait_disconnected()
    sta.request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        """Proxy the request to the real hlr_auc_gw binary and relay its reply."""
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            cmd.stdout.close()
            logger.debug("hlr_auc_gw response: " + res)
            sock.sendto(res, self.client_address)

    # Swap the handler on the already-bound server rather than re-binding.
    server.RequestHandlerClass = test_handler2

    sta.select_network(net_id)
    server.handle_request()
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # NOTE(review): the rendered listing dropped the last argument line of
    # both connect() calls; restored as scan_freq="2412" in line with the rest
    # of the file. Confirm against the repository.
    srv_params = int_eap_server_params()
    # Server chain signed with SHA-512 throughout.
    srv_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    srv_params["server_cert"] = "auth_serv/sha512-server.pem"
    srv_params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)

    # Two stations against the same AP: one with a SHA-512 client
    # certificate, one with a SHA-384 client certificate.
    client_certs = [(dev[0], "auth_serv/sha512-user.pem", "auth_serv/sha512-user.key"),
                    (dev[1], "auth_serv/sha384-user.pem", "auth_serv/sha384-user.key")]
    for sta, cert, key in client_certs:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert=cert,
                    private_key=key,
                    scan_freq="2412")
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # NOTE(review): the rendered listing dropped the last argument line of
    # both connect() calls; restored as scan_freq="2412" in line with the rest
    # of the file. Confirm against the repository.
    srv_params = int_eap_server_params()
    # SHA-384 server certificate issued by the SHA-512 test CA.
    srv_params["ca_cert"] = "auth_serv/sha512-ca.pem"
    srv_params["server_cert"] = "auth_serv/sha384-server.pem"
    srv_params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)

    client_certs = [(dev[0], "auth_serv/sha512-user.pem", "auth_serv/sha512-user.key"),
                    (dev[1], "auth_serv/sha384-user.pem", "auth_serv/sha384-user.key")]
    for sta, cert, key in client_certs:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user sha512",
                    ca_cert="auth_serv/sha512-ca.pem",
                    client_cert=cert,
                    private_key=key,
                    scan_freq="2412")
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # NOTE(review): the rendered listing dropped the logger.info(title) line
    # at the top of each loop, the scan_freq="2412" argument of the connect()
    # calls in the two success loops and the "if ev is None:" guards; they
    # are restored here and should be confirmed against the repository.
    sta = dev[0]
    gpsk_psk = "abcdefghijklmnop0123456789abcdef"

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Second AP requires management frame protection (ieee80211w=2).
    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], pmf_params)

    def expect_reject(ssid, ie, status, **net_args):
        """Associate with an overridden RSN IE and require the given status code."""
        set_test_assoc_ie(sta, ie)
        sta.connect(ssid, key_mgmt="WPA-EAP", eap="GPSK",
                    identity="gpsk user", password=gpsk_psk,
                    scan_freq="2412", wait_connect=False, **net_args)
        ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        sta.request("REMOVE_NETWORK all")
        sta.dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    accepted = [("Normal wpa_supplicant assoc req RSN IE",
                 "30140100000fac040100000fac040100000fac010000"),
                ("Extra PMKIDCount field in RSN IE",
                 "30160100000fac040100000fac040100000fac0100000000"),
                ("Extra Group Management Cipher Suite in RSN IE",
                 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                ("Extra undefined extension field in RSN IE",
                 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                ("RSN IE without RSN Capabilities",
                 "30120100000fac040100000fac040100000fac01"),
                ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                ("RSN IE without pairwise", "30060100000fac04"),
                ("RSN IE without group", "30020100")]
    for title, ie in accepted:
        logger.info(title)
        set_test_assoc_ie(sta, ie)
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                    identity="gpsk user",
                    password=gpsk_psk,
                    scan_freq="2412")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # PMF-capable RSN IEs against the PMF-required AP.
    accepted_pmf = [("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac01cc00"),
                    ("Group management cipher included in assoc req RSN IE",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in accepted_pmf:
        logger.info(title)
        set_test_assoc_ie(sta, ie)
        sta.connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                    eap="GPSK", identity="gpsk user",
                    password=gpsk_psk,
                    scan_freq="2412")
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Cipher suites the AP does not offer must be rejected with the matching
    # status code (41 = invalid group cipher, 42 = invalid pairwise cipher).
    rejected = [("Invalid group cipher", "30060100000fac02", 41),
                ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in rejected:
        logger.info(title)
        expect_reject("test-wpa2-eap", ie, status)

