1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger shared by every test in this module (no logger name is given,
# so all messages go through whatever handlers the test runner installs).
logger = logging.getLogger(name=None)
22 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
23 from wpasupplicant
import WpaSupplicant
24 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
28 openssl_imported
= True
30 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA tests in this file rely on the HLR/AuC gateway to answer
    GSM/UMTS authentication requests; its availability is detected purely by
    the presence of its socket path, no connection attempt is made here.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test when the wpa_supplicant build lacks EAP *method*.

    The supported-method list is read with the "eap" capability query and
    *method* is matched against it.

    NOTE(review): original line 38 is absent from this rendering, so the
    condition that should guard the raise below (presumably a test of
    *method* against *res*) is not visible here; confirm against the
    upstream file before relying on this listing.
    """
    res = dev.get_capability("eap")
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the calling test unless *dev*'s TLS library is OpenSSL.

    subject_match is only validated against OpenSSL-based builds; any other
    backend makes the test skip instead of producing a misleading failure.

    Raises:
        HwsimSkip: when the "GET tls_library" reply does not start with
            "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: %s" % tls_lib)
def check_altsubject_match_support(dev):
    """Skip the calling test unless *dev*'s TLS library is OpenSSL.

    altsubject_match (subjectAltName matching) is only exercised with
    OpenSSL-based builds.

    Raises:
        HwsimSkip: when the "GET tls_library" reply does not start with
            "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: %s" % tls_lib)
def check_domain_match(dev):
    """Skip the calling test when *dev* uses the internal TLS library.

    The internal TLS implementation does not support domain_match, so a
    test that depends on it is skipped rather than failed.

    Raises:
        HwsimSkip: when the "GET tls_library" reply starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    uses_internal_tls = tls_lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls_lib)
def check_domain_suffix_match(dev):
    """Skip the calling test when *dev* uses the internal TLS library.

    The internal TLS implementation does not support domain_suffix_match.

    Raises:
        HwsimSkip: when the "GET tls_library" reply starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    uses_internal_tls = tls_lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the calling test unless *dev*'s TLS library is OpenSSL.

    With other TLS libraries domain_suffix_match only accepts a full domain
    match, so tests that rely on genuine suffix matching are skipped there.

    Raises:
        HwsimSkip: when the "GET tls_library" reply does not start with
            "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: %s" % tls_lib)
def check_cert_probe_support(dev):
    """Skip the calling test unless *dev*'s TLS library is OpenSSL or internal.

    Certificate probing (reporting the server certificate without a
    configured trust anchor) is only validated with those two backends.

    Raises:
        HwsimSkip: when the "GET tls_library" reply starts with neither
            "OpenSSL" nor "internal".
    """
    tls_lib = dev.request("GET tls_library")
    # not A and not B  ==  not (A or B); startswith() accepts a tuple of
    # prefixes, which is the "A or B" part.
    if not tls_lib.startswith(("OpenSSL", "internal")):
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
def check_ext_cert_check_support(dev):
    """Skip the calling test unless *dev*'s TLS library is OpenSSL.

    ext_cert_check (delegating server certificate validation to an external
    program over the control interface) is only exercised with OpenSSL.

    Raises:
        HwsimSkip: when the "GET tls_library" reply does not start with
            "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: %s" % tls_lib)
def check_ocsp_support(dev):
    """OCSP capability check that currently excludes no TLS library.

    The TLS library name is still queried so the control-interface round
    trip matches the other check_* helpers, but nothing is skipped: the
    earlier "internal" and "BoringSSL" exclusions are kept below, disabled,
    as a record of which backends used to lack OCSP support.
    """
    dev.request("GET tls_library")
    # Disabled skips retained for reference:
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the calling test when *dev*'s TLS library is BoringSSL or GnuTLS.

    Those backends do not support PKCS#5 v1.5 (the legacy private-key
    encryption scheme), so tests using such keys are skipped.

    Raises:
        HwsimSkip: when "BoringSSL" or "GnuTLS" appears in the
            "GET tls_library" reply.
    """
    tls_lib = dev.request("GET tls_library")
    unsupported = ("BoringSSL", "GnuTLS")
    if any(name in tls_lib for name in unsupported):
        raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls_lib)
def check_ocsp_multi_support(dev):
    """Skip the calling test unless both sides use the internal TLS library.

    ocsp_multi is checked on the station (*dev*) and on the authentication
    server, reached as the "as" hostapd instance; if either side does not
    report "internal" the test is skipped.

    NOTE(review): original line 94 is absent from this rendering (between
    the server's "GET tls_library" request and the check of its reply);
    confirm against the upstream file.

    Raises:
        HwsimSkip: when either TLS library reply does not start with
            "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    # Same query against the authentication server's own control interface.
    as_hapd = hostapd.Hostapd("as")
    res = as_hapd.request("GET tls_library")
    if not res.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """PKCS#12 capability check that currently excludes no TLS library.

    The TLS library name is still queried for parity with the other check_*
    helpers, but nothing is skipped; the former "internal" exclusion is kept
    below, disabled, as a record.
    """
    dev.request("GET tls_library")
    # Disabled skip retained for reference:
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the calling test when *dev* uses the internal TLS library.

    The internal TLS implementation does not support DH/DSA server
    certificates, so tests that need them are skipped there.

    Raises:
        HwsimSkip: when the "GET tls_library" reply starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    uses_internal_tls = tls_lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_lib)
109 with
open(fname
, "r") as f
:
110 lines
= f
.readlines()
118 if "-----BEGIN" in l
:
120 return base64
.b64decode(cert
)
122 def eap_connect(dev
, hapd
, method
, identity
,
123 sha256
=False, expect_failure
=False, local_error_report
=False,
124 maybe_local_error
=False, **kwargs
):
125 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
126 eap
=method
, identity
=identity
,
127 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
129 eap_check_auth(dev
, method
, True, sha256
=sha256
,
130 expect_failure
=expect_failure
,
131 local_error_report
=local_error_report
,
132 maybe_local_error
=maybe_local_error
)
135 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
137 raise Exception("No connection event received from hostapd")
140 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
141 expect_failure
=False, local_error_report
=False,
142 maybe_local_error
=False):
143 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
145 raise Exception("Association and EAP start timed out")
146 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
147 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
149 raise Exception("EAP method selection timed out")
150 if "CTRL-EVENT-EAP-FAILURE" in ev
:
151 if maybe_local_error
:
153 raise Exception("Could not select EAP method")
155 raise Exception("Unexpected EAP method")
157 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
159 raise Exception("EAP failure timed out")
160 ev
= dev
.wait_disconnected(timeout
=10)
161 if maybe_local_error
and "locally_generated=1" in ev
:
163 if not local_error_report
:
164 if "reason=23" not in ev
:
165 raise Exception("Proper reason code for disconnection not reported")
167 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
169 raise Exception("EAP success timed out")
172 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
174 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
176 raise Exception("Association with the AP timed out")
177 status
= dev
.get_status()
178 if status
["wpa_state"] != "COMPLETED":
179 raise Exception("Connection not completed")
181 if status
["suppPortStatus"] != "Authorized":
182 raise Exception("Port not authorized")
183 if "selectedMethod" not in status
:
184 logger
.info("Status: " + str(status
))
185 raise Exception("No selectedMethod in status")
186 if method
not in status
["selectedMethod"]:
187 raise Exception("Incorrect EAP method status")
189 e
= "WPA2-EAP-SHA256"
191 e
= "WPA2/IEEE 802.1X/EAP"
193 e
= "WPA/IEEE 802.1X/EAP"
194 if status
["key_mgmt"] != e
:
195 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP reauthentication on *dev* and verify the outcome.

    Sends the REAUTHENTICATE control command, then delegates to
    eap_check_auth() with initial=False; the rsn, sha256 and expect_failure
    arguments are forwarded unchanged.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(
        dev, method, False,
        rsn=rsn, sha256=sha256, expect_failure=expect_failure,
    )
    return outcome
203 def test_ap_wpa2_eap_sim(dev
, apdev
):
204 """WPA2-Enterprise connection using EAP-SIM"""
205 check_hlr_auc_gw_support()
206 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
207 hapd
= hostapd
.add_ap(apdev
[0], params
)
208 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
209 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
210 hwsim_utils
.test_connectivity(dev
[0], hapd
)
211 eap_reauth(dev
[0], "SIM")
213 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
214 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
215 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
216 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
219 logger
.info("Negative test with incorrect key")
220 dev
[0].request("REMOVE_NETWORK all")
221 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
222 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
225 logger
.info("Invalid GSM-Milenage key")
226 dev
[0].request("REMOVE_NETWORK all")
227 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
228 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
231 logger
.info("Invalid GSM-Milenage key(2)")
232 dev
[0].request("REMOVE_NETWORK all")
233 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
234 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
237 logger
.info("Invalid GSM-Milenage key(3)")
238 dev
[0].request("REMOVE_NETWORK all")
239 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
240 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
243 logger
.info("Invalid GSM-Milenage key(4)")
244 dev
[0].request("REMOVE_NETWORK all")
245 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
246 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
249 logger
.info("Missing key configuration")
250 dev
[0].request("REMOVE_NETWORK all")
251 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
254 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
255 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
256 check_hlr_auc_gw_support()
260 raise HwsimSkip("No sqlite3 module available")
261 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
262 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
263 params
['auth_server_port'] = "1814"
264 hapd
= hostapd
.add_ap(apdev
[0], params
)
265 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
266 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
268 logger
.info("SIM fast re-authentication")
269 eap_reauth(dev
[0], "SIM")
271 logger
.info("SIM full auth with pseudonym")
274 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
275 eap_reauth(dev
[0], "SIM")
277 logger
.info("SIM full auth with permanent identity")
280 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
281 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
282 eap_reauth(dev
[0], "SIM")
284 logger
.info("SIM reauth with mismatching MK")
287 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
288 eap_reauth(dev
[0], "SIM", expect_failure
=True)
289 dev
[0].request("REMOVE_NETWORK all")
291 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
292 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
295 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 eap_reauth(dev
[0], "SIM")
299 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
300 logger
.info("SIM reauth with mismatching counter")
301 eap_reauth(dev
[0], "SIM")
302 dev
[0].request("REMOVE_NETWORK all")
304 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
305 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
308 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
309 logger
.info("SIM reauth with max reauth count reached")
310 eap_reauth(dev
[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # sim_min_num_chal=1 is expected to be rejected: the method must fail to
    # initialize rather than proceed with a weaker challenge count.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # NOTE(review): original line 322 is absent from this rendering;
    # presumably the raise below is guarded by a check on `ev` — confirm
    # against the upstream file.
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    # sim_min_num_chal=4 is likewise expected to be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # NOTE(review): original line 332 is absent from this rendering; same
    # guard as above presumably applies.
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    # Accepted configurations: two challenges, and a pseudonym given as
    # anonymous_identity on a second station.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    # Restore the default: external_sim is changed with the global SET
    # command, so leaving it enabled would affect later tests on dev[0].
    # NOTE(review): original lines 345 and 347 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
350 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
351 check_hlr_auc_gw_support()
352 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
353 hostapd
.add_ap(apdev
[0], params
)
354 dev
[0].request("SET external_sim 1")
355 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
356 identity
="1232010000000000",
357 wait_connect
=False, scan_freq
="2412")
358 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
360 raise Exception("Network connected timed out")
362 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
364 raise Exception("Wait for external SIM processing request timed out")
366 if p
[1] != "GSM-AUTH":
367 raise Exception("Unexpected CTRL-REQ-SIM type")
368 rid
= p
[0].split('-')[3]
371 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
372 # This will fail during processing, but the ctrl_iface command succeeds
373 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
374 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
376 raise Exception("EAP failure not reported")
377 dev
[0].request("DISCONNECT")
378 dev
[0].wait_disconnected()
381 dev
[0].select_network(id, freq
="2412")
382 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
384 raise Exception("Wait for external SIM processing request timed out")
386 if p
[1] != "GSM-AUTH":
387 raise Exception("Unexpected CTRL-REQ-SIM type")
388 rid
= p
[0].split('-')[3]
389 # This will fail during GSM auth validation
390 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
391 raise Exception("CTRL-RSP-SIM failed")
392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
394 raise Exception("EAP failure not reported")
395 dev
[0].request("DISCONNECT")
396 dev
[0].wait_disconnected()
399 dev
[0].select_network(id, freq
="2412")
400 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p
[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid
= p
[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
486 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
487 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
489 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
491 dev
[0].request("SET external_sim 0")
493 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
494 check_hlr_auc_gw_support()
495 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
496 hostapd
.add_ap(apdev
[0], params
)
497 dev
[0].request("SET external_sim 1")
498 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
499 identity
="1232010000000000",
500 wait_connect
=False, scan_freq
="2412")
502 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
504 raise Exception("Wait for external SIM processing request timed out")
506 if p
[1] != "GSM-AUTH":
507 raise Exception("Unexpected CTRL-REQ-SIM type")
508 rid
= p
[0].split('-')[3]
509 rand
= p
[2].split(' ')[0]
511 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
513 "auth_serv/hlr_auc_gw.milenage_db",
514 "GSM-AUTH-REQ 232010000000000 " + rand
])
515 if "GSM-AUTH-RESP" not in res
:
516 raise Exception("Unexpected hlr_auc_gw response")
517 resp
= res
.split(' ')[2].rstrip()
519 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
520 dev
[0].wait_connected(timeout
=15)
521 dev
[0].request("DISCONNECT")
522 dev
[0].wait_disconnected()
524 # Replace SIM, but forget to drop the previous pseudonym identity
525 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
526 dev
[0].select_network(id, freq
="2412")
528 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
530 raise Exception("Wait for external SIM processing request timed out")
532 if p
[1] != "GSM-AUTH":
533 raise Exception("Unexpected CTRL-REQ-SIM type")
534 rid
= p
[0].split('-')[3]
535 rand
= p
[2].split(' ')[0]
537 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
539 "auth_serv/hlr_auc_gw.milenage_db",
540 "GSM-AUTH-REQ 232010000000009 " + rand
])
541 if "GSM-AUTH-RESP" not in res
:
542 raise Exception("Unexpected hlr_auc_gw response")
543 resp
= res
.split(' ')[2].rstrip()
545 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
546 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
548 raise Exception("EAP-Failure not reported")
549 dev
[0].request("DISCONNECT")
550 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    # Restore the default external_sim setting for the tests that follow.
    # NOTE(review): original lines 554 and 556 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
559 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
560 check_hlr_auc_gw_support()
561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
562 hostapd
.add_ap(apdev
[0], params
)
563 dev
[0].request("SET external_sim 1")
564 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
565 identity
="1232010000000000",
566 wait_connect
=False, scan_freq
="2412")
568 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
570 raise Exception("Wait for external SIM processing request timed out")
572 if p
[1] != "GSM-AUTH":
573 raise Exception("Unexpected CTRL-REQ-SIM type")
574 rid
= p
[0].split('-')[3]
575 rand
= p
[2].split(' ')[0]
577 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
579 "auth_serv/hlr_auc_gw.milenage_db",
580 "GSM-AUTH-REQ 232010000000000 " + rand
])
581 if "GSM-AUTH-RESP" not in res
:
582 raise Exception("Unexpected hlr_auc_gw response")
583 resp
= res
.split(' ')[2].rstrip()
585 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
586 dev
[0].wait_connected(timeout
=15)
587 dev
[0].request("DISCONNECT")
588 dev
[0].wait_disconnected()
590 # Replace SIM and drop the previous pseudonym identity
591 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
592 dev
[0].set_network(id, "anonymous_identity", "NULL")
593 dev
[0].select_network(id, freq
="2412")
595 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p
[1] != "GSM-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid
= p
[0].split('-')[3]
602 rand
= p
[2].split(' ')[0]
604 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
606 "auth_serv/hlr_auc_gw.milenage_db",
607 "GSM-AUTH-REQ 232010000000009 " + rand
])
608 if "GSM-AUTH-RESP" not in res
:
609 raise Exception("Unexpected hlr_auc_gw response")
610 resp
= res
.split(' ')[2].rstrip()
612 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
613 dev
[0].wait_connected()
614 dev
[0].request("DISCONNECT")
615 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    # Restore the default external_sim setting for the tests that follow.
    # NOTE(review): original lines 619 and 621 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
624 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
625 check_hlr_auc_gw_support()
626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
627 hostapd
.add_ap(apdev
[0], params
)
628 dev
[0].request("SET external_sim 1")
629 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
630 wait_connect
=False, scan_freq
="2412")
632 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
634 raise Exception("Request for identity timed out")
635 rid
= ev
.split(':')[0].split('-')[-1]
636 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
638 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
640 raise Exception("Wait for external SIM processing request timed out")
642 if p
[1] != "GSM-AUTH":
643 raise Exception("Unexpected CTRL-REQ-SIM type")
644 rid
= p
[0].split('-')[3]
645 rand
= p
[2].split(' ')[0]
647 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
649 "auth_serv/hlr_auc_gw.milenage_db",
650 "GSM-AUTH-REQ 232010000000000 " + rand
])
651 if "GSM-AUTH-RESP" not in res
:
652 raise Exception("Unexpected hlr_auc_gw response")
653 resp
= res
.split(' ')[2].rstrip()
655 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
656 dev
[0].wait_connected(timeout
=15)
657 dev
[0].request("DISCONNECT")
658 dev
[0].wait_disconnected()
660 # Replace SIM and drop the previous permanent and pseudonym identities
661 dev
[0].set_network(id, "identity", "NULL")
662 dev
[0].set_network(id, "anonymous_identity", "NULL")
663 dev
[0].select_network(id, freq
="2412")
665 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
667 raise Exception("Request for identity timed out")
668 rid
= ev
.split(':')[0].split('-')[-1]
669 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
671 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
673 raise Exception("Wait for external SIM processing request timed out")
675 if p
[1] != "GSM-AUTH":
676 raise Exception("Unexpected CTRL-REQ-SIM type")
677 rid
= p
[0].split('-')[3]
678 rand
= p
[2].split(' ')[0]
680 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
682 "auth_serv/hlr_auc_gw.milenage_db",
683 "GSM-AUTH-REQ 232010000000009 " + rand
])
684 if "GSM-AUTH-RESP" not in res
:
685 raise Exception("Unexpected hlr_auc_gw response")
686 resp
= res
.split(' ')[2].rstrip()
688 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
689 dev
[0].wait_connected()
690 dev
[0].request("DISCONNECT")
691 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    # Restore the default external_sim setting for the tests that follow.
    # NOTE(review): original lines 695 and 697 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
700 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
701 check_hlr_auc_gw_support()
702 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
703 hostapd
.add_ap(apdev
[0], params
)
704 dev
[0].request("SET external_sim 1")
705 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
706 identity
="1232010000000000",
707 wait_connect
=False, scan_freq
="2412")
709 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
711 raise Exception("Wait for external SIM processing request timed out")
713 rid
= p
[0].split('-')[3]
714 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
715 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
717 raise Exception("EAP failure not reported")
718 dev
[0].request("REMOVE_NETWORK all")
719 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
    _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    # Restore the default external_sim setting for the tests that follow.
    # NOTE(review): original lines 723 and 725 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
728 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
729 check_hlr_auc_gw_support()
730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
731 hostapd
.add_ap(apdev
[0], params
)
732 dev
[0].request("SET external_sim 1")
733 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
734 identity
="1232010000000000",
735 wait_connect
=False, scan_freq
="2412")
737 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
739 raise Exception("Wait for external SIM processing request timed out")
741 if p
[1] != "GSM-AUTH":
742 raise Exception("Unexpected CTRL-REQ-SIM type")
743 rid
= p
[0].split('-')[3]
744 rand
= p
[2].split(' ')[0]
746 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
748 "auth_serv/hlr_auc_gw.milenage_db",
749 "GSM-AUTH-REQ 232010000000000 " + rand
])
750 if "GSM-AUTH-RESP" not in res
:
751 raise Exception("Unexpected hlr_auc_gw response")
752 resp
= res
.split(' ')[2].rstrip()
754 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
755 dev
[0].wait_connected(timeout
=15)
757 # Verify that EAP-SIM Reauthentication can be used after a profile change
758 # that does not affect EAP parameters.
759 dev
[0].set_network(id, "bssid", "any")
760 eap_reauth(dev
[0], "SIM")
def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
    _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    # Restore the default external_sim setting for the tests that follow.
    # NOTE(review): original lines 764 and 766 are absent from this
    # rendering; this reset should run even when the inner test raises —
    # confirm upstream wraps the call above in try/finally.
    dev[0].request("SET external_sim 0")
769 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
770 check_hlr_auc_gw_support()
771 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
772 hostapd
.add_ap(apdev
[0], params
)
773 dev
[0].request("SET external_sim 1")
774 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
775 identity
="1232010000000000",
776 wait_connect
=False, scan_freq
="2412")
778 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
780 raise Exception("Wait for external SIM processing request timed out")
782 if p
[1] != "GSM-AUTH":
783 raise Exception("Unexpected CTRL-REQ-SIM type")
784 rid
= p
[0].split('-')[3]
785 rand
= p
[2].split(' ')[0]
787 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
789 "auth_serv/hlr_auc_gw.milenage_db",
790 "GSM-AUTH-REQ 232010000000000 " + rand
])
791 if "GSM-AUTH-RESP" not in res
:
792 raise Exception("Unexpected hlr_auc_gw response")
793 resp
= res
.split(' ')[2].rstrip()
795 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
796 dev
[0].wait_connected(timeout
=15)
798 # Verify that EAP-SIM Reauthentication can be used after network profile
799 # SET_NETWORK commands that do not actually change previously set
801 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
802 dev
[0].set_network(id, "eap", "SIM")
803 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
804 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
805 eap_reauth(dev
[0], "SIM")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # One (count, func) pair per injected failure point: fail_test()
    # presumably makes the count-th call into func fail (see utils), so
    # each Milenage f2345 invocation on the EAP-SIM path is exercised under
    # failure, one at a time.
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            # Method selection must still happen; the injected failure is
            # expected to surface afterwards as a disconnection.
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): original line 830 is absent from this rendering;
            # presumably the raise below is guarded by a check on `ev`.
            # Indentation of the two cleanup calls is not recoverable from
            # this listing either; they are placed inside the with-block —
            # confirm against the upstream file.
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
835 def test_ap_wpa2_eap_aka(dev
, apdev
):
836 """WPA2-Enterprise connection using EAP-AKA"""
837 check_hlr_auc_gw_support()
838 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
839 hapd
= hostapd
.add_ap(apdev
[0], params
)
840 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
841 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
842 hwsim_utils
.test_connectivity(dev
[0], hapd
)
843 eap_reauth(dev
[0], "AKA")
845 logger
.info("Negative test with incorrect key")
846 dev
[0].request("REMOVE_NETWORK all")
847 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
848 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
851 logger
.info("Invalid Milenage key")
852 dev
[0].request("REMOVE_NETWORK all")
853 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
854 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
857 logger
.info("Invalid Milenage key(2)")
858 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
859 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
862 logger
.info("Invalid Milenage key(3)")
863 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
864 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
867 logger
.info("Invalid Milenage key(4)")
868 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
869 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
872 logger
.info("Invalid Milenage key(5)")
873 dev
[0].request("REMOVE_NETWORK all")
874 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
875 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
878 logger
.info("Invalid Milenage key(6)")
879 dev
[0].request("REMOVE_NETWORK all")
880 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
881 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
884 logger
.info("Missing key configuration")
885 dev
[0].request("REMOVE_NETWORK all")
886 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
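def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # hostapd's EAP server is backed by the SQLite user database in the log
    # directory; the reauth/pseudonyms tables are edited between EAP runs to
    # force each of the server-side code paths listed in the logger messages.
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One committed transaction per edit so hostapd sees the new state
        # before the next EAP exchange starts.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password=milenage)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password=milenage)
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                    password=milenage)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # The original left the connection open; release the handle even
        # when one of the EAP steps raises.
        con.close()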
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same Milenage key material as the other AKA cases; what this case adds
    # is the anonymous_identity option on the network block.
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password=milenage, anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim is a global wpa_supplicant setting rather than a
    # per-network one, so it is cleared again even if the body raises.
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_ext (the caller resets external_sim).
    # With external_sim=1 wpa_supplicant hands the UMTS challenge to the
    # control interface as CTRL-REQ-SIM; each answer fed back here is
    # malformed in some way and must end in an EAP failure.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Wait for CTRL-REQ-SIM-<rid>:UMTS-AUTH:... and return <rid> so the
        # response can be addressed to the same request.
        req = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if req is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = req.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def expect_eap_failure():
        fail = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if fail is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

    rid = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # GSM-AUTH is the wrong response type for a UMTS-AUTH request.
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-%s:GSM-AUTH:%s" % (rid, resp))
    expect_eap_failure()

    dev[0].select_network(net_id, freq="2412")
    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-%s:UMTS-AUTS:112233445566778899aabbccddee" % rid):
        raise Exception("CTRL-RSP-SIM failed")
    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-%s:UMTS-AUTS:12" % rid):
        raise Exception("CTRL-RSP-SIM failed")
    expect_eap_failure()

    # Malformed UMTS-AUTH responses (bad separators, wrong field lengths,
    # non-hex digit). NOTE(review): one entry of this list could not be
    # recovered from the rendered page and is omitted here.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(net_id, freq="2412")
        rid = wait_umts_auth_req()
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # Always restore the global external_sim setting for later test cases.
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_ext_auth_fail (caller resets external_sim).
    # No password is configured: the UMTS-AUTH request is answered with
    # UMTS-FAIL and wpa_supplicant must report an EAP failure.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    # The returned network id is not needed; the network is never reselected.
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    req_id = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-%s:UMTS-FAIL" % req_id)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "6555444333222111"
    milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], hapd, "AKA'", imsi, password=milenage)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # Both methods are enabled on the station side; the "@both" realm is
    # presumably matched by a server-side user entry that permits either.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=milenage,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
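def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # Same structure as test_ap_wpa2_eap_aka_sql: edit hostapd's SQLite user
    # database between EAP runs to force the listed server-side paths.
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One committed transaction per edit so hostapd sees the new state
        # before the next EAP exchange starts.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    try:
        params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password=milenage)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password=milenage)
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
                    password=milenage)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # The original left the connection open; release the handle even
        # when one of the EAP steps raises.
        con.close()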
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # Always restore the global external_sim setting for later test cases.
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (caller resets
    # external_sim). The UMTS-AUTH request is answered with UMTS-FAIL and an
    # EAP failure must follow.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    # The returned network id is not needed; the network is never reselected.
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    req_id = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-%s:UMTS-FAIL" % req_id)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
    # Always restore the global external_sim setting for later test cases.
    try:
        _test_ap_wpa2_eap_aka_prime_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_aka_prime_ext (caller resets external_sim).
    # Answers the first UMTS-AUTH request with a UMTS-AUTS value and only
    # checks that the server comes back with another UMTS-AUTH request.
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    # The returned network id is not needed; the network is never reselected.
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    fields = ev.split(':', 2)
    if fields[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    req_id = fields[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-%s:UMTS-AUTS:112233445566778899aabbccddee" % req_id):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check of the AP configuration before any station connects.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the password inside the TLS tunnel, so the server
    # certificate is validated against the test CA.
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector.
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # On top of the CA check, pin the server certificate's subject and
    # subjectAltName entries.
    server_match = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **server_match)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Wrong password for the PAP user, then a user not provisioned for PAP.
    eap_connect(dev[0], hapd, "TTLS", "pap user", password="wrong",
                **tunnel)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password",
                **tunnel)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Uses the DER form of the test CA, unlike the PAP case.
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.der",
                  phase2="auth=CHAP")
    eap_connect(dev[0], hapd, "TTLS", "chap user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # altsubject_match entries are given in a different order than in the
    # PAP variant; any listed entry matching is enough.
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for the CHAP user, then a user not provisioned for CHAP.
    eap_connect(dev[0], hapd, "TTLS", "chap user", password="wrong",
                **tunnel)
    eap_connect(dev[1], hapd, "TTLS", "user", password="password",
                **tunnel)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP")
    # 1) plaintext password with the server name pinned via
    #    domain_suffix_match
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # 2) same credentials with a small EAP fragment_size to force
    #    fragmentation of the TLS handshake
    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **tunnel)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # 3) password given as a hash (password_hex="hash:...") instead of
    #    plaintext; presumably the NT hash of the same password
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tunnel)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    # Wrong password, a user not provisioned for MSCHAP, and an unknown user
    # must all fail.
    for sta, user, pw in [(dev[0], "mschap user", "wrong"),
                          (dev[1], "user", "password"),
                          (dev[2], "no such user", "password")]:
        eap_connect(sta, hapd, "TTLS", user, password=pw, **tunnel)
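def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Written as "\\m": the original "\m" is an invalid escape sequence that
    # newer Python versions warn about. The runtime string is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # The reauthentication must be visible in the AP-side EAPOL and backend
    # counters for this station.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")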
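def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # phase2 strings that the EAP-TTLS method must refuse to initialize
    # (apparently: wrong case, mixed auth=/autheap=, repeated keys, unknown
    # method).
    tests = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
             "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
             "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in tests:
        # Written as "\\m": "\m" is an invalid escape sequence that newer
        # Python versions warn about. The runtime string is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        # method=21 is the EAP type number of EAP-TTLS.
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()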
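def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Written as "\\m": "\m" is an invalid escape sequence that newer Python
    # versions warn about. The runtime string is unchanged.
    # domain_suffix_match="w1.fi" accepts the server's "server.w1.fi" name
    # by suffix, unlike the exact match used in the domain_match variant.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")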
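def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Written as "\\m": "\m" is an invalid escape sequence that newer Python
    # versions warn about. The runtime string is unchanged.
    # "Server.w1.fi" with a capital S presumably exercises case-insensitive
    # matching of the server name.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")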
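def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Written as "\\m": "\m" is an invalid escape sequence that newer Python
    # versions warn about. The runtime string is unchanged.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # A user not provisioned for MSCHAPv2 must fail as well.
    eap_connect(dev[1], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)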
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given as plaintext ...
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # ... and as a pre-computed hash.
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **tunnel)
    # Apparently invalid byte strings (and one over-long value) for
    # password_hex; each must end in an EAP failure.
    bad_hex = ["80", "41c041e04141e041", 257*"41"]
    for p in bad_hex:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=p, wait_connect=False, scan_freq="2412",
                       **tunnel)
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (here GTC) rather than a plain
    # auth= protocol inside the TTLS tunnel.
    eap_connect(dev[0], hapd, "TTLS", "user", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is a server-side user without a password, so the
    # inner GTC exchange cannot succeed.
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC", expect_failure=True)
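def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Allocation failure while the server initializes the inner GTC method:
    # the whole EAP exchange must fail.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the GTC request. The
    # connection attempt would eventually time out, so only wait until the
    # failure point has been reached, as test_ap_wpa2_eap_ttls_eap_gtc_oom
    # does, instead of the hand-rolled polling loop the original used.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")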
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Station-side allocation failures in the inner GTC method; the test
    # only waits until the injected failure has fired.
    for func in ["eap_gtc_init", "eap_msg_alloc;eap_gtc_process"]:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "TTLS", "user", password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side.
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5", expect_failure=True)
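def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Allocation failure while the server initializes the inner MD5 method:
    # the whole EAP exchange must fail.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while the server builds the MD5 request. The
    # connection attempt would eventually time out, so only wait until the
    # failure point has been reached, as test_ap_wpa2_eap_ttls_eap_gtc_oom
    # does, instead of the hand-rolled polling loop the original used.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")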
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side.
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd", password="password",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2", expect_failure=True)
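def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    # Station-side configuration shared by every attempt below.
    cfg = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
               phase2="autheap=MSCHAPV2")

    # Allocation failure in the method init is reported as an EAP failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user", password="password",
                    expect_failure=True, **cfg)
    dev[0].request("REMOVE_NETWORK all")

    # The remaining failure points are hit mid-exchange, so the connection
    # would only time out; it is enough to wait until the injected allocation
    # failure has been consumed and then tear the network down. The rendered
    # listing dropped the body of the original inline poll loop; the wait is
    # expressed with wait_fail_trigger(), which also fails the test when the
    # trigger is never reached instead of silently moving on.
    for func, password in [("eap_mschapv2_build_challenge", "password"),
                           ("eap_mschapv2_build_success_req", "password"),
                           ("eap_mschapv2_build_failure_req", "wrong")]:
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user", password=password,
                           wait_connect=False, scan_freq="2412", **cfg)
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")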
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "password" carries the simulated SIM credentials (Ki:OPc) used by
    # the internal EAP-SIM implementation; the identity is the IMSI prefixed
    # with the EAP-SIM permanent-identity tag.
    sim = dict(anonymous_identity="1232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_connect(dev[0], hapd, "TTLS", "1232010000000000", **sim)
    eap_reauth(dev[0], "TTLS")
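def run_ext_sim_auth(dev):
    # Complete an EAP-SIM exchange on behalf of wpa_supplicant when
    # external_sim=1 is set: answer the CTRL-REQ-SIM GSM-AUTH request by
    # running the authentication through hlr_auc_gw, then verify that a
    # subsequent EAP reauthentication completes.
    #
    # The "if ev is None:" guards and the "-m" argument of the hlr_auc_gw
    # command (its Milenage database option) are absent from the rendered
    # listing and were restored; confirm against the repository.
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id is the 4th '-' separated field of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]
    # Only the first RAND of the request is used.
    rand = p[2].split(' ')[0]

    # Argument-list form: the RAND taken from the control interface is never
    # interpreted by a shell.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "-m",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    dev.request("REAUTHENTICATE")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
    if ev is None:
        raise Exception("EAP reauthentication did not succeed")
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=5)
    if ev is None:
        raise Exception("Key negotiation did not complete")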
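def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # external_sim is a global wpa_supplicant setting, so it must be reset
    # even when the run fails. The try/finally is absent from the rendered
    # listing (a gap on either side of the helper call) and was restored;
    # confirm against the repository.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")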
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_ttls_eap_sim_ext: connect with EAP-TTLS/EAP-SIM
    # while external_sim=1 and let run_ext_sim_auth() answer the GSM-AUTH
    # request. The caller is responsible for resetting external_sim.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim = dict(eap="TTLS", key_mgmt="WPA-EAP",
               identity="1232010000000000",
               anonymous_identity="1232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="autheap=SIM",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sim)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Simulated SIM credentials (Ki:OPc) are passed in the password field.
    sim = dict(anonymous_identity="1232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], hapd, "PEAP", "1232010000000000", **sim)
    eap_reauth(dev[0], "PEAP")
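def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # external_sim is a global wpa_supplicant setting, so it must be reset
    # even when the run fails. The try/finally is absent from the rendered
    # listing (a gap on either side of the helper call) and was restored;
    # confirm against the repository.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")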
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_peap_eap_sim_ext: connect with EAP-PEAP/EAP-SIM
    # while external_sim=1 and let run_ext_sim_auth() answer the GSM-AUTH
    # request. The caller is responsible for resetting external_sim.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim = dict(eap="PEAP", key_mgmt="WPA-EAP",
               identity="1232010000000000",
               anonymous_identity="1232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sim)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 allows authenticated PAC provisioning; the PAC is
    # kept in a config blob so the reauthentication can reuse it.
    fast = dict(anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_connect(dev[0], hapd, "FAST", "1232010000000000", **fast)
    eap_reauth(dev[0], "FAST")
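def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # external_sim is a global wpa_supplicant setting, so it must be reset
    # even when the run fails. The try/finally is absent from the rendered
    # listing (a gap on either side of the helper call) and was restored;
    # confirm against the repository.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")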
def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    # Body of test_ap_wpa2_eap_fast_eap_sim_ext; the caller is responsible
    # for resetting external_sim.
    # NOTE(review): this helper sets eap="PEAP" with a "@peap" anonymous
    # identity although the FAST-only phase1/pac_file parameters are also
    # given, so it looks like a copy of the PEAP variant rather than an
    # EAP-FAST run - confirm whether eap="FAST" was intended. Behaviour is
    # kept as is here.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    cfg = dict(eap="PEAP", key_mgmt="WPA-EAP",
               identity="1232010000000000",
               anonymous_identity="1232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
               phase1="fast_provisioning=2",
               pac_file="blob://fast_pac_auth_sim",
               ca_cert="auth_serv/ca.pem", phase2="auth=SIM",
               wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **cfg)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    )
    # Simulated USIM credentials (Ki:OPc:SQN) are passed in the password
    # field; the identity is the IMSI with the EAP-AKA permanent-identity tag.
    aka = dict(anonymous_identity="0232010000000000@ttls",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
               ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], hapd, "TTLS", "0232010000000000", **aka)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Simulated USIM credentials (Ki:OPc:SQN) in the password field.
    aka = dict(anonymous_identity="0232010000000000@peap",
               password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
               ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "PEAP", "0232010000000000", **aka)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Authenticated PAC provisioning (fast_provisioning=2) with the PAC kept
    # in a config blob; USIM credentials (Ki:OPc:SQN) in the password field.
    fast = dict(anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "FAST", "0232010000000000", **fast)
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Configuration common to all four runs below.
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], hapd, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Same exchange with a small EAP fragment size to exercise fragmentation.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # "hash:" prefix supplies the NT password hash instead of the cleartext
    # password.
    eap_connect(dev[0], hapd, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password1",
                expect_failure=True, **base)
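def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The backslash in the DOMAIN\user3 identity is written escaped: the
    # original "DOMAIN\user3" relies on "\u" not being an escape in Python 2
    # str literals and is a SyntaxError under Python 3. The runtime value is
    # unchanged.
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")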
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong inner password must end in an EAP failure, not a connection.
    cfg = dict(anonymous_identity="peap", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
               expect_failure=True)
    eap_connect(dev[0], hapd, "PEAP", "user", **cfg)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # PEAPv0 with the given crypto_binding phase1 setting (per
        # wpa_supplicant.conf: 0 = do not use, 1 = optional, 2 = required).
        eap_connect(sta, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    # Required binding on the first station, which also gets a data-path
    # check and a reauthentication.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding on the other two stations.
    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    # With crypto binding required, an allocation failure while the server
    # derives the inner-method key must make the exchange fail; the failure
    # is detected locally on the station side (local_error_report).
    cfg = dict(password="password",
               ca_cert="auth_serv/ca.pem",
               phase1="peapver=0 crypto_binding=2",
               phase2="auth=MSCHAPV2",
               expect_failure=True, local_error_report=True)
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user", **cfg)
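def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # Several lines of this test are absent from the rendered listing and were
    # restored from context: the identity="user" argument of the two
    # stand-alone connect() calls, the "if ev is None:" / "if ev is not None:"
    # guards, the closing scan_freq="2412" of the first loop's connect(), and
    # one entry of the first "tests" list (presumably ("peap-ver1", "") by
    # symmetry with the other entries). Confirm against the repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def wait_or_fail(events, timeout, msg):
        # Wait for one of events on dev[0]; raise msg on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # PEAPv0 with peaplabel=1 is expected to be rejected by this server.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    wait_or_fail(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    eap_connect(dev[1], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP success is reported, but the connection
    # must not complete, so a connected event within a second is an error.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    wait_or_fail(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")

    # The anonymous identity selects the server-side PEAP version; these
    # combinations are expected to negotiate and connect.
    tests = [("peap-ver0", ""),
             ("peap-ver1", ""),
             ("peap-ver0", "peapver=0"),
             ("peap-ver1", "peapver=1")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forcing a PEAP version the server does not offer must end in EAP-Failure.
    tests = [("peap-ver0", "peapver=1"),
             ("peap-ver1", "peapver=0")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        wait_or_fail(["CTRL-EVENT-EAP-FAILURE"], 15, "No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Exercise the TLS phase1 tuning parameters in a single connection.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")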
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters configure the inner (phase 2) EAP-TLS credentials.
    inner_tls = dict(ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                     ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], hapd, "PEAP", "cert user", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain certificate-based authentication with an unencrypted key file.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 key; the passphrase is supplied in the config.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    check_pkcs5_v15_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Legacy PKCS #5 v1.5 encrypted key; skipped above when the TLS library
    # cannot handle it.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
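def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def set_blob(name, path):
        # Config blobs are passed over the control interface hex-encoded.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # The original reported a failure here as "cacert" (copy-paste); the
    # message now names the blob that actually failed.
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")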
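def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    # The "if ev is None:" guard after the wait is absent from the rendered
    # listing and was restored; confirm against the repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Every credential points at a blob that was never set; the method must
    # fail to initialize rather than proceed without a trust root.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="blob://testing-blob-does-not-exist",
                   client_cert="blob://testing-blob-does-not-exist",
                   private_key="blob://testing-blob-does-not-exist",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()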
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the station add the TLS Message Length
    # field even when no fragmentation is needed.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 phase1="include_tls_length=1",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
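def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # Lines the rendered listing dropped were restored from context: the
    # "if ev is None:" guard after the passphrase request and the
    # private_key=pkcs12 argument of the loop's eap_connect() (the loop
    # variable is otherwise unused). Confirm against the repository.
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Without private_key_passwd in the config, wpa_supplicant must ask for
    # the passphrase over the control interface instead of failing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the trailing field of "CTRL-REQ-PASSPHRASE-<id>:...";
    # named req_id so the builtin id() is not shadowed.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        eap_connect(dev[0], hapd, "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()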
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data, what):
        # Config blobs go over the control interface hex-encoded.
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + what + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"), "cacert")
    # The PKCS#12 container is binary, so it is read raw rather than as PEM.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read(), "pkcs12")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
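def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # The "if ev is None:" guards inside the loop are absent from the
    # rendered listing and were restored; confirm against the repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    # The same wrong trust root is supplied two ways: as a config blob on
    # dev[0] and as a file on dev[1]. The identity's backslash is written
    # escaped so the literal is also valid Python 3; the value is unchanged.
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                  password="password", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **common)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **common)

    def wait_or_fail(sta, events, timeout, msg):
        # Wait for one of events on sta; raise msg on timeout.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # The original iterated with "for dev in (dev[0], dev[1])", which
    # rebinds the dev parameter; a distinct loop name is used instead.
    # Expected sequence for a server certificate that does not chain to the
    # configured root: TLS certificate error, EAP failure, disconnection,
    # and finally the network block being temporarily disabled - the
    # station must never reach the connected state.
    for sta in (dev[0], dev[1]):
        wait_or_fail(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                     "Association and EAP start timed out")

        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                          "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                                "CTRL-EVENT-EAP-SUCCESS",
                                "CTRL-EVENT-EAP-FAILURE",
                                "CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wait_or_fail(sta, ["CTRL-EVENT-EAP-SUCCESS",
                                "CTRL-EVENT-EAP-FAILURE",
                                "CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wait_or_fail(sta, ["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], 10,
                          "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        wait_or_fail(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                     "Network block disabling not reported")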
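def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # The "if ev is None:" guard after the PROPOSED-METHOD wait is absent
    # from the rendered listing and was restored; confirm against the
    # repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # First network block trusts the correct CA and connects normally.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block differs only in its (incorrect) trust root; it is only
    # added here and selected explicitly after disconnecting. Named net_id so
    # the builtin id() is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP method 21 is EAP-TTLS: a fresh EAP exchange must start for the
    # new block rather than any cached state being reused.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The server certificate cannot be validated against the new trust root,
    # so the attempt must end in a disconnection with reason code 23
    # (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")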
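def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # The "if ev is None:" guard after the PROPOSED-METHOD wait is absent
    # from the rendered listing and was restored; confirm against the
    # repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # First network block carries no ca_cert at all, so the server
    # certificate is not validated and the connection succeeds.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Second block adds an incorrect trust root; it is only added here and
    # selected explicitly after disconnecting. Named net_id so the builtin
    # id() is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # EAP method 21 is EAP-TTLS: a fresh EAP exchange must start for the
    # new block rather than any cached state being reused.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # With a trust root now configured, validation fails and the attempt
    # must end in a disconnection with reason code 23 (IEEE 802.1X
    # authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")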
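def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # The "if ev is None:" guard after the PROPOSED-METHOD wait is absent
    # from the rendered listing and was restored; confirm against the
    # repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Single network block; named net_id so the builtin id() is not shadowed.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Swap the trust root of the existing block in place and reconnect; the
    # change must take effect on the next attempt.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # EAP method 21 is EAP-TTLS: a fresh EAP exchange must start rather than
    # any cached state being reused.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # Validation against the new trust root fails, so the attempt must end
    # in a disconnection with reason code 23 (IEEE 802.1X authentication
    # failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")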
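def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The "if ev is None:" guards are absent from the rendered listing and
    # were restored; confirm against the repository.
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # The CA is trusted, but the server name must fail the suffix check. The
    # identity's backslash is written escaped so the literal is also valid
    # Python 3; the value is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def wait_or_fail(events, timeout, msg):
        # Wait for one of events on dev[0]; raise msg on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    wait_or_fail(["CTRL-EVENT-EAP-STARTED"], 16,
                 "Association and EAP start timed out")

    ev = wait_or_fail(["CTRL-EVENT-EAP-METHOD"], 10,
                      "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # A trusted CA alone is not enough: the certificate must be rejected on
    # the suffix check, and that specific reason must be what is reported.
    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                       "CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = wait_or_fail(["CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_or_fail(["CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The block is temporarily disabled instead of being retried blindly.
    wait_or_fail(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                 "Network block disabling not reported")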
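def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # The "if ev is None:" guards are absent from the rendered listing and
    # were restored; confirm against the repository.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # The CA is trusted, but the server name must fail the full-domain
    # check. The identity's backslash is written escaped so the literal is
    # also valid Python 3; the value is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def wait_or_fail(events, timeout, msg):
        # Wait for one of events on dev[0]; raise msg on timeout.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    wait_or_fail(["CTRL-EVENT-EAP-STARTED"], 16,
                 "Association and EAP start timed out")

    ev = wait_or_fail(["CTRL-EVENT-EAP-METHOD"], 10,
                      "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # A trusted CA alone is not enough: the certificate must be rejected on
    # the domain check, and that specific reason must be what is reported.
    ev = wait_or_fail(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                       "CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = wait_or_fail(["CTRL-EVENT-EAP-SUCCESS",
                       "CTRL-EVENT-EAP-FAILURE",
                       "CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_or_fail(["CTRL-EVENT-CONNECTED",
                       "CTRL-EVENT-DISCONNECTED"], 10,
                      "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The block is temporarily disabled instead of being retried blindly.
    wait_or_fail(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                 "Network block disabling not reported")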
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    Configures EAP-TTLS with a subject_match value that must not match the
    server certificate and requires the TLS certificate error ("Subject
    mismatch"), EAP failure, disconnection and temporary disabling of the
    network block. With a TLS library that does not support subject_match
    the EAP method fails to initialize instead, which is also accepted.

    NOTE(review): gutter lines 2380, 2385, 2392, 2401, 2412, 2419 and 2425
    are missing from this listing. 2380/2385/2401/2412/2419/2425 sit
    directly before a "timed out"/"not reported" raise and are presumably
    "if ev is None:" guards; 2392 follows the "not supported" logger.info()
    and is presumably an early return. Verify against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # (gutter 2380 missing above)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # (gutter 2385 missing above)
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL is expected to support subject_match (see
        # check_subject_match_support); any other library may refuse the
        # configuration outright, which still keeps the mismatch from
        # being accepted.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # (gutter 2392 missing here; presumably "return")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2401 missing above)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2412 missing above)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2419 missing above)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (gutter 2425 missing above)
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Brings up one AP and then runs
    _test_ap_wpa2_eap_tls_neg_altsubject_match() once per altsubject_match
    value that must NOT match the server certificate's subjectAltName.

    NOTE(review): gutter lines 2435-2437 are missing from this listing:
    the remaining list entries, the closing bracket of `tests` and the loop
    header that binds `match` for the call below. Verify against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
    # (gutter 2435-2437 missing here)
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already started AP.

    `match` is passed straight through as the altsubject_match network
    parameter. The station must report a TLS certificate error with
    "AltSubject mismatch", then EAP failure, disconnection and temporary
    disabling of the network block; with a TLS library that does not
    support altsubject_match, a method initialization failure is accepted
    instead. The network block is removed at the end so the caller can
    loop over several values.

    NOTE(review): gutter lines 2449, 2454, 2461, 2470, 2481, 2488 and 2494
    are missing from this listing. All but 2461 precede a "timed out" /
    "not reported" raise and are presumably "if ev is None:" guards; 2461
    follows the "not supported" logger.info() and is presumably an early
    return. Verify against upstream.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # (gutter 2449 missing above)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # (gutter 2454 missing above)
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL is expected to support altsubject_match (see
        # check_altsubject_match_support).
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # (gutter 2461 missing here; presumably "return")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2470 missing above)
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2481 missing above)
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (gutter 2488 missing above)
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (gutter 2494 missing above)
    raise Exception("Network block disabling not reported")

    # Leave a clean station for the next value in the caller's loop.
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Starts an AP with the default WPA2-Enterprise parameters, completes an
    UNAUTH-TLS authentication with the test CA configured as ca_cert, and
    then runs eap_reauth() for the same method.
    """
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_conf)
    # The CA certificate is still supplied so the server side of the TLS
    # exchange is validated even though the client presents no certificate.
    eap_connect(sta, hapd, "UNAUTH-TLS", "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases, all against the same AP:

    1. ca_cert="probe://" - the station only probes the server certificate
       chain: it must report the CTRL-EVENT-EAP-PEER-CERT depth=0 event
       with hash=<srv_cert_hash>, then abort with a "Server certificate
       chain probe" TLS certificate error and disconnect (it never
       authenticates in probe mode).
    2. ca_cert="hash://server/sha256/<wrong hash>" - pinning to a hash that
       does not match the server certificate must produce a "Server
       certificate mismatch" error.
    3. ca_cert="hash://server/sha256/<srv_cert_hash>" - pinning to the
       correct hash lets the full EAP-TTLS/MSCHAPv2 authentication succeed.

    NOTE(review): gutter lines 2518, 2521, 2526, 2539 and 2542 are missing
    from this listing; each precedes a "timed out"/"not seen" raise and is
    presumably an "if ev is None:" guard. Verify against upstream.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the test server certificate (auth_serv).
    srv_cert_hash = "53728dde442d4adc27cb10a847234a4315590f0b36786353023c3b0f2e9fdf49"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # (gutter 2518 missing above)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    # (gutter 2521 missing above)
    raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # (gutter 2526 missing above)
    raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Wrong pinned hash: must be rejected before any credentials are used.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # (gutter 2539 missing above)
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # (gutter 2542 missing above)
    raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Correct pinned hash: full authentication is expected to succeed.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three stations are given malformed "hash://server/..." ca_cert values:
    dev[0] an unsupported digest ("md5"), dev[1] a sha256 value that is too
    short, dev[2] a sha256 value containing a non-hex character ("Q").
    Each must fail already at EAP method initialization (the TTLS method
    refuses the configuration) rather than proceed with a weaker or
    unverifiable server check.

    NOTE(review): gutter lines 2575 and 2578 are missing inside the loop,
    each before a "timed out"/"Did not report" raise; presumably
    "if ev is None:" guards. Verify against upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        # (gutter 2575 missing above)
        raise Exception("Association and EAP start timed out")
        # "vendor 0 method 21" is the IETF EAP type number for TTLS.
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        # (gutter 2578 missing above)
        raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers a plain EAP-pwd authentication plus reauthentication on dev[0],
    a very long identity on dev[1], a wrong password on dev[2] (expected
    to fail, with the error reported locally) and the long identity again
    on dev[0].

    NOTE(review): gutter lines 2593-2594 and 2602-2603 are missing from
    this listing; they hold the closing argument(s) and parenthesis of the
    two long-identity eap_connect() calls (presumably fragmentation
    settings, given the neighbouring *_as_frag tests, but this copy does
    not show them). Verify against upstream.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # (gutter 2593-2594 missing here: rest of this call)

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # (gutter 2602-2603 missing here: rest of this call)
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" identity must authenticate both with its clear-text
    password and with the equivalent NTHash given as password_hex
    ("hash:..."). The same hash presented for the "pwd user" identity is
    expected to fail, with the error reported locally.
    """
    check_eap_capa(dev[0], "PWD")
    # NTHash (MD4) is not available in FIPS mode.
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Restarts the AP once per pwd_group value and authenticates against
    each. Groups 19/20/21 are the NIST P-256/P-384/P-521 curves and 25/26
    the 192-/224-bit ones; the Brainpool groups 27-30 are only added when
    both the build-time and run-time OpenSSL are 1.0.2. A failure with
    group 25 is tolerated when the TLS library is BoringSSL.

    NOTE(review): gutter lines 2628, 2632, 2638, 2642 and 2645-2647 are
    missing from this listing. 2628 is the loop header that binds `i`
    (presumably over `groups`), 2632/2638 look like a try/except pair
    around the connection attempt, 2642 presumably a "continue" after the
    BoringSSL DISCONNECT, and 2645-2647 the re-raise path for other
    failures. Verify against upstream.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # (gutter 2628 missing here: loop header binding i)
    logger.info("Group %d" % i)
    params['pwd_group'] = str(i)
    hapd = hostapd.add_ap(apdev[0], params)
    # (gutter 2632 missing here; presumably "try:")
    eap_connect(dev[0], hapd, "PWD", "pwd user",
                password="secret password")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # (gutter 2638 missing here; presumably an "except" clause)
    if "BoringSSL" in tls and i in [ 25 ]:
        logger.info("Ignore connection failure with group %d with BoringSSL" % i)
        dev[0].request("DISCONNECT")
        # (gutter 2642 missing here)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].dump_monitor()
    # (gutter 2645-2647 missing here)
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group "0", which is not a valid EAP-pwd
    group, so the station's attempt is expected to end in
    CTRL-EVENT-EAP-FAILURE instead of a connection.

    NOTE(review): gutter line 2660 is missing before the final raise;
    presumably the "if ev is None:" guard. Verify against upstream.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout here, so wait_event()'s default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # (gutter 2660 missing above)
    raise Exception("Timeout on EAP failure report")
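def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with pwd_group "19" and a small fragment_size
    ("40") so that, per the test's purpose, the server side has to
    fragment its EAP-pwd messages; the station must still complete the
    authentication.
    """
    check_eap_capa(dev[0], "PWD")
    # The original code first assigned hostapd.wpa2_eap_params(...) to
    # params and then immediately overwrote it with this literal; the
    # unused call has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")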
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    After a normal EAP-GPSK authentication and reauthentication, the
    network's phase1 parameter is rewritten to force cipher suite 1 and
    then 2 (both must lead to CTRL-EVENT-EAP-SUCCESS), then to the
    unsupported "cipher=9" (must lead to CTRL-EVENT-EAP-FAILURE). Finally
    a key differing in its first byte must be rejected.

    NOTE(review): gutter lines 2686 and 2693 are missing before the two
    "timed out" raises; presumably "if ev is None:" guards. Verify against
    upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # `id` shadows the builtin; it is the network id returned by eap_connect.
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Changing phase1 on the live network is relied on to trigger a
        # new EAP exchange; the test then waits for its result.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (gutter 2686 missing above)
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (gutter 2693 missing above)
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates with the correct 64-hex-digit (32-byte) SAKE key,
    reauthenticates, and then confirms that a key differing in its first
    byte is rejected.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    After a normal EAP-EKE authentication and reauthentication, the
    network's phase1 parameter is rewritten to force several
    dhgroup/encr/prf/mac combinations (each must reach
    CTRL-EVENT-EAP-SUCCESS), then to an all-invalid combination
    ("dhgroup=9 encr=9 prf=9 mac=9", must reach CTRL-EVENT-EAP-FAILURE).
    Finally a wrong password must be rejected.

    NOTE(review): gutter lines 2730 and 2737 are missing before the two
    "timed out" raises; presumably "if ev is None:" guards. Verify against
    upstream.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # `id` shadows the builtin; it is the network id returned by eap_connect.
    id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Changing phase1 on the live network is relied on to trigger a
        # new EAP exchange; the test then waits for its result.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (gutter 2730 missing above)
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (gutter 2737 missing above)
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Repeats an EAP-EKE connection 100 times per station and tallies
    successes and failures. A DISCONNECTED outcome is tolerated (only
    logged) because the RADIUS server's active-session limit can be hit
    during the run. Only executed with --long.

    Note that the `params` argument (test-runner options, read for
    params['long']) is immediately shadowed by the hostapd parameter
    dict; the two are unrelated.

    NOTE(review): gutter lines 2751-2752, 2754, 2762, 2765 and 2771-2773
    are missing from this listing: 2751-2752 presumably initialize the
    `success`/`fail` counters logged at the end, 2754 is the inner loop
    header binding `j`, 2762 presumably the "if ev is None:" guard before
    the raise, 2765 and 2771-2773 presumably the counter updates plus the
    extra delay mentioned in the comment. Verify against upstream.
    """
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # (gutter 2751-2752 missing here)
    for i in range(100):
        # (gutter 2754 missing here: loop header binding j)
        dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                       identity="eke user", password="hello",
                       phase1="dhgroup=3 encr=1 prf=1 mac=1",
                       scan_freq="2412", wait_connect=False)
        ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], timeout=15)
        # (gutter 2762 missing above)
        raise Exception("No connected/disconnected event")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            # (gutter 2765 missing here)
            # The RADIUS server limits on active sessions can be hit when
            # going through this test case, so try to give some more time
            # for the server to remove sessions.
            logger.info("Failed to connect i=%d j=%d" % (i, j))
            dev[j].request("REMOVE_NETWORK all")
            # (gutter 2771-2773 missing here)
        dev[j].request("REMOVE_NETWORK all")
        dev[j].wait_disconnected()
        dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the integrated EAP server configuration with server_id set to an
    NAI-form value and checks that an EAP-EKE authentication completes.
    """
    ap_conf = int_eap_server_params()
    ap_conf['server_id'] = 'example.server@w1.fi'
    ap = hostapd.add_ap(apdev[0], ap_conf)
    sta = dev[0]
    eap_connect(sta, ap, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Fault-injection test: alloc_fail() makes the Nth allocation in the
    named hostapd EAP-EKE server function fail, and the station's
    authentication is expected to fail cleanly each time. Three rounds:
    a table of (count, func) pairs driven through eap_connect() with
    expect_failure, a table of (count, func, pw) triples driven through a
    bare connect() that only waits until the failure has been triggered,
    and a sweep of counts 1..999 over eap_server_sm_step that stops once
    alloc_fail reports "Allocation failure did not trigger".

    Note that `pw` in the third round is whatever the previous loop left
    in it (its last table entry), not a freshly chosen value.

    NOTE(review): gutter lines 2822-2823, 2825, 2827, 2829, 2837-2838,
    2840, 2844 and 2847-2849 are missing from this listing. 2822-2823 and
    2837-2838 look like a polling loop (with sleep) around the
    GET_ALLOC_FAIL check, 2825/2840 presumably "break", 2829 the "try:"
    that the visible "except" belongs to, 2844 presumably "break" inside
    the except, and 2847-2849 the error path when the sweep runs out.
    Verify against upstream.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # (gutter 2822-2823 missing here)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (gutter 2825 missing here)
            # (gutter 2827 missing here)
            dev[0].request("REMOVE_NETWORK all")

    for count in range(1, 1000):
        # (gutter 2829 missing here; presumably "try:")
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # (gutter 2837-2838 missing here)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (gutter 2840 missing here)
            dev[0].request("REMOVE_NETWORK all")
        # Python 2 except syntax.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # (gutter 2844 missing here)
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
            # (gutter 2847-2849 missing here)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Exercises EAP-IKEv2 with the default fragmentation, with
    fragment_size "50", with a wrong password (must fail) and with
    fragment_size "0"; the network block is removed between runs.
    """
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def ikev2_connect(**kwargs):
        # Every run uses the same method and identity; only the password
        # and fragmentation settings vary.
        eap_connect(sta, hapd, "IKEV2", "ikev2 user", **kwargs)

    ikev2_connect(password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    ikev2_connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    ikev2_connect(password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    ikev2_connect(password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
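def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with fragment_size "50" so that, per the test's
    purpose, the server side has to fragment its EAP-IKEv2 messages; the
    station must still authenticate and reauthenticate.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The original code first assigned hostapd.wpa2_eap_params(...) to
    # params and then immediately overwrote it with this literal; the
    # unused call has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")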
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Fault-injection test on the station side: alloc_fail() and
    fail_test() make the named DH helper (dh_init, dh_derive_shared,
    os_get_random inside dh_init) fail during EAP-IKEv2. Each attempt only
    needs to reach method selection and then the injected failure; the
    network is removed afterwards.

    Unlike test_ap_wpa2_eap_psk_oom, which uses wait_fail_trigger(), this
    test polls GET_ALLOC_FAIL / GET_FAIL by hand.

    NOTE(review): gutter lines 2893, 2901, 2903, 2905-2906, 2916, 2918 and
    2920-2921 are missing from this listing. 2893 is another entry of the
    first `tests` list, 2901/2916 presumably "if ev is None:" guards,
    2903/2918 the polling loop header and 2905-2906 / 2920-2921 its
    break/sleep. Verify against upstream.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [ (1, "dh_init"),
              # (gutter 2893 missing here)
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (gutter 2901 missing above)
            raise Exception("EAP method not selected")
            # (gutter 2903 missing here)
            # "0:" in the GET_ALLOC_FAIL reply means the injected failure
            # has been consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                # (gutter 2905-2906 missing here)
            dev[0].request("REMOVE_NETWORK all")

    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (gutter 2916 missing above)
            raise Exception("EAP method not selected")
            # (gutter 2918 missing here)
            if "0:" in dev[0].request("GET_FAIL"):
                # (gutter 2920-2921 missing here)
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates with the correct 32-hex-digit (16-byte) PAX key,
    reauthenticates, and then confirms that a key differing in its first
    byte is rejected.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"
    eap_connect(sta, hapd, "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    Runs EAP-PSK against an AP that offers only the WPA-EAP-SHA256 AKM
    with management frame protection required (ieee80211w "2"). Besides
    the successful authentication and reauthentication, the test pins the
    negotiated AKM through the MIB (00-0f-ac-5, 802.1X with SHA-256) and
    through the BSS flags, and finally checks that a wrong key is rejected.
    """
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_conf["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_conf)

    user = "psk.user@example.com"
    eap_connect(sta, hapd, "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_akm = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")]
    check_mib(sta, expected_akm)

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Fault-injection test on the station's EAP-PSK crypto path. Round one
    uses alloc_fail() on the AES-128-EAX encrypt/decrypt wrappers, round
    two uses fail_test() on the AES-CTR and OMAC1 (CMAC) primitives they
    call, and the last case fails aes_128_encrypt_block and requires an
    explicit CTRL-EVENT-EAP-FAILURE. In the first two rounds the test only
    waits until the injected failure has been triggered
    (wait_fail_trigger) before removing the network.

    NOTE(review): gutter lines 2976, 2999 and 3012 are missing before the
    three "not selected"/"not reported" raises; presumably
    "if ev is None:" guards. Verify against upstream.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (gutter 2976 missing above)
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # "a;b" targets a failure in a only when called from b.
    tests = [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (gutter 2999 missing above)
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # (gutter 3012 missing above)
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    The only WPA (not WPA2) enterprise case in this group: the AP uses
    hostapd.wpa_eap_params() and the MIB check expects the WPA vendor AKM
    selector 00-50-f2-1. After the PEAP/MSCHAPv2 authentication and
    reauthentication, STATUS-VERBOSE must show portControl "Auto" and an
    eap_session_id starting with "19" (0x19 = 25, the EAP-PEAP method
    type, presumably prefixed to the session id - confirm against the
    implementation).

    NOTE(review): gutter line 3025 is missing from this listing; it holds
    the last argument(s) and closing parenthesis of the connect() call
    (the other tests pass scan_freq="2412" there). Verify against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   # (gutter 3025 missing here: rest of this call)
    # rsn=False: this is a WPA (TKIP-era) association, not an RSN one.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each tuple in `tests` is (description, eap, anonymous_identity,
    identity, phase2, identity to supply on request, password to supply on
    request). The network is added without a password (and, for one case,
    without an identity) so wpa_supplicant has to ask via CTRL-REQ-IDENTITY
    / CTRL-REQ-PASSWORD (or CTRL-REQ-OTP); the test answers through the
    matching CTRL-RSP-* command, keyed by the network id parsed from the
    request, and expects the connection to complete.

    `id` and `type` shadow Python builtins here.

    NOTE(review): gutter lines 3049, 3062, 3067, 3069 and 3074 are missing
    from this listing. 3049 is the tail of the first tuple (the
    identity/password-to-supply fields), 3062 is the first line of the
    loop body (presumably logging `desc`), 3067 sits between connect() and
    the identity request - since req_id is None in most tuples and is
    concatenated below, this is presumably a guard such as "if req_id:"
    around the identity exchange - and 3069/3074 are presumably
    "if ev is None:" guards. Verify against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               # (gutter 3049 missing here)
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # (gutter 3062 missing here)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # (gutter 3067 missing here)
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # (gutter 3069 missing above)
        raise Exception("Request for identity timed out")
        # The request line looks like "CTRL-REQ-IDENTITY-<id>:<text>".
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # (gutter 3074 missing above)
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC-style methods ask for an OTP; answer with the matching type.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Adds (but does not enable) an open network "other", then connects to
    the EAP network with identity=None so the identity has to be supplied
    through CTRL-RSP-IDENTITY. Once connected, ENABLE_NETWORK on the open
    network must succeed without the station starting a new
    authentication ("SME: Trying to authenticate" must not appear within
    one second) - i.e. enabling another network block must not disturb
    the established EAP association.

    `hapd` is assigned but not used. `id` shadows the builtin.

    NOTE(review): gutter lines 3098 and 3107 are missing before the two
    raises. 3098 is presumably "if ev is None:"; 3107 must be the inverse
    guard (the raise fires when the event WAS seen), presumably
    "if ev is not None:". Verify against upstream.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # (gutter 3098 missing above)
    raise Exception("Request for identity timed out")
    # The request line looks like "CTRL-REQ-IDENTITY-<id>:<text>".
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # (gutter 3107 missing above)
    raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Authenticates dev[0] with the VENDOR-TEST method, reauthenticates, and
    then runs a second VENDOR-TEST attempt on dev[1].

    NOTE(review): gutter lines 3118-3119 are missing from this listing;
    they hold the remaining arguments and closing parenthesis of the
    dev[1] eap_connect() call, so whether that attempt is expected to
    succeed or fail cannot be read from this copy. Verify against upstream.
    """
    params = hostapd.w
                    (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # (gutter 2822-2823 missing here)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (gutter 2825 missing here)
            # (gutter 2827 missing here)
            dev[0].request("REMOVE_NETWORK all")

    for count in range(1, 1000):
        # (gutter 2829 missing here; presumably "try:")
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # (gutter 2837-2838 missing here)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (gutter 2840 missing here)
            dev[0].request("REMOVE_NETWORK all")
        # Python 2 except syntax.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # (gutter 2844 missing here)
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
            # (gutter 2847-2849 missing here)
3120 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3121 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3122 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3123 hostapd
.add_ap(apdev
[0], params
)
3125 tests
= [ "eap_vendor_test_init",
3126 "eap_msg_alloc;eap_vendor_test_process",
3127 "eap_vendor_test_getKey" ]
3129 with
alloc_fail(dev
[0], 1, func
):
3130 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3132 eap
="VENDOR-TEST", identity
="vendor-test",
3134 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3135 dev
[0].request("REMOVE_NETWORK all")
3136 dev
[0].wait_disconnected()
3138 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev
, apdev
):
3139 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
3140 check_eap_capa(dev
[0], "FAST")
3141 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3142 hapd
= hostapd
.add_ap(apdev
[0], params
)
3143 eap_connect(dev
[0], hapd
, "FAST", "user",
3144 anonymous_identity
="FAST", password
="password",
3145 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3146 phase1
="fast_provisioning=1", pac_file
="blob://fast_pac")
3147 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3148 res
= eap_reauth(dev
[0], "FAST")
3149 if res
['tls_session_reused'] != '1':
3150 raise Exception("EAP-FAST could not use PAC session ticket")
3152 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3153 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3154 check_eap_capa(dev
[0], "FAST")
3155 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3156 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3157 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3158 hapd
= hostapd
.add_ap(apdev
[0], params
)
3161 eap_connect(dev
[0], hapd
, "FAST", "user",
3162 anonymous_identity
="FAST", password
="password",
3163 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3164 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3165 with
open(pac_file
, "r") as f
:
3167 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3168 raise Exception("PAC file header missing")
3169 if "PAC-Key=" not in data
:
3170 raise Exception("PAC-Key missing from PAC file")
3171 dev
[0].request("REMOVE_NETWORK all")
3172 eap_connect(dev
[0], hapd
, "FAST", "user",
3173 anonymous_identity
="FAST", password
="password",
3174 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3177 eap_connect(dev
[1], hapd
, "FAST", "user",
3178 anonymous_identity
="FAST", password
="password",
3179 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3180 phase1
="fast_provisioning=1 fast_pac_format=binary",
3182 dev
[1].request("REMOVE_NETWORK all")
3183 eap_connect(dev
[1], hapd
, "FAST", "user",
3184 anonymous_identity
="FAST", password
="password",
3185 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3186 phase1
="fast_pac_format=binary",
3194 os
.remove(pac_file2
)
3198 def test_ap_wpa2_eap_fast_binary_pac(dev
, apdev
):
3199 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
3200 check_eap_capa(dev
[0], "FAST")
3201 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3202 hapd
= hostapd
.add_ap(apdev
[0], params
)
3203 eap_connect(dev
[0], hapd
, "FAST", "user",
3204 anonymous_identity
="FAST", password
="password",
3205 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3206 phase1
="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
3207 pac_file
="blob://fast_pac_bin")
3208 res
= eap_reauth(dev
[0], "FAST")
3209 if res
['tls_session_reused'] != '1':
3210 raise Exception("EAP-FAST could not use PAC session ticket")
3212 # Verify fast_max_pac_list_len=0 special case
3213 dev
[0].request("REMOVE_NETWORK all")
3214 dev
[0].wait_disconnected()
3215 eap_connect(dev
[0], hapd
, "FAST", "user",
3216 anonymous_identity
="FAST", password
="password",
3217 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3218 phase1
="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
3219 pac_file
="blob://fast_pac_bin")
3221 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3222 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3223 check_eap_capa(dev
[0], "FAST")
3224 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3225 hostapd
.add_ap(apdev
[0], params
)
3227 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3228 identity
="user", anonymous_identity
="FAST",
3229 password
="password",
3230 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3231 pac_file
="blob://fast_pac_not_in_use",
3232 wait_connect
=False, scan_freq
="2412")
3233 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3235 raise Exception("Timeout on EAP failure report")
3236 dev
[0].request("REMOVE_NETWORK all")
3238 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3239 identity
="user", anonymous_identity
="FAST",
3240 password
="password",
3241 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3242 wait_connect
=False, scan_freq
="2412")
3243 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3245 raise Exception("Timeout on EAP failure report")
3247 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3248 """EAP-FAST and binary PAC errors"""
3249 check_eap_capa(dev
[0], "FAST")
3250 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3251 hapd
= hostapd
.add_ap(apdev
[0], params
)
3253 tests
= [ (1, "=eap_fast_save_pac_bin"),
3254 (1, "eap_fast_write_pac"),
3255 (2, "eap_fast_write_pac"), ]
3256 for count
, func
in tests
:
3257 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3258 raise Exception("Could not set blob")
3260 with
alloc_fail(dev
[0], count
, func
):
3261 eap_connect(dev
[0], hapd
, "FAST", "user",
3262 anonymous_identity
="FAST", password
="password",
3263 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3264 phase1
="fast_provisioning=1 fast_pac_format=binary",
3265 pac_file
="blob://fast_pac_bin_errors")
3266 dev
[0].request("REMOVE_NETWORK all")
3267 dev
[0].wait_disconnected()
3269 tests
= [ "00", "000000000000", "6ae4920c0001",
3271 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3272 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3273 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3274 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3276 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3277 raise Exception("Could not set blob")
3279 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3280 identity
="user", anonymous_identity
="FAST",
3281 password
="password",
3282 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3283 phase1
="fast_provisioning=1 fast_pac_format=binary",
3284 pac_file
="blob://fast_pac_bin_errors",
3285 scan_freq
="2412", wait_connect
=False)
3286 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3289 raise Exception("Failure not reported")
3290 dev
[0].request("REMOVE_NETWORK all")
3291 dev
[0].wait_disconnected()
3293 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3294 tests
= [ (1, "eap_fast_load_pac_bin"),
3295 (2, "eap_fast_load_pac_bin"),
3296 (3, "eap_fast_load_pac_bin") ]
3297 for count
, func
in tests
:
3298 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3299 raise Exception("Could not set blob")
3301 with
alloc_fail(dev
[0], count
, func
):
3302 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3303 identity
="user", anonymous_identity
="FAST",
3304 password
="password",
3305 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3306 phase1
="fast_provisioning=1 fast_pac_format=binary",
3307 pac_file
="blob://fast_pac_bin_errors",
3308 scan_freq
="2412", wait_connect
=False)
3309 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3312 raise Exception("Failure not reported")
3313 dev
[0].request("REMOVE_NETWORK all")
3314 dev
[0].wait_disconnected()
3316 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3317 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3318 raise Exception("Could not set blob")
3320 eap_connect(dev
[0], hapd
, "FAST", "user",
3321 anonymous_identity
="FAST", password
="password",
3322 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3323 phase1
="fast_provisioning=1 fast_pac_format=binary",
3324 pac_file
="blob://fast_pac_bin_errors")
3325 dev
[0].request("REMOVE_NETWORK all")
3326 dev
[0].wait_disconnected()
3328 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3329 tests
= [ (1, "eap_fast_pac_get_a_id"),
3330 (2, "eap_fast_pac_get_a_id") ]
3331 for count
, func
in tests
:
3332 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3333 raise Exception("Could not set blob")
3334 with
alloc_fail(dev
[0], count
, func
):
3335 eap_connect(dev
[0], hapd
, "FAST", "user",
3336 anonymous_identity
="FAST", password
="password",
3337 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3338 phase1
="fast_provisioning=1 fast_pac_format=binary",
3339 pac_file
="blob://fast_pac_bin_errors")
3340 dev
[0].request("REMOVE_NETWORK all")
3341 dev
[0].wait_disconnected()
3343 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3344 """EAP-FAST and text PAC errors"""
3345 check_eap_capa(dev
[0], "FAST")
3346 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3347 hostapd
.add_ap(apdev
[0], params
)
3349 tests
= [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3350 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3351 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3352 (1, "eap_fast_parse_start"),
3353 (1, "eap_fast_save_pac") ]
3354 for count
, func
in tests
:
3355 dev
[0].request("FLUSH")
3356 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3357 raise Exception("Could not set blob")
3359 with
alloc_fail(dev
[0], count
, func
):
3360 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3361 identity
="user", anonymous_identity
="FAST",
3362 password
="password",
3363 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3364 phase1
="fast_provisioning=1",
3365 pac_file
="blob://fast_pac_text_errors",
3366 scan_freq
="2412", wait_connect
=False)
3367 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3368 dev
[0].request("REMOVE_NETWORK all")
3369 dev
[0].wait_disconnected()
3371 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3375 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + pac
.encode("hex")):
3376 raise Exception("Could not set blob")
3378 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3379 identity
="user", anonymous_identity
="FAST",
3380 password
="password",
3381 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3382 phase1
="fast_provisioning=1",
3383 pac_file
="blob://fast_pac_text_errors",
3384 scan_freq
="2412", wait_connect
=False)
3385 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3387 raise Exception("Failure not reported")
3388 dev
[0].request("REMOVE_NETWORK all")
3389 dev
[0].wait_disconnected()
3391 dev
[0].request("FLUSH")
3392 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3393 raise Exception("Could not set blob")
3395 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3397 params
= int_eap_server_params()
3398 params
['ssid'] = "test-wpa2-eap-2"
3399 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3400 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3401 params
['eap_fast_a_id_info'] = "test server %d" % i
3403 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3405 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3406 identity
="user", anonymous_identity
="FAST",
3407 password
="password",
3408 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3409 phase1
="fast_provisioning=1",
3410 pac_file
="blob://fast_pac_text_errors",
3411 scan_freq
="2412", wait_connect
=False)
3412 dev
[0].wait_connected()
3413 dev
[0].request("REMOVE_NETWORK all")
3414 dev
[0].wait_disconnected()
3418 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3419 """EAP-FAST and PAC list truncation"""
3420 check_eap_capa(dev
[0], "FAST")
3421 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3422 raise Exception("Could not set blob")
3424 params
= int_eap_server_params()
3425 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3426 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3427 params
['eap_fast_a_id_info'] = "test server %d" % i
3428 hapd
= hostapd
.add_ap(apdev
[0], params
)
3430 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3431 identity
="user", anonymous_identity
="FAST",
3432 password
="password",
3433 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3434 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3435 pac_file
="blob://fast_pac_truncate",
3436 scan_freq
="2412", wait_connect
=False)
3437 dev
[0].wait_connected()
3438 dev
[0].request("REMOVE_NETWORK all")
3439 dev
[0].wait_disconnected()
3443 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3444 """EAP-FAST and PAC refresh"""
3445 check_eap_capa(dev
[0], "FAST")
3446 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3447 raise Exception("Could not set blob")
3449 params
= int_eap_server_params()
3450 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3451 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3452 params
['eap_fast_a_id_info'] = "test server %d" % i
3453 params
['pac_key_refresh_time'] = "1"
3454 params
['pac_key_lifetime'] = "10"
3455 hapd
= hostapd
.add_ap(apdev
[0], params
)
3457 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3458 identity
="user", anonymous_identity
="FAST",
3459 password
="password",
3460 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3461 phase1
="fast_provisioning=1",
3462 pac_file
="blob://fast_pac_refresh",
3463 scan_freq
="2412", wait_connect
=False)
3464 dev
[0].wait_connected()
3465 dev
[0].request("REMOVE_NETWORK all")
3466 dev
[0].wait_disconnected()
3471 params
= int_eap_server_params()
3472 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3473 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3474 params
['eap_fast_a_id_info'] = "test server %d" % i
3475 params
['pac_key_refresh_time'] = "10"
3476 params
['pac_key_lifetime'] = "10"
3477 hapd
= hostapd
.add_ap(apdev
[0], params
)
3479 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3480 identity
="user", anonymous_identity
="FAST",
3481 password
="password",
3482 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3483 phase1
="fast_provisioning=1",
3484 pac_file
="blob://fast_pac_refresh",
3485 scan_freq
="2412", wait_connect
=False)
3486 dev
[0].wait_connected()
3487 dev
[0].request("REMOVE_NETWORK all")
3488 dev
[0].wait_disconnected()
3492 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3493 """EAP-FAST and PAC lifetime"""
3494 check_eap_capa(dev
[0], "FAST")
3495 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3496 raise Exception("Could not set blob")
3499 params
= int_eap_server_params()
3500 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3501 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3502 params
['eap_fast_a_id_info'] = "test server %d" % i
3503 params
['pac_key_refresh_time'] = "0"
3504 params
['pac_key_lifetime'] = "2"
3505 hapd
= hostapd
.add_ap(apdev
[0], params
)
3507 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3508 identity
="user", anonymous_identity
="FAST",
3509 password
="password",
3510 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3511 phase1
="fast_provisioning=2",
3512 pac_file
="blob://fast_pac_refresh",
3513 scan_freq
="2412", wait_connect
=False)
3514 dev
[0].wait_connected()
3515 dev
[0].request("DISCONNECT")
3516 dev
[0].wait_disconnected()
3519 dev
[0].request("PMKSA_FLUSH")
3520 dev
[0].request("RECONNECT")
3521 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3523 raise Exception("No EAP-Failure seen after expired PAC")
3524 dev
[0].request("DISCONNECT")
3525 dev
[0].wait_disconnected()
3527 dev
[0].select_network(id)
3528 dev
[0].wait_connected()
3529 dev
[0].request("REMOVE_NETWORK all")
3530 dev
[0].wait_disconnected()
3532 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev
, apdev
):
3533 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
3534 check_eap_capa(dev
[0], "FAST")
3535 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3536 hapd
= hostapd
.add_ap(apdev
[0], params
)
3537 eap_connect(dev
[0], hapd
, "FAST", "user",
3538 anonymous_identity
="FAST", password
="password",
3539 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3540 phase1
="fast_provisioning=2", pac_file
="blob://fast_pac_auth")
3541 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3542 res
= eap_reauth(dev
[0], "FAST")
3543 if res
['tls_session_reused'] != '1':
3544 raise Exception("EAP-FAST could not use PAC session ticket")
3546 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3547 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3548 check_eap_capa(dev
[0], "FAST")
3549 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3550 hapd
= hostapd
.add_ap(apdev
[0], params
)
3551 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3552 anonymous_identity
="FAST", password
="password",
3553 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3554 phase1
="fast_provisioning=2",
3555 pac_file
="blob://fast_pac_auth")
3556 dev
[0].set_network_quoted(id, "identity", "user2")
3557 dev
[0].wait_disconnected()
3558 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3560 raise Exception("EAP-FAST not started")
3561 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3563 raise Exception("EAP failure not reported")
3564 dev
[0].wait_disconnected()
3566 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3567 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3568 check_eap_capa(dev
[0], "FAST")
3569 tls
= dev
[0].request("GET tls_library")
3570 if tls
.startswith("OpenSSL"):
3571 func
= "tls_connection_get_eap_fast_key"
3573 elif tls
.startswith("internal"):
3574 func
= "tls_connection_prf"
3577 raise HwsimSkip("Unsupported TLS library")
3578 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3579 hapd
= hostapd
.add_ap(apdev
[0], params
)
3580 with
alloc_fail(dev
[0], count
, func
):
3581 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3582 identity
="user", anonymous_identity
="FAST",
3583 password
="password", ca_cert
="auth_serv/ca.pem",
3585 phase1
="fast_provisioning=2",
3586 pac_file
="blob://fast_pac_auth",
3587 wait_connect
=False, scan_freq
="2412")
3588 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3590 raise Exception("EAP failure not reported")
3591 dev
[0].request("DISCONNECT")
3593 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3594 """EAP-FAST/MSCHAPv2 and server OOM"""
3595 check_eap_capa(dev
[0], "FAST")
3597 params
= int_eap_server_params()
3598 params
['dh_file'] = 'auth_serv/dh.conf'
3599 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3600 params
['eap_fast_a_id'] = '1011'
3601 params
['eap_fast_a_id_info'] = 'another test server'
3602 hapd
= hostapd
.add_ap(apdev
[0], params
)
3604 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3605 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3606 anonymous_identity
="FAST", password
="password",
3607 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3608 phase1
="fast_provisioning=1",
3609 pac_file
="blob://fast_pac",
3610 expect_failure
=True)
3611 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3613 raise Exception("No EAP failure reported")
3614 dev
[0].wait_disconnected()
3615 dev
[0].request("DISCONNECT")
3617 dev
[0].select_network(id, freq
="2412")
3619 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3620 """EAP-FAST and different TLS cipher suites"""
3621 check_eap_capa(dev
[0], "FAST")
3622 tls
= dev
[0].request("GET tls_library")
3623 if not tls
.startswith("OpenSSL"):
3624 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
3626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3627 hapd
= hostapd
.add_ap(apdev
[0], params
)
3629 dev
[0].request("SET blob fast_pac_ciphers ")
3630 eap_connect(dev
[0], hapd
, "FAST", "user",
3631 anonymous_identity
="FAST", password
="password",
3632 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3633 phase1
="fast_provisioning=2",
3634 pac_file
="blob://fast_pac_ciphers")
3635 res
= dev
[0].get_status_field('EAP TLS cipher')
3636 dev
[0].request("REMOVE_NETWORK all")
3637 dev
[0].wait_disconnected()
3638 if res
!= "DHE-RSA-AES256-SHA":
3639 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3641 tests
= [ "DHE-RSA-AES128-SHA",
3645 "DHE-RSA-AES256-SHA" ]
3646 for cipher
in tests
:
3647 dev
[0].dump_monitor()
3648 logger
.info("Testing " + cipher
)
3650 eap_connect(dev
[0], hapd
, "FAST", "user",
3651 openssl_ciphers
=cipher
,
3652 anonymous_identity
="FAST", password
="password",
3653 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3654 pac_file
="blob://fast_pac_ciphers")
3655 except Exception, e
:
3656 if "Could not select EAP method" in str(e
) and cipher
== "RC4-SHA":
3657 tls
= dev
[0].request("GET tls_library")
3658 if "run=OpenSSL 1.1" in tls
:
3659 logger
.info("Allow failure due to missing TLS library support")
3660 dev
[0].request("REMOVE_NETWORK all")
3661 dev
[0].wait_disconnected()
3664 res
= dev
[0].get_status_field('EAP TLS cipher')
3665 dev
[0].request("REMOVE_NETWORK all")
3666 dev
[0].wait_disconnected()
3668 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3670 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3671 """EAP-FAST and provisioning options"""
3672 check_eap_capa(dev
[0], "FAST")
3673 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3674 raise Exception("Could not set blob")
3677 params
= int_eap_server_params()
3678 params
['disable_pmksa_caching'] = '1'
3679 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3680 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3681 params
['eap_fast_a_id_info'] = "test server %d" % i
3682 params
['eap_fast_prov'] = "0"
3683 hapd
= hostapd
.add_ap(apdev
[0], params
)
3685 logger
.info("Provisioning attempt while server has provisioning disabled")
3686 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3687 identity
="user", anonymous_identity
="FAST",
3688 password
="password",
3689 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3690 phase1
="fast_provisioning=2",
3691 pac_file
="blob://fast_pac_prov",
3692 scan_freq
="2412", wait_connect
=False)
3693 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3696 raise Exception("EAP result not reported")
3697 if "parameter='failure'" not in ev
:
3698 raise Exception("Unexpected EAP result: " + ev
)
3699 dev
[0].wait_disconnected()
3700 dev
[0].request("DISCONNECT")
3701 dev
[0].dump_monitor()
3704 logger
.info("Authenticated provisioning")
3705 hapd
.set("eap_fast_prov", "2")
3708 dev
[0].select_network(id, freq
="2412")
3709 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3712 raise Exception("EAP result not reported")
3713 if "parameter='success'" not in ev
:
3714 raise Exception("Unexpected EAP result: " + ev
)
3715 dev
[0].wait_connected()
3716 dev
[0].request("DISCONNECT")
3717 dev
[0].wait_disconnected()
3718 dev
[0].dump_monitor()
3721 logger
.info("Provisioning disabled - using previously provisioned PAC")
3722 hapd
.set("eap_fast_prov", "0")
3725 dev
[0].select_network(id, freq
="2412")
3726 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3729 raise Exception("EAP result not reported")
3730 if "parameter='success'" not in ev
:
3731 raise Exception("Unexpected EAP result: " + ev
)
3732 dev
[0].wait_connected()
3733 dev
[0].request("DISCONNECT")
3734 dev
[0].wait_disconnected()
3735 dev
[0].dump_monitor()
3737 logger
.info("Drop PAC and verify connection failure")
3738 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3739 raise Exception("Could not set blob")
3741 dev
[0].select_network(id, freq
="2412")
3742 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3745 raise Exception("EAP result not reported")
3746 if "parameter='failure'" not in ev
:
3747 raise Exception("Unexpected EAP result: " + ev
)
3748 dev
[0].wait_disconnected()
3749 dev
[0].request("DISCONNECT")
3750 dev
[0].dump_monitor()
3753 logger
.info("Anonymous provisioning")
3754 hapd
.set("eap_fast_prov", "1")
3756 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
3757 dev
[0].select_network(id, freq
="2412")
3758 # Anonymous provisioning results in EAP-Failure first
3759 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3762 raise Exception("EAP result not reported")
3763 if "parameter='failure'" not in ev
:
3764 raise Exception("Unexpected EAP result: " + ev
)
3765 dev
[0].wait_disconnected()
3766 # And then the actual data connection
3767 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3770 raise Exception("EAP result not reported")
3771 if "parameter='success'" not in ev
:
3772 raise Exception("Unexpected EAP result: " + ev
)
3773 dev
[0].wait_connected()
3774 dev
[0].request("DISCONNECT")
3775 dev
[0].wait_disconnected()
3776 dev
[0].dump_monitor()
3779 logger
.info("Provisioning disabled - using previously provisioned PAC")
3780 hapd
.set("eap_fast_prov", "0")
3783 dev
[0].select_network(id, freq
="2412")
3784 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3787 raise Exception("EAP result not reported")
3788 if "parameter='success'" not in ev
:
3789 raise Exception("Unexpected EAP result: " + ev
)
3790 dev
[0].wait_connected()
3791 dev
[0].request("DISCONNECT")
3792 dev
[0].wait_disconnected()
3793 dev
[0].dump_monitor()
3795 def test_ap_wpa2_eap_tls_ocsp(dev
, apdev
):
3796 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
3797 check_ocsp_support(dev
[0])
3798 check_pkcs12_support(dev
[0])
3799 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3800 hapd
= hostapd
.add_ap(apdev
[0], params
)
3801 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3802 private_key
="auth_serv/user.pkcs12",
3803 private_key_passwd
="whatever", ocsp
=2)
3805 def test_ap_wpa2_eap_tls_ocsp_multi(dev
, apdev
):
3806 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
3807 check_ocsp_multi_support(dev
[0])
3808 check_pkcs12_support(dev
[0])
3810 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3811 hapd
= hostapd
.add_ap(apdev
[0], params
)
3812 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3813 private_key
="auth_serv/user.pkcs12",
3814 private_key_passwd
="whatever", ocsp
=2)
3816 def int_eap_server_params():
3817 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3818 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3819 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3820 "ca_cert": "auth_serv/ca.pem",
3821 "server_cert": "auth_serv/server.pem",
3822 "private_key": "auth_serv/server.key",
3823 "dh_file": "auth_serv/dh.conf" }
3826 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
3827 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3828 check_ocsp_support(dev
[0])
3829 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
3830 if not os
.path
.exists(ocsp
):
3831 raise HwsimSkip("No OCSP response available")
3832 params
= int_eap_server_params()
3833 params
["ocsp_stapling_response"] = ocsp
3834 hostapd
.add_ap(apdev
[0], params
)
3835 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3836 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3837 private_key
="auth_serv/user.pkcs12",
3838 private_key_passwd
="whatever", ocsp
=2,
3841 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
3842 """EAP-TLS and CA signed OCSP response (good)"""
3843 check_ocsp_support(dev
[0])
3844 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
3845 if not os
.path
.exists(ocsp
):
3846 raise HwsimSkip("No OCSP response available")
3847 params
= int_eap_server_params()
3848 params
["ocsp_stapling_response"] = ocsp
3849 hostapd
.add_ap(apdev
[0], params
)
3850 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3851 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3852 private_key
="auth_serv/user.pkcs12",
3853 private_key_passwd
="whatever", ocsp
=2,
3856 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
3857 """EAP-TLS and CA signed OCSP response (revoked)"""
3858 check_ocsp_support(dev
[0])
3859 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
3860 if not os
.path
.exists(ocsp
):
3861 raise HwsimSkip("No OCSP response available")
3862 params
= int_eap_server_params()
3863 params
["ocsp_stapling_response"] = ocsp
3864 hostapd
.add_ap(apdev
[0], params
)
3865 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3866 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3867 private_key
="auth_serv/user.pkcs12",
3868 private_key_passwd
="whatever", ocsp
=2,
3869 wait_connect
=False, scan_freq
="2412")
3872 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3874 raise Exception("Timeout on EAP status")
3875 if 'bad certificate status response' in ev
:
3877 if 'certificate revoked' in ev
:
3881 raise Exception("Unexpected number of EAP status messages")
3883 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3885 raise Exception("Timeout on EAP failure report")
3887 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
3888 """EAP-TLS and CA signed OCSP response (unknown)"""
3889 check_ocsp_support(dev
[0])
3890 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
3891 if not os
.path
.exists(ocsp
):
3892 raise HwsimSkip("No OCSP response available")
3893 params
= int_eap_server_params()
3894 params
["ocsp_stapling_response"] = ocsp
3895 hostapd
.add_ap(apdev
[0], params
)
3896 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3897 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3898 private_key
="auth_serv/user.pkcs12",
3899 private_key_passwd
="whatever", ocsp
=2,
3900 wait_connect
=False, scan_freq
="2412")
3903 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3905 raise Exception("Timeout on EAP status")
3906 if 'bad certificate status response' in ev
:
3910 raise Exception("Unexpected number of EAP status messages")
3912 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3914 raise Exception("Timeout on EAP failure report")
3916 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
3917 """EAP-TLS and server signed OCSP response

    A stapled response signed by the server certificate itself (not the CA
    or a delegated responder) must be rejected under ocsp=2: expect
    'bad certificate status response' followed by EAP failure.
    """
# NOTE(review): the listing omits original lines 3930-3931, 3933, 3936-3938,
# 3940 and 3942 (gutter gaps), so the None/timeout checks and the loop
# around the wait_event() calls below are not visible here.
3918 check_ocsp_support(dev
[0])
3919 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
3920 if not os
.path
.exists(ocsp
):
3921 raise HwsimSkip("No OCSP response available")
# 'params' is rebound from the fixture to the hostapd configuration.
3922 params
= int_eap_server_params()
3923 params
["ocsp_stapling_response"] = ocsp
3924 hostapd
.add_ap(apdev
[0], params
)
# ocsp=2: stapled response required; the connection is expected to fail.
3925 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3926 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3927 private_key
="auth_serv/user.pkcs12",
3928 private_key_passwd
="whatever", ocsp
=2,
3929 wait_connect
=False, scan_freq
="2412")
3932 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3934 raise Exception("Timeout on EAP status")
3935 if 'bad certificate status response' in ev
:
3939 raise Exception("Unexpected number of EAP status messages")
3941 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3943 raise Exception("Timeout on EAP failure report")
3945 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
3946 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    hostapd staples an OCSP *request* file in place of a response; the
    supplicant must fail to parse it and reject the connection (ocsp=2).
    """
# NOTE(review): the listing omits original lines 3956-3957, 3959, 3962-3964,
# 3966 and 3968 (gutter gaps), so the None/timeout checks and the loop
# around the wait_event() calls below are not visible here.
3947 check_ocsp_support(dev
[0])
3948 params
= int_eap_server_params()
# Deliberately wrong content type: a DER OCSP request, not a response.
3949 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3950 hostapd
.add_ap(apdev
[0], params
)
3951 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3952 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3953 private_key
="auth_serv/user.pkcs12",
3954 private_key_passwd
="whatever", ocsp
=2,
3955 wait_connect
=False, scan_freq
="2412")
3958 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3960 raise Exception("Timeout on EAP status")
3961 if 'bad certificate status response' in ev
:
3965 raise Exception("Unexpected number of EAP status messages")
3967 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3969 raise Exception("Timeout on EAP failure report")
3971 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
3972 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The stapled file is a corrupted cached response; with ocsp=2 the
    supplicant must report 'bad certificate status response' and fail.
    """
# NOTE(review): the listing omits original lines 3982-3983, 3985, 3988-3990,
# 3992 and 3994 (gutter gaps), so the None/timeout checks and the loop
# around the wait_event() calls below are not visible here.
3973 check_ocsp_support(dev
[0])
3974 params
= int_eap_server_params()
3975 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3976 hostapd
.add_ap(apdev
[0], params
)
3977 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3978 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3979 private_key
="auth_serv/user.pkcs12",
3980 private_key_passwd
="whatever", ocsp
=2,
3981 wait_connect
=False, scan_freq
="2412")
3984 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3986 raise Exception("Timeout on EAP status")
3987 if 'bad certificate status response' in ev
:
3991 raise Exception("Unexpected number of EAP status messages")
3993 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3995 raise Exception("Timeout on EAP failure report")
3997 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
3998 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the supplicant cannot tie to
    the issuer; it must not be accepted as a status source (ocsp=2).
    """
# NOTE(review): the listing omits original lines 4008-4009, 4011, 4014-4016,
# 4018 and 4020 (gutter gaps), so the None/timeout checks and the loop
# around the wait_event() calls below are not visible here.
3999 check_ocsp_support(dev
[0])
4000 params
= int_eap_server_params()
4001 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4002 hostapd
.add_ap(apdev
[0], params
)
4003 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4004 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4005 private_key
="auth_serv/user.pkcs12",
4006 private_key_passwd
="whatever", ocsp
=2,
4007 wait_connect
=False, scan_freq
="2412")
4010 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4012 raise Exception("Timeout on EAP status")
4013 if 'bad certificate status response' in ev
:
4017 raise Exception("Unexpected number of EAP status messages")
4019 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4021 raise Exception("Timeout on EAP failure report")
4023 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4024 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    A valid stapled response with status 'revoked' must abort the TLS
    handshake: expect 'bad certificate status response' / 'certificate
    revoked' on the status channel and then EAP failure.
    """
# NOTE(review): the listing omits original lines 4037-4038, 4040, 4043,
# 4045-4047, 4049 and 4051 (gutter gaps), so the None/timeout checks and
# the loop/branch bodies around the wait_event() calls are not visible.
4025 check_ocsp_support(dev
[0])
4026 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4027 if not os
.path
.exists(ocsp
):
4028 raise HwsimSkip("No OCSP response available")
# 'params' is rebound from the fixture to the hostapd configuration.
4029 params
= int_eap_server_params()
4030 params
["ocsp_stapling_response"] = ocsp
4031 hostapd
.add_ap(apdev
[0], params
)
# ocsp=2: stapled response required; PAP inside TTLS never starts because
# the outer TLS handshake is expected to fail.
4032 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4033 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4034 anonymous_identity
="ttls", password
="password",
4035 phase2
="auth=PAP", ocsp
=2,
4036 wait_connect
=False, scan_freq
="2412")
4039 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4041 raise Exception("Timeout on EAP status")
4042 if 'bad certificate status response' in ev
:
4044 if 'certificate revoked' in ev
:
4048 raise Exception("Unexpected number of EAP status messages")
4050 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4052 raise Exception("Timeout on EAP failure report")
4054 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4055 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    With ocsp=2 a stapled response carrying status 'unknown' is not good
    enough: expect 'bad certificate status response' and EAP failure.
    """
# NOTE(review): the listing omits original lines 4068-4069, 4071, 4074-4076,
# 4078 and 4080 (gutter gaps), so the None/timeout checks and the loop
# around the wait_event() calls below are not visible here.
4056 check_ocsp_support(dev
[0])
4057 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4058 if not os
.path
.exists(ocsp
):
4059 raise HwsimSkip("No OCSP response available")
# 'params' is rebound from the fixture to the hostapd configuration.
4060 params
= int_eap_server_params()
4061 params
["ocsp_stapling_response"] = ocsp
4062 hostapd
.add_ap(apdev
[0], params
)
4063 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4064 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4065 anonymous_identity
="ttls", password
="password",
4066 phase2
="auth=PAP", ocsp
=2,
4067 wait_connect
=False, scan_freq
="2412")
4070 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4072 raise Exception("Timeout on EAP status")
4073 if 'bad certificate status response' in ev
:
4077 raise Exception("Unexpected number of EAP status messages")
4079 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4081 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown with optional OCSP

    Same stapled 'unknown' response as test_ap_wpa2_eap_ttls_ocsp_unknown,
    but the client uses ocsp=1 (optional), so connect() is expected to
    complete with the default wait_connect.
    """
    logdir = params['logdir']
    resp_path = os.path.join(logdir, "ocsp-server-cache-unknown.der")
    if not os.path.exists(resp_path):
        raise HwsimSkip("No OCSP response available")

    # From here on 'params' holds the hostapd configuration, not the fixture.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = resp_path
    hostapd.add_ap(apdev[0], params)

    # ocsp=1: request stapling but do not require a good status.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
4096 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4097 """EAP-TLS with intermediate server/user CA

    Both ends chain through an intermediate CA: hostapd serves
    iCA-server/server.pem with the ca-and-root.pem bundle, the client uses
    an iCA-user certificate and its own ca-and-root.pem.
    """
# NOTE(review): the listing omits original lines 4104, 4107, 4112 and
# 4115-4116 (gutter gaps): the condition choosing between the two
# client_cert assignments and the tail of the connect() call are not
# visible here.
4098 params
= int_eap_server_params()
4099 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4100 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4101 params
["private_key"] = "auth_serv/iCA-server/server.key"
4102 hostapd
.add_ap(apdev
[0], params
)
# The TLS library name selects the client certificate file below
# (user_and_ica.pem presumably bundles the intermediate; user.pem is the
# leaf alone) — see the missing condition at line 4104.
4103 tls
= dev
[0].request("GET tls_library")
4105 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4106 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4108 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4109 client_cert
= "auth_serv/iCA-user/user.pem"
4110 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4111 identity
="tls user",
4113 client_cert
=client_cert
,
4114 private_key
="auth_serv/iCA-user/user.key",
4117 def root_ocsp(cert
):
# Produce a root-CA-signed OCSP response for 'cert' using the openssl CLI:
# first write an OCSP request (fn2) for the certificate issued by
# auth_serv/ca.pem, then answer it from the rootCA index, signing with the
# CA key, into a second temp file (fn).
# NOTE(review): the listing omits original lines 4119, 4121-4122, 4129-4131,
# 4135, 4137, 4142, 4146-4148 and 4152-4154 (gutter gaps): descriptor and
# pipe cleanup, the end of the second argument list and the function's
# return value are not visible here.
4118 ca
= "auth_serv/ca.pem"
4120 fd2
, fn2
= tempfile
.mkstemp()
# argv is a list (no shell), so file names are never shell-interpreted.
4123 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4124 "-cert", cert
, "-no_nonce", "-text" ]
4125 logger
.info(' '.join(arg
))
4126 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4127 stderr
=subprocess
.PIPE
)
# NOTE(review): draining stdout to EOF before stderr can block if the child
# fills the stderr pipe first; communicate() reads both concurrently.
4128 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4132 if cmd
.returncode
!= 0:
4133 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4134 logger
.info("OCSP request:\n" + res
)
4136 fd
, fn
= tempfile
.mkstemp()
# The CA itself acts as responder (-rsigner/-rkey); -verify_other and
# -trust_other let openssl accept that signer without a separate chain,
# -ndays 7 sets the nextUpdate window and -resp_no_certs omits the signer
# certificate from the response.
4138 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4139 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4140 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4141 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4143 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4144 stderr
=subprocess
.PIPE
)
4145 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4149 if cmd
.returncode
!= 0:
4150 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4151 logger
.info("OCSP response:\n" + res
)
4155 def ica_ocsp(cert
, md
="-sha256"):
# Produce an intermediate-CA-signed OCSP response for a certificate under
# auth_serv/iCA-server/. 'cert' is a file name relative to that prefix;
# 'md' is the openssl digest option used for the request ("-sha256" or
# "-sha1" from the callers in this file).
# NOTE(review): the listing omits original lines 4159, 4161-4162, 4168-4170,
# 4174, 4176, 4181, 4185-4187 and 4191-4193 (gutter gaps): descriptor and
# pipe cleanup, the end of the second argument list and the return value
# are not visible here.
4156 prefix
= "auth_serv/iCA-server/"
4157 ca
= prefix
+ "cacert.pem"
4158 cert
= prefix
+ cert
4160 fd2
, fn2
= tempfile
.mkstemp()
# 'md' is passed as a single argv element, never through a shell.
4163 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4164 "-cert", cert
, "-no_nonce", "-text" ]
4165 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4166 stderr
=subprocess
.PIPE
)
# NOTE(review): stdout is drained before stderr; communicate() would avoid
# a possible stall if the child writes a lot to stderr.
4167 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4171 if cmd
.returncode
!= 0:
4172 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4173 logger
.info("OCSP request:\n" + res
)
4175 fd
, fn
= tempfile
.mkstemp()
# The intermediate CA is the responder (-rsigner/-rkey from its private
# dir); -trust_other/-verify_other accept it as signer, -ndays 7 sets
# nextUpdate, -resp_no_certs leaves the signer out of the response.
4177 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4178 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4179 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4180 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4182 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4183 stderr
=subprocess
.PIPE
)
4184 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4188 if cmd
.returncode
!= 0:
4189 raise Exception("bad return code from openssl ocsp\n\n" + res
)
4190 logger
.info("OCSP response:\n" + res
)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    Runs the shared intermediate-CA OCSP scenario with the OCSP request
    digest set to SHA-256.
    """
    digest = "-sha256"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate (SHA1)

    Same scenario as the SHA-256 variant, but the OCSP request is built
    with the legacy SHA-1 digest so that path keeps verifying.
    """
    digest = "-sha1"
    run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, digest)
4202 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
# Shared body for the intermediate-CA OCSP tests: hostapd staples a fresh
# response from ica_ocsp() for server.pem (request digest 'md') and the
# client connects with ocsp=2, so the association must succeed only if the
# stapled 'good' status verifies.
# NOTE(review): the listing omits original lines 4209, 4212, 4215, 4220 and
# 4224-4226 (gutter gaps): the condition choosing the client_cert file and
# part of the connect() call are not visible here.
4203 params
= int_eap_server_params()
4204 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4205 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4206 params
["private_key"] = "auth_serv/iCA-server/server.key"
4207 fn
= ica_ocsp("server.pem", md
)
4208 params
["ocsp_stapling_response"] = fn
4210 hostapd
.add_ap(apdev
[0], params
)
4211 tls
= dev
[0].request("GET tls_library")
4213 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4214 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4216 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4217 client_cert
= "auth_serv/iCA-user/user.pem"
# ocsp=2 with the default wait_connect: the test passes only when the
# stapled response is accepted.
4218 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4219 identity
="tls user",
4221 client_cert
=client_cert
,
4222 private_key
="auth_serv/iCA-user/user.key",
4223 scan_freq
="2412", ocsp
=2)
4227 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4228 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
# NOTE(review): the listing omits original line 4230 (gutter gap), i.e. the
# final argument of this call (the digest option) is not visible here.
4229 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4232 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4233 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
# NOTE(review): the listing omits original line 4235 (gutter gap), i.e. the
# final argument of this call (the digest option) is not visible here.
4234 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4237 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
# Shared body for the revoked intermediate-CA tests: hostapd serves
# server-revoked.pem and staples the matching ica_ocsp() response. The
# client uses ocsp=1 (optional), yet an explicit 'revoked' status must
# still abort the handshake: no EAP-Success, a status message, then
# EAP failure.
# NOTE(review): the listing omits original lines 4244, 4247, 4250, 4255,
# 4259-4260, 4263, 4268, 4270-4272, 4274, 4276 and 4280-4282 (gutter
# gaps): the client_cert condition, part of the connect() call, and the
# None/timeout checks and loop/branch bodies around wait_event() are not
# visible here.
4238 params
= int_eap_server_params()
4239 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4240 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4241 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4242 fn
= ica_ocsp("server-revoked.pem", md
)
4243 params
["ocsp_stapling_response"] = fn
4245 hostapd
.add_ap(apdev
[0], params
)
4246 tls
= dev
[0].request("GET tls_library")
4248 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4249 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4251 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4252 client_cert
= "auth_serv/iCA-user/user.pem"
# ocsp=1 (optional) on purpose: the point is that 'revoked' is fatal even
# when stapling is not required.
4253 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4254 identity
="tls user",
4256 client_cert
=client_cert
,
4257 private_key
="auth_serv/iCA-user/user.key",
4258 scan_freq
="2412", ocsp
=1, wait_connect
=False)
# Listening for EAP-SUCCESS as well makes an unexpected acceptance a hard
# failure rather than a timeout.
4261 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4262 "CTRL-EVENT-EAP-SUCCESS"])
4264 raise Exception("Timeout on EAP status")
4265 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4266 raise Exception("Unexpected EAP-Success")
4267 if 'bad certificate status response' in ev
:
4269 if 'certificate revoked' in ev
:
4273 raise Exception("Unexpected number of EAP status messages")
4275 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4277 raise Exception("Timeout on EAP failure report")
4278 dev
[0].request("REMOVE_NETWORK all")
4279 dev
[0].wait_disconnected()
4283 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4284 """EAP-TLS with intermediate server/user CA and OCSP multi missing response

    The client asks for ocsp=3 (a status for every non-trusted certificate
    in the chain) but hostapd only staples the single server-certificate
    response and sets no ocsp_stapling_response_multi; the handshake must
    fail without an EAP-Success.
    """
# NOTE(review): the listing omits original lines 4287, 4294, 4297, 4300,
# 4305, 4309-4310, 4313, 4318, 4320-4322, 4324, 4326 and 4330-4332 (gutter
# gaps): the client_cert condition, part of the connect() call, and the
# None/timeout checks and loop/branch bodies around wait_event() are not
# visible here.
4285 check_ocsp_support(dev
[0])
4286 check_ocsp_multi_support(dev
[0])
4288 params
= int_eap_server_params()
4289 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4290 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4291 params
["private_key"] = "auth_serv/iCA-server/server.key"
# Only the server-certificate response is provided; the intermediate's is
# deliberately missing.
4292 fn
= ica_ocsp("server.pem")
4293 params
["ocsp_stapling_response"] = fn
4295 hostapd
.add_ap(apdev
[0], params
)
4296 tls
= dev
[0].request("GET tls_library")
4298 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4299 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4301 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4302 client_cert
= "auth_serv/iCA-user/user.pem"
4303 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4304 identity
="tls user",
4306 client_cert
=client_cert
,
4307 private_key
="auth_serv/iCA-user/user.key",
4308 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4311 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4312 "CTRL-EVENT-EAP-SUCCESS"])
4314 raise Exception("Timeout on EAP status")
4315 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4316 raise Exception("Unexpected EAP-Success")
4317 if 'bad certificate status response' in ev
:
4319 if 'certificate revoked' in ev
:
4323 raise Exception("Unexpected number of EAP status messages")
4325 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4327 raise Exception("Timeout on EAP failure report")
4328 dev
[0].request("REMOVE_NETWORK all")
4329 dev
[0].wait_disconnected()
4333 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4334 """EAP-TLS with intermediate server/user CA and OCSP multi OK

    Builds an OCSP multi-response (ocsp_stapling_response_multi) holding
    both the server-certificate response and the root-signed response for
    the intermediate, then connects with ocsp=3 and expects success.
    """
# NOTE(review): the listing omits original lines 4337, 4349-4350, 4352,
# 4357-4359, 4361, 4364, 4367, 4372 and 4378-4382 (gutter gaps): the read
# of the second response into resp_ica, the write of resp_ica and the
# close of the multi-response file, and the client_cert condition are not
# visible here.
4335 check_ocsp_support(dev
[0])
4336 check_ocsp_multi_support(dev
[0])
4338 params
= int_eap_server_params()
4339 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4340 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4341 params
["private_key"] = "auth_serv/iCA-server/server.key"
# fn: intermediate-signed status for the server cert; fn2: root-signed
# status for the intermediate CA cert.
4342 fn
= ica_ocsp("server.pem")
4343 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4344 params
["ocsp_stapling_response"] = fn
4346 with
open(fn
, "r") as f
:
4347 resp_server
= f
.read()
4348 with
open(fn2
, "r") as f
:
4351 fd3
, fn3
= tempfile
.mkstemp()
# Multi-response wire format used here: each response is prefixed by its
# length as a 3-byte big-endian integer (low 3 bytes of a packed ">L").
4353 f
= os
.fdopen(fd3
, 'w')
4354 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4355 f
.write(resp_server
)
4356 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4360 params
["ocsp_stapling_response_multi"] = fn3
4362 hostapd
.add_ap(apdev
[0], params
)
4363 tls
= dev
[0].request("GET tls_library")
4365 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4366 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4368 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4369 client_cert
= "auth_serv/iCA-user/user.pem"
# ocsp=3 with the default wait_connect: both chain members need a good
# status for the association to complete.
4370 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4371 identity
="tls user",
4373 client_cert
=client_cert
,
4374 private_key
="auth_serv/iCA-user/user.key",
4375 scan_freq
="2412", ocsp
=3)
4376 dev
[0].request("REMOVE_NETWORK all")
4377 dev
[0].wait_disconnected()
4383 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4384 """EAP-TLS and CA signed OCSP multi response (revoked)

    Assembles a multi-response from pre-generated CA-signed 'unknown' and
    'revoked' responses (plus an empty entry) and checks that the revoked
    entry is honoured even with ocsp=1: no EAP-Success is allowed.
    """
# NOTE(review): the listing omits original lines 4387, 4403, 4415-4416,
# 4425-4426, 4429, 4434, 4436-4438 and 4440-4442 (gutter gaps): the close
# of the multi-response file and the None/timeout checks and loop/branch
# bodies around wait_event() are not visible here.
4385 check_ocsp_support(dev
[0])
4386 check_ocsp_multi_support(dev
[0])
4388 ocsp_revoked
= os
.path
.join(params
['logdir'],
4389 "ocsp-resp-ca-signed-revoked.der")
4390 if not os
.path
.exists(ocsp_revoked
):
4391 raise HwsimSkip("No OCSP response (revoked) available")
4392 ocsp_unknown
= os
.path
.join(params
['logdir'],
4393 "ocsp-resp-ca-signed-unknown.der")
4394 if not os
.path
.exists(ocsp_unknown
):
4395 raise HwsimSkip("No OCSP response(unknown) available")
4397 with
open(ocsp_revoked
, "r") as f
:
4398 resp_revoked
= f
.read()
4399 with
open(ocsp_unknown
, "r") as f
:
4400 resp_unknown
= f
.read()
4402 fd
, fn
= tempfile
.mkstemp()
4404 # This is not really a valid order of the OCSPResponse items in the
4405 # list, but this works for now to verify parsing and processing of
4406 # multiple responses.
# Each entry is a 3-byte big-endian length (low bytes of ">L") followed by
# the DER response; the zero-length entry exercises the empty-item path.
4407 f
= os
.fdopen(fd
, 'w')
4408 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4409 f
.write(resp_unknown
)
4410 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4411 f
.write(resp_revoked
)
4412 f
.write(struct
.pack(">L", 0)[1:4])
4413 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4414 f
.write(resp_unknown
)
# 'params' is rebound from the fixture to the hostapd configuration
# ('logdir' was already read above).
4417 params
= int_eap_server_params()
4418 params
["ocsp_stapling_response_multi"] = fn
4419 hostapd
.add_ap(apdev
[0], params
)
# ocsp=1 (optional): a 'revoked' status must still be fatal.
4420 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4421 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4422 private_key
="auth_serv/user.pkcs12",
4423 private_key_passwd
="whatever", ocsp
=1,
4424 wait_connect
=False, scan_freq
="2412")
4427 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4428 "CTRL-EVENT-EAP-SUCCESS"])
4430 raise Exception("Timeout on EAP status")
4431 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4432 raise Exception("Unexpected EAP-Success")
4433 if 'bad certificate status response' in ev
:
4435 if 'certificate revoked' in ev
:
4439 raise Exception("Unexpected number of EAP status messages")
4443 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4444 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so domain_suffix_match must
    fall back to the subject CN; here the full name server3.w1.fi is given.
    """
# NOTE(review): the listing omits original lines 4455-4456 (gutter gap), so
# the tail of the connect() call is not visible here.
# check_domain_match_full() skips unless the TLS library is OpenSSL.
4445 check_domain_match_full(dev
[0])
4446 params
= int_eap_server_params()
4447 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4448 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4449 hostapd
.add_ap(apdev
[0], params
)
4450 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4451 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4452 private_key
="auth_serv/user.pkcs12",
4453 private_key_passwd
="whatever",
4454 domain_suffix_match
="server3.w1.fi",
4457 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4458 """WPA2-Enterprise using EAP-TLS and domain match (CN)

    Full-name domain_match against a server certificate without a dNSName
    SAN, so the subject CN (server3.w1.fi) is what must match.
    """
# NOTE(review): the listing omits original lines 4469-4470 (gutter gap), so
# the tail of the connect() call is not visible here.
# check_domain_match() skips for the internal TLS implementation.
4459 check_domain_match(dev
[0])
4460 params
= int_eap_server_params()
4461 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4462 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4463 hostapd
.add_ap(apdev
[0], params
)
4464 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4465 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4466 private_key
="auth_serv/user.pkcs12",
4467 private_key_passwd
="whatever",
4468 domain_match
="server3.w1.fi",
4471 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4472 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Suffix-only match (w1.fi) against the CN of a certificate that carries
    no dNSName SAN; note this variant connects from dev[1].
    """
# NOTE(review): the listing omits original lines 4483-4484 (gutter gap), so
# the tail of the connect() call is not visible here.
4473 check_domain_match_full(dev
[0])
4474 params
= int_eap_server_params()
4475 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4476 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4477 hostapd
.add_ap(apdev
[0], params
)
4478 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4479 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4480 private_key
="auth_serv/user.pkcs12",
4481 private_key_passwd
="whatever",
4482 domain_suffix_match
="w1.fi",
4485 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4486 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two negative cases against the CN server3.w1.fi: an unrelated domain
    (example.com) and a suffix that matches as a substring but not on a
    label boundary (erver3.w1.fi). Both must end in EAP failure.
    """
# NOTE(review): the listing omits original lines 4497-4498, 4504-4505, 4507
# and 4510 (gutter gaps): the tails of both connect() calls and the None
# checks after the wait_event() calls are not visible here.
4487 check_domain_suffix_match(dev
[0])
4488 params
= int_eap_server_params()
4489 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4490 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4491 hostapd
.add_ap(apdev
[0], params
)
4492 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4493 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4494 private_key
="auth_serv/user.pkcs12",
4495 private_key_passwd
="whatever",
4496 domain_suffix_match
="example.com",
# "erver3.w1.fi" is a substring of the CN but not a label-aligned suffix;
# accepting it would make suffix matching trivially bypassable.
4499 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4500 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4501 private_key
="auth_serv/user.pkcs12",
4502 private_key_passwd
="whatever",
4503 domain_suffix_match
="erver3.w1.fi",
4506 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4508 raise Exception("Timeout on EAP failure report")
4509 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4511 raise Exception("Timeout on EAP failure report (2)")
4513 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4514 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match requires an exact name: both an unrelated domain
    (example.com) and the parent domain (w1.fi) of CN server3.w1.fi must
    be rejected with EAP failure.
    """
# NOTE(review): the listing omits original lines 4525-4526, 4532-4533, 4535
# and 4538 (gutter gaps): the tails of both connect() calls and the None
# checks after the wait_event() calls are not visible here.
4515 check_domain_match(dev
[0])
4516 params
= int_eap_server_params()
4517 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4518 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4519 hostapd
.add_ap(apdev
[0], params
)
4520 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4521 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4522 private_key
="auth_serv/user.pkcs12",
4523 private_key_passwd
="whatever",
4524 domain_match
="example.com",
# Parent domain only — a suffix match would pass, a full match must not.
4527 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4528 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4529 private_key
="auth_serv/user.pkcs12",
4530 private_key_passwd
="whatever",
4531 domain_match
="w1.fi",
4534 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4536 raise Exception("Timeout on EAP failure report")
4537 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4539 raise Exception("Timeout on EAP failure report (2)")
4541 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4542 """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate; the supplicant must emit
    CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 / 'certificate has
    expired' and then EAP failure.
    """
# NOTE(review): the listing omits original lines 4551-4552, 4554 and 4559
# (gutter gaps): the tail of the connect() call and the None checks after
# the wait_event() calls are not visible here.
4543 skip_with_fips(dev
[0])
4544 params
= int_eap_server_params()
4545 params
["server_cert"] = "auth_serv/server-expired.pem"
4546 params
["private_key"] = "auth_serv/server-expired.key"
4547 hostapd
.add_ap(apdev
[0], params
)
4548 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4549 identity
="mschap user", password
="password",
4550 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4553 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4555 raise Exception("Timeout on EAP certificate error report")
# Both the numeric reason and the text are checked so a different
# validation error cannot satisfy the test.
4556 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4557 raise Exception("Unexpected failure reason: " + ev
)
4558 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4560 raise Exception("Timeout on EAP failure report")
4562 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4563 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but phase1 tls_disable_time_checks=1 disables the validity-period
    check, so the connection is expected to complete.
    """
# NOTE(review): the listing omits original lines 4573-4574 (gutter gap), so
# the tail of the connect() call is not visible here.
4564 skip_with_fips(dev
[0])
4565 params
= int_eap_server_params()
4566 params
["server_cert"] = "auth_serv/server-expired.pem"
4567 params
["private_key"] = "auth_serv/server-expired.key"
4568 hostapd
.add_ap(apdev
[0], params
)
# tls_disable_time_checks=1 is a per-network relaxation of certificate
# validation; this test only confirms the option is honoured.
4569 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4570 identity
="mschap user", password
="password",
4571 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4572 phase1
="tls_disable_time_checks=1",
4575 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4576 """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Server certificate with an unusually long validity period; the
    connection is expected to succeed (validity-time handling must not
    overflow or reject it).
    """
# NOTE(review): the listing omits original lines 4585-4586 (gutter gap), so
# the tail of the connect() call is not visible here.
4577 skip_with_fips(dev
[0])
4578 params
= int_eap_server_params()
4579 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4580 params
["private_key"] = "auth_serv/server-long-duration.key"
4581 hostapd
.add_ap(apdev
[0], params
)
4582 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4583 identity
="mschap user", password
="password",
4584 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4587 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4588 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only the client-authentication EKU, so
    it must be refused as a server certificate: expect EAP failure.
    """
# NOTE(review): the listing omits original lines 4597-4598 and 4600 (gutter
# gaps): the tail of the connect() call and the None check after
# wait_event() are not visible here.
4589 skip_with_fips(dev
[0])
4590 params
= int_eap_server_params()
4591 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4592 params
["private_key"] = "auth_serv/server-eku-client.key"
4593 hostapd
.add_ap(apdev
[0], params
)
4594 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4595 identity
="mschap user", password
="password",
4596 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4599 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4601 raise Exception("Timeout on EAP failure report")
4603 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4604 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: a certificate carrying both
    EKUs is acceptable for the server role, so connect() should succeed.
    """
# NOTE(review): the listing omits original lines 4613-4614 (gutter gap), so
# the tail of the connect() call is not visible here.
4605 skip_with_fips(dev
[0])
4606 params
= int_eap_server_params()
4607 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4608 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4609 hostapd
.add_ap(apdev
[0], params
)
4610 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4611 identity
="mschap user", password
="password",
4612 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4615 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4616 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads certificate and key from one PKCS#12 container
    (server_cert removed, private_key points at the .pkcs12 file).
    """
# NOTE(review): the listing omits original lines 4625-4626 (gutter gap), so
# the tail of the connect() call is not visible here.
4617 skip_with_fips(dev
[0])
4618 params
= int_eap_server_params()
# No separate server_cert: the container supplies both cert and key.
4619 del params
["server_cert"]
4620 params
["private_key"] = "auth_serv/server.pkcs12"
4621 hostapd
.add_ap(apdev
[0], params
)
4622 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4623 identity
="mschap user", password
="password",
4624 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4627 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4628 """EAP-TTLS and server PKCS#12 file with extra certs

    Like test_ap_wpa2_eap_ttls_server_pkcs12, but the container is
    password-protected and carries additional certificates.
    """
# NOTE(review): the listing omits original lines 4638-4639 (gutter gap), so
# the tail of the connect() call is not visible here.
4629 skip_with_fips(dev
[0])
4630 params
= int_eap_server_params()
4631 del params
["server_cert"]
4632 params
["private_key"] = "auth_serv/server-extra.pkcs12"
# Test-fixture container password.
4633 params
["private_key_passwd"] = "whatever"
4634 hostapd
.add_ap(apdev
[0], params
)
4635 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4636 identity
="mschap user", password
="password",
4637 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and client-side DH params (dh_file)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # The supplicant loads its DH parameters from dh_file.
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Presumably skips when the TLS library cannot use DSA parameters;
    # see check_dh_dsa_support.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_args)
4659 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4660 """EAP-TTLS and DH params file not found

    Client-side dh_file points at a non-existent file; the supplicant must
    report EAP failure instead of connecting.
    """
# NOTE(review): this module defines test_ap_wpa2_eap_ttls_dh_params_not_found
# a second time further down (the server-side variant); that later
# definition shadows this one, so this client-side test is not reachable
# under its name.
# NOTE(review): the listing omits original line 4670 (gutter gap), i.e. the
# None check after wait_event() is not visible here.
4661 skip_with_fips(dev
[0])
4662 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4663 hostapd
.add_ap(apdev
[0], params
)
4664 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4665 identity
="mschap user", password
="password",
4666 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4667 dh_file
="auth_serv/dh-no-such-file.conf",
4668 scan_freq
="2412", wait_connect
=False)
4669 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4671 raise Exception("EAP failure timed out")
4672 dev
[0].request("REMOVE_NETWORK all")
4673 dev
[0].wait_disconnected()
4675 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4676 """EAP-TTLS and invalid DH params file

    Client-side dh_file points at a CA certificate rather than DH
    parameters; the supplicant must report EAP failure.
    """
# NOTE(review): this module defines test_ap_wpa2_eap_ttls_dh_params_invalid
# a second time further down (the server-side variant); that later
# definition shadows this one, so this client-side test is not reachable
# under its name.
# NOTE(review): the listing omits original line 4686 (gutter gap), i.e. the
# None check after wait_event() is not visible here.
4677 skip_with_fips(dev
[0])
4678 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4679 hostapd
.add_ap(apdev
[0], params
)
4680 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4681 identity
="mschap user", password
="password",
4682 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4683 dh_file
="auth_serv/ca.pem",
4684 scan_freq
="2412", wait_connect
=False)
4685 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4687 raise Exception("EAP failure timed out")
4688 dev
[0].request("REMOVE_NETWORK all")
4689 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    dh_pem = read_pem("auth_serv/dh2.conf")
    # The parameters are handed to the supplicant over the control interface
    # as a hex-encoded blob and then referenced by the blob:// URI.
    # NOTE: str.encode("hex") is the Python 2 codec spelling; Python 3 would
    # need binascii.hexlify() here.
    reply = dev[0].request("SET blob dhparams " + dh_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="blob://dhparams")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    ap_params = int_eap_server_params()
    # Server-side DH parameters come from hostapd's dh_file option.
    ap_params.update(dh_file="auth_serv/dh2.conf")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    ap_params = int_eap_server_params()
    # DSA parameter file supplied as the server's dh_file.
    ap_params.update(dh_file="auth_serv/dsaparam.pem")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd is added without enabling it; ENABLE must fail because the
    configured dh_file does not exist.
    """
    # NOTE(review): this name is also defined earlier in the module (the
    # client-side variant); this later definition shadows that one.
    ap_params = int_eap_server_params()
    ap_params.update(dh_file="auth_serv/dh-no-such-file.conf")
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    dh_file points at a CA certificate instead of DH parameters; hostapd
    must refuse to ENABLE with this configuration.
    """
    # NOTE(review): this name is also defined earlier in the module (the
    # client-side variant); this later definition shadows that one.
    ap_params = int_eap_server_params()
    ap_params.update(dh_file="auth_serv/ca.pem")
    hapd = hostapd.add_ap(apdev[0], ap_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
4737 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4738 """WPA2-Enterprise and Authenticator forcing reauthentication

    hostapd is configured with a 2-second eap_reauth_period; after the
    initial EAP-PAX connection the test waits for a new EAP-STARTED and
    EAP-SUCCESS and then for wpa_state to return to COMPLETED.
    """
# NOTE(review): the listing omits original lines 4746, 4749, 4754-4755 and
# 4758 (gutter gaps): the None checks after the two wait_event() calls and
# the body of the polling loop (break / sleep) are not visible here.
4739 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
# Short reauthentication period so the Authenticator re-runs EAP quickly.
4740 params
['eap_reauth_period'] = '2'
4741 hapd
= hostapd
.add_ap(apdev
[0], params
)
4742 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4743 password_hex
="0123456789abcdef0123456789abcdef")
4744 logger
.info("Wait for reauthentication")
4745 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4747 raise Exception("Timeout on reauthentication")
4748 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4750 raise Exception("Timeout on reauthentication")
# Poll (up to 20 iterations) for the supplicant state machine to settle.
4751 for i
in range(0, 20):
4752 state
= dev
[0].get_status_field("wpa_state")
4753 if state
== "COMPLETED":
4756 if state
!= "COMPLETED":
4757 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # hostapd eap_message: displayable text followed by an attribute list;
    # the literal "\0" sequence is written into the config unchanged
    # (confirm the separator semantics against hostapd.conf).
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    # Authentication vectors come from the external hlr_auc_gw helper.
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: enable the protected success/failure result indication.
    params['eap_sim_aka_result_ind'] = "1"
    hapd = hostapd.add_ap(apdev[0], params)

    # One run per method: (EAP method, identity, password). The same
    # credentials are used by both stations within a run.
    cases = [("SIM", "1232010000000000",
              "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
             ("AKA", "0232010000000000",
              "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
             ("AKA'", "6555444333222111",
              "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Drop the previous method's network profiles before switching.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] asks for the protected result indication (phase1) and then
        # goes through a reauthentication with it in place.
        eap_connect(dev[0], hapd, method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        # dev[1] authenticates without requesting the result indication.
        eap_connect(dev[1], hapd, method, identity, password=password)
4802 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4803 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4804 check_hlr_auc_gw_support()
4805 params
= int_eap_server_params()
4806 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4807 params
['eap_sim_db_timeout'] = "0"
4808 params
['disable_pmksa_caching'] = '1'
4809 hapd
= hostapd
.add_ap(apdev
[0], params
)
4811 # Run multiple iterations to make it more likely to hit the case where the
4812 # DB request times out and response is lost.
4814 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4815 identity
="1232010000000000",
4816 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4817 wait_connect
=False, scan_freq
="2412")
4818 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4819 "CTRL-EVENT-DISCONNECTED" ],
4822 raise Exception("No connection result")
4823 dev
[0].request("REMOVE_NETWORK all")
4824 if "CTRL-EVENT-DISCONNECTED" in ev
:
4826 dev
[0].wait_disconnected()
4829 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4830 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4831 skip_with_fips(dev
[0])
4832 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4833 hostapd
.add_ap(apdev
[0], params
)
4834 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4835 eap
="TTLS", identity
="mschap user",
4836 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4837 anonymous_identity
="ttls", password
="password",
4838 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4840 ev
= dev
[0].wait_event(["EAP: more than",
4841 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4842 if ev
is None or "EAP: more than" not in ev
:
4843 raise Exception("EAP roundtrip limit not reached")
4845 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4846 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4847 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4848 hostapd
.add_ap(apdev
[0], params
)
4849 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4850 eap
="PSK", identity
="vendor-test",
4851 password_hex
="ff23456789abcdef0123456789abcdef",
4855 for i
in range(0, 5):
4856 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4858 raise Exception("Association and EAP start timed out")
4859 if "refuse proposed method" in ev
:
4863 raise Exception("Unexpected EAP status: " + ev
)
4865 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4867 raise Exception("EAP failure timed out")
4869 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4870 """WPA2-Enterprise connection using SQLite for user DB"""
4871 skip_with_fips(dev
[0])
4875 raise HwsimSkip("No sqlite3 module available")
4876 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4881 con
= sqlite3
.connect(dbfile
)
4884 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4885 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4886 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4887 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4888 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4889 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4890 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4891 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4894 params
= int_eap_server_params()
4895 params
["eap_user_file"] = "sqlite:" + dbfile
4896 hapd
= hostapd
.add_ap(apdev
[0], params
)
4897 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4898 anonymous_identity
="ttls", password
="password",
4899 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4900 dev
[0].request("REMOVE_NETWORK all")
4901 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4902 anonymous_identity
="ttls", password
="password",
4903 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4904 dev
[1].request("REMOVE_NETWORK all")
4905 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4906 anonymous_identity
="ttls", password
="password",
4907 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4908 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4909 anonymous_identity
="ttls", password
="password",
4910 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4914 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4915 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4916 params
= int_eap_server_params()
4917 hostapd
.add_ap(apdev
[0], params
)
4918 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4919 identity
="\x80", password
="password", wait_connect
=False)
4920 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4921 identity
="a\x80", password
="password", wait_connect
=False)
4922 for i
in range(0, 2):
4923 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4925 raise Exception("Association and EAP start timed out")
4926 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4928 raise Exception("EAP method selection timed out")
4930 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4931 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4932 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4933 hostapd
.add_ap(apdev
[0], params
)
4934 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4935 identity
="\x80", password
="password", wait_connect
=False)
4936 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4937 identity
="a\x80", password
="password", wait_connect
=False)
4938 for i
in range(0, 2):
4939 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4941 raise Exception("Association and EAP start timed out")
4942 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4944 raise Exception("EAP method selection timed out")
4946 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4947 """OpenSSL cipher suite configuration on wpa_supplicant"""
4948 tls
= dev
[0].request("GET tls_library")
4949 if not tls
.startswith("OpenSSL"):
4950 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4951 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4952 hapd
= hostapd
.add_ap(apdev
[0], params
)
4953 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4954 anonymous_identity
="ttls", password
="password",
4955 openssl_ciphers
="AES128",
4956 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4957 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4958 anonymous_identity
="ttls", password
="password",
4959 openssl_ciphers
="EXPORT",
4960 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4961 expect_failure
=True, maybe_local_error
=True)
4962 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4963 identity
="pap user", anonymous_identity
="ttls",
4964 password
="password",
4965 openssl_ciphers
="FOO",
4966 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4968 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4970 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4971 dev
[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # The openssl_ciphers values below are OpenSSL cipher-list syntax, so
    # both the supplicant and hostapd must be built against OpenSSL.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    params = int_eap_server_params()
    # Server-side cipher policy restricted to AES256 suites.
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # Common EAP-TTLS/PAP network parameters shared by the three stations.
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # dev[0]: default client cipher list, expected to complete.
    eap_connect(dev[0], hapd, "TTLS", "pap user", **ttls_pap)
    # dev[1]: client limited to AES128 against an AES256-only server;
    # the handshake is expected to fail.
    eap_connect(dev[1], hapd, "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    # dev[2]: HIGH:!ADH on the client is expected to complete.
    eap_connect(dev[2], hapd, "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)

    # An unparseable cipher string must be rejected when the AP is enabled.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
    res = hapd2.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid openssl_ciphers value accepted")
5002 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
5003 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5004 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5005 hapd
= hostapd
.add_ap(apdev
[0], p
)
5006 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5007 pid
= find_wpas_process(dev
[0])
5008 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
5009 anonymous_identity
="ttls", password
=password
,
5010 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5011 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5012 # event has been delivered, so verify that wpa_supplicant has returned to
5013 # eloop before reading process memory.
5016 buf
= read_process_memory(pid
, password
)
5018 dev
[0].request("DISCONNECT")
5019 dev
[0].wait_disconnected()
5027 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5028 for l
in f
.readlines():
5029 if "EAP-TTLS: Derived key - hexdump" in l
:
5030 val
= l
.strip().split(':')[3].replace(' ', '')
5031 msk
= binascii
.unhexlify(val
)
5032 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
5033 val
= l
.strip().split(':')[3].replace(' ', '')
5034 emsk
= binascii
.unhexlify(val
)
5035 if "WPA: PMK - hexdump" in l
:
5036 val
= l
.strip().split(':')[3].replace(' ', '')
5037 pmk
= binascii
.unhexlify(val
)
5038 if "WPA: PTK - hexdump" in l
:
5039 val
= l
.strip().split(':')[3].replace(' ', '')
5040 ptk
= binascii
.unhexlify(val
)
5041 if "WPA: Group Key - hexdump" in l
:
5042 val
= l
.strip().split(':')[3].replace(' ', '')
5043 gtk
= binascii
.unhexlify(val
)
5044 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5045 raise Exception("Could not find keys from debug log")
5047 raise Exception("Unexpected GTK length")
5053 fname
= os
.path
.join(params
['logdir'],
5054 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5056 logger
.info("Checking keys in memory while associated")
5057 get_key_locations(buf
, password
, "Password")
5058 get_key_locations(buf
, pmk
, "PMK")
5059 get_key_locations(buf
, msk
, "MSK")
5060 get_key_locations(buf
, emsk
, "EMSK")
5061 if password
not in buf
:
5062 raise HwsimSkip("Password not found while associated")
5064 raise HwsimSkip("PMK not found while associated")
5066 raise Exception("KCK not found while associated")
5068 raise Exception("KEK not found while associated")
5070 # raise Exception("TK found from memory")
5072 logger
.info("Checking keys in memory after disassociation")
5073 buf
= read_process_memory(pid
, password
)
5075 # Note: Password is still present in network configuration
5076 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5078 get_key_locations(buf
, password
, "Password")
5079 get_key_locations(buf
, pmk
, "PMK")
5080 get_key_locations(buf
, msk
, "MSK")
5081 get_key_locations(buf
, emsk
, "EMSK")
5082 verify_not_present(buf
, kck
, fname
, "KCK")
5083 verify_not_present(buf
, kek
, fname
, "KEK")
5084 verify_not_present(buf
, tk
, fname
, "TK")
5086 get_key_locations(buf
, gtk
, "GTK")
5087 verify_not_present(buf
, gtk
, fname
, "GTK")
5089 dev
[0].request("PMKSA_FLUSH")
5090 dev
[0].set_network_quoted(id, "identity", "foo")
5091 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5092 buf
= read_process_memory(pid
, password
)
5093 get_key_locations(buf
, password
, "Password")
5094 get_key_locations(buf
, pmk
, "PMK")
5095 get_key_locations(buf
, msk
, "MSK")
5096 get_key_locations(buf
, emsk
, "EMSK")
5097 verify_not_present(buf
, pmk
, fname
, "PMK")
5099 dev
[0].request("REMOVE_NETWORK all")
5101 logger
.info("Checking keys in memory after network profile removal")
5102 buf
= read_process_memory(pid
, password
)
5104 get_key_locations(buf
, password
, "Password")
5105 get_key_locations(buf
, pmk
, "PMK")
5106 get_key_locations(buf
, msk
, "MSK")
5107 get_key_locations(buf
, emsk
, "EMSK")
5108 verify_not_present(buf
, password
, fname
, "password")
5109 verify_not_present(buf
, pmk
, fname
, "PMK")
5110 verify_not_present(buf
, kck
, fname
, "KCK")
5111 verify_not_present(buf
, kek
, fname
, "KEK")
5112 verify_not_present(buf
, tk
, fname
, "TK")
5113 verify_not_present(buf
, gtk
, fname
, "GTK")
5114 verify_not_present(buf
, msk
, fname
, "MSK")
5115 verify_not_present(buf
, emsk
, fname
, "EMSK")
5117 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5118 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5119 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5120 hapd
= hostapd
.add_ap(apdev
[0], params
)
5121 bssid
= apdev
[0]['bssid']
5122 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5123 anonymous_identity
="ttls", password
="password",
5124 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5126 # Send unexpected WEP EAPOL-Key; this gets dropped
5127 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5129 raise Exception("EAPOL_RX to wpa_supplicant failed")
5131 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5132 """WPA2-EAP and wpas interface in a bridge"""
5136 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5138 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5139 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5140 subprocess
.call(['brctl', 'delbr', br_ifname
])
5141 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5143 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5144 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5145 hapd
= hostapd
.add_ap(apdev
[0], params
)
5149 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5150 subprocess
.call(['brctl', 'addbr', br_ifname
])
5151 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5152 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5153 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5154 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5155 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5158 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5159 password_hex
="0123456789abcdef0123456789abcdef")
5161 eap_reauth(wpas
, "PAX")
5163 # Try again as a regression test for packet socket workaround
5164 eap_reauth(wpas
, "PAX")
5166 wpas
.request("DISCONNECT")
5167 wpas
.wait_disconnected()
5169 wpas
.request("RECONNECT")
5170 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Sanity check on GET_CONFIG: the first AKM advertised must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # phase1 tls_disable_session_ticket=0 keeps the TLS session ticket
    # extension enabled on the supplicant for this EAP-TTLS connection.
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Reauthenticate once the initial TTLS session has been established.
    eap_reauth(dev[0], "TTLS")
5186 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5187 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5188 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5189 hapd
= hostapd
.add_ap(apdev
[0], params
)
5190 key_mgmt
= hapd
.get_config()['key_mgmt']
5191 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5192 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5193 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5194 anonymous_identity
="ttls", password
="password",
5195 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5197 eap_reauth(dev
[0], "TTLS")
5199 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5200 """EAP-TLS and server checking CRL"""
5201 params
= int_eap_server_params()
5202 params
['check_crl'] = '1'
5203 hapd
= hostapd
.add_ap(apdev
[0], params
)
5205 # check_crl=1 and no CRL available --> reject connection
5206 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5207 client_cert
="auth_serv/user.pem",
5208 private_key
="auth_serv/user.key", expect_failure
=True)
5209 dev
[0].request("REMOVE_NETWORK all")
5212 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5215 # check_crl=1 and valid CRL --> accept
5216 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5217 client_cert
="auth_serv/user.pem",
5218 private_key
="auth_serv/user.key")
5219 dev
[0].request("REMOVE_NETWORK all")
5222 hapd
.set("check_crl", "2")
5225 # check_crl=2 and valid CRL --> accept
5226 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5227 client_cert
="auth_serv/user.pem",
5228 private_key
="auth_serv/user.key")
5229 dev
[0].request("REMOVE_NETWORK all")
5231 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5232 """EAP-TLS and OOM"""
5233 check_subject_match_support(dev
[0])
5234 check_altsubject_match_support(dev
[0])
5235 check_domain_match(dev
[0])
5236 check_domain_match_full(dev
[0])
5238 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5239 hostapd
.add_ap(apdev
[0], params
)
5241 tests
= [ (1, "tls_connection_set_subject_match"),
5242 (2, "tls_connection_set_subject_match"),
5243 (3, "tls_connection_set_subject_match"),
5244 (4, "tls_connection_set_subject_match") ]
5245 for count
, func
in tests
:
5246 with
alloc_fail(dev
[0], count
, func
):
5247 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5248 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5249 client_cert
="auth_serv/user.pem",
5250 private_key
="auth_serv/user.key",
5251 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5252 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5253 domain_suffix_match
="server.w1.fi",
5254 domain_match
="server.w1.fi",
5255 wait_connect
=False, scan_freq
="2412")
5256 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5257 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5259 raise Exception("No passphrase request")
5260 dev
[0].request("REMOVE_NETWORK all")
5261 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 selects the external (RADIUS-based) MAC address ACL mode
    # in hostapd.conf; the EAP-TLS connection from dev[1] is expected to
    # complete with this mode enabled.
    params["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[1], hapd, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
5272 def test_ap_wpa2_eap_oom(dev
, apdev
):
5273 """EAP server and OOM"""
5274 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5275 hapd
= hostapd
.add_ap(apdev
[0], params
)
5276 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5278 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5279 # The first attempt fails, but STA will send EAPOL-Start to retry and
5281 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5282 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5283 client_cert
="auth_serv/user.pem",
5284 private_key
="auth_serv/user.key",
5287 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5288 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5289 client_cert
="auth_serv/user.pem",
5290 private_key
="auth_serv/user.key",
5292 ver
= dev
.get_status_field("eap_tls_version")
5294 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5296 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5297 """EAP-TLS and TLS version configuration"""
5298 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5299 hapd
= hostapd
.add_ap(apdev
[0], params
)
5301 tls
= dev
[0].request("GET tls_library")
5302 if tls
.startswith("OpenSSL"):
5303 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5304 check_tls_ver(dev
[0], hapd
,
5305 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5307 elif tls
.startswith("internal"):
5308 check_tls_ver(dev
[0], hapd
,
5309 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5310 check_tls_ver(dev
[1], hapd
,
5311 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5312 check_tls_ver(dev
[2], hapd
,
5313 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5315 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5316 """RSN element protocol testing for EAP cases on STA side"""
5317 bssid
= apdev
[0]['bssid']
5318 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5319 # This is the RSN element used normally by hostapd
5320 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5321 hapd
= hostapd
.add_ap(apdev
[0], params
)
5322 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5323 identity
="gpsk user",
5324 password
="abcdefghijklmnop0123456789abcdef",
5327 tests
= [ ('No RSN Capabilities field',
5328 '30120100000fac040100000fac040100000fac01'),
5329 ('No AKM Suite fields',
5330 '300c0100000fac040100000fac04'),
5331 ('No Pairwise Cipher Suite fields',
5332 '30060100000fac04'),
5333 ('No Group Data Cipher Suite field',
5335 for txt
,ie
in tests
:
5336 dev
[0].request("DISCONNECT")
5337 dev
[0].wait_disconnected()
5340 hapd
.set('own_ie_override', ie
)
5342 dev
[0].request("BSS_FLUSH 0")
5343 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5344 dev
[0].select_network(id, freq
=2412)
5345 dev
[0].wait_connected()
5347 dev
[0].request("DISCONNECT")
5348 dev
[0].wait_disconnected()
5349 dev
[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends use OpenSSL.

    The AP (hostapd) is queried first, then the station (wpa_supplicant);
    the first non-OpenSSL answer raises HwsimSkip with a message naming
    which side lacks support.
    """
    checks = [(hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: ")]
    for ctrl, reason in checks:
        tls = ctrl.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            continue
        raise HwsimSkip(reason + tls)
5360 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5361 """EAP-TTLS/PAP session resumption"""
5362 params
= int_eap_server_params()
5363 params
['tls_session_lifetime'] = '60'
5364 hapd
= hostapd
.add_ap(apdev
[0], params
)
5365 check_tls_session_resumption_capa(dev
[0], hapd
)
5366 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5367 anonymous_identity
="ttls", password
="password",
5368 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5370 if dev
[0].get_status_field("tls_session_reused") != '0':
5371 raise Exception("Unexpected session resumption on the first connection")
5373 dev
[0].request("REAUTHENTICATE")
5374 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5376 raise Exception("EAP success timed out")
5377 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5379 raise Exception("Key handshake with the AP timed out")
5380 if dev
[0].get_status_field("tls_session_reused") != '1':
5381 raise Exception("Session resumption not used on the second connection")
5383 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5384 """EAP-TTLS/CHAP session resumption"""
5385 params
= int_eap_server_params()
5386 params
['tls_session_lifetime'] = '60'
5387 hapd
= hostapd
.add_ap(apdev
[0], params
)
5388 check_tls_session_resumption_capa(dev
[0], hapd
)
5389 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5390 anonymous_identity
="ttls", password
="password",
5391 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5392 if dev
[0].get_status_field("tls_session_reused") != '0':
5393 raise Exception("Unexpected session resumption on the first connection")
5395 dev
[0].request("REAUTHENTICATE")
5396 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5398 raise Exception("EAP success timed out")
5399 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5401 raise Exception("Key handshake with the AP timed out")
5402 if dev
[0].get_status_field("tls_session_reused") != '1':
5403 raise Exception("Session resumption not used on the second connection")
5405 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5406 """EAP-TTLS/MSCHAP session resumption"""
5407 check_domain_suffix_match(dev
[0])
5408 params
= int_eap_server_params()
5409 params
['tls_session_lifetime'] = '60'
5410 hapd
= hostapd
.add_ap(apdev
[0], params
)
5411 check_tls_session_resumption_capa(dev
[0], hapd
)
5412 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5413 anonymous_identity
="ttls", password
="password",
5414 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5415 domain_suffix_match
="server.w1.fi")
5416 if dev
[0].get_status_field("tls_session_reused") != '0':
5417 raise Exception("Unexpected session resumption on the first connection")
5419 dev
[0].request("REAUTHENTICATE")
5420 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5422 raise Exception("EAP success timed out")
5423 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5425 raise Exception("Key handshake with the AP timed out")
5426 if dev
[0].get_status_field("tls_session_reused") != '1':
5427 raise Exception("Session resumption not used on the second connection")
5429 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5430 """EAP-TTLS/MSCHAPv2 session resumption"""
5431 check_domain_suffix_match(dev
[0])
5432 check_eap_capa(dev
[0], "MSCHAPV2")
5433 params
= int_eap_server_params()
5434 params
['tls_session_lifetime'] = '60'
5435 hapd
= hostapd
.add_ap(apdev
[0], params
)
5436 check_tls_session_resumption_capa(dev
[0], hapd
)
5437 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5438 anonymous_identity
="ttls", password
="password",
5439 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5440 domain_suffix_match
="server.w1.fi")
5441 if dev
[0].get_status_field("tls_session_reused") != '0':
5442 raise Exception("Unexpected session resumption on the first connection")
5444 dev
[0].request("REAUTHENTICATE")
5445 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5447 raise Exception("EAP success timed out")
5448 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5450 raise Exception("Key handshake with the AP timed out")
5451 if dev
[0].get_status_field("tls_session_reused") != '1':
5452 raise Exception("Session resumption not used on the second connection")
5454 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5455 """EAP-TTLS/EAP-GTC session resumption"""
5456 params
= int_eap_server_params()
5457 params
['tls_session_lifetime'] = '60'
5458 hapd
= hostapd
.add_ap(apdev
[0], params
)
5459 check_tls_session_resumption_capa(dev
[0], hapd
)
5460 eap_connect(dev
[0], hapd
, "TTLS", "user",
5461 anonymous_identity
="ttls", password
="password",
5462 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5463 if dev
[0].get_status_field("tls_session_reused") != '0':
5464 raise Exception("Unexpected session resumption on the first connection")
5466 dev
[0].request("REAUTHENTICATE")
5467 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5469 raise Exception("EAP success timed out")
5470 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5472 raise Exception("Key handshake with the AP timed out")
5473 if dev
[0].get_status_field("tls_session_reused") != '1':
5474 raise Exception("Session resumption not used on the second connection")
5476 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5477 """EAP-TTLS session resumption disabled on server"""
5478 params
= int_eap_server_params()
5479 params
['tls_session_lifetime'] = '0'
5480 hapd
= hostapd
.add_ap(apdev
[0], params
)
5481 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5482 anonymous_identity
="ttls", password
="password",
5483 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5485 if dev
[0].get_status_field("tls_session_reused") != '0':
5486 raise Exception("Unexpected session resumption on the first connection")
5488 dev
[0].request("REAUTHENTICATE")
5489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5491 raise Exception("EAP success timed out")
5492 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5494 raise Exception("Key handshake with the AP timed out")
5495 if dev
[0].get_status_field("tls_session_reused") != '0':
5496 raise Exception("Unexpected session resumption on the second connection")
5498 def test_eap