    # PMF policy violations are rejected with status 31 (robust management
    # frame policy violation).
    rejected_pmf = [("Management frame protection not enabled",
                     "30140100000fac040100000fac040100000fac010000", 31),
                    ("Unsupported management group cipher",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31)]
    for title, ie, status in rejected_pmf:
        logger.info(title)
        expect_reject("test-wpa2-eap-11w", ie, status, ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation
    # (ca_cert is set, so the external check runs in addition to it).
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user",
                         ca_cert="auth_serv/ca.pem",
                         client_cert="auth_serv/user.pem",
                         private_key="auth_serv/user.key",
                         phase1="tls_ext_cert_check=1", scan_freq="2412",
                         only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation
    # (no ca_cert: the external CTRL-REQ-EXT_CERT_CHECK result is the only
    # server authentication performed here).
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         phase1="tls_ext_cert_check=1", scan_freq="2412",
                         only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                         identity="user", anonymous_identity="peap",
                         ca_cert="auth_serv/ca.pem",
                         password="password", phase2="auth=MSCHAPV2",
                         phase1="tls_ext_cert_check=1", scan_freq="2412",
                         only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    # NOTE(review): the rendered listing dropped one argument line of the
    # connect() call; restored as scan_freq="2412" in line with the sibling
    # ext_cert_check tests. Confirm against the repository.
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    # With internal server certificate chain validation
    # Start from an empty PAC blob so authenticated provisioning
    # (fast_provisioning=2) is exercised.
    sta.request("SET blob fast_pac_auth_ext ")
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                         identity="user", anonymous_identity="FAST",
                         ca_cert="auth_serv/ca.pem",
                         password="password", phase2="auth=GTC",
                         phase1="tls_ext_cert_check=1 fast_provisioning=2",
                         pac_file="blob://fast_pac_auth_ext",
                         scan_freq="2412",
                         only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
5327 def run_ext_cert_check(dev
, apdev
, net_id
):
5328 check_ext_cert_check_support(dev
[0])
5329 if not openssl_imported
:
5330 raise HwsimSkip("OpenSSL python method not available")
5332 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5333 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
5335 dev
[0].select_network(net_id
)
5338 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
5339 "CTRL-REQ-EXT_CERT_CHECK",
5340 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5342 raise Exception("No peer server certificate event seen")
5343 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
5346 vals
= ev
.split(' ')
5348 if v
.startswith("depth="):
5349 depth
= int(v
.split('=')[1])
5350 elif v
.startswith("cert="):
5351 cert
= v
.split('=')[1]
5352 if depth
is not None and cert
:
5353 certs
[depth
] = binascii
.unhexlify(cert
)
5354 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
5355 raise Exception("Unexpected EAP-Success")
5356 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
5357 id = ev
.split(':')[0].split('-')[-1]
5360 raise Exception("Server certificate not received")
5362 raise Exception("Server certificate issuer not received")
5364 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
5366 cn
= cert
.get_subject().commonName
5367 logger
.info("Server certificate CN=" + cn
)
5369 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
5371 icn
= issuer
.get_subject().commonName
5372 logger
.info("Issuer certificate CN=" + icn
)
5374 if cn
!= "server.w1.fi":
5375 raise Exception("Unexpected server certificate CN: " + cn
)
5376 if icn
!= "Root CA":
5377 raise Exception("Unexpected server certificate issuer CN: " + icn
)
5379 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
5381 raise Exception("Unexpected EAP-Success before external check result indication")
5383 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
5384 dev
[0].wait_connected()
5386 dev
[0].request("DISCONNECT")
5387 dev
[0].wait_disconnected()
5388 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
5389 raise Exception("PMKSA_FLUSH failed")
5390 dev
[0].request("SET blob fast_pac_auth_ext ")
5391 dev
[0].request("RECONNECT")
5393 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
5395 raise Exception("No peer server certificate event seen (2)")
5396 id = ev
.split(':')[0].split('-')[-1]
5397 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
5398 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
5400 raise Exception("EAP-Failure not reported")
5401 dev
[0].request("REMOVE_NETWORK all")
5402 dev
[0].wait_disconnected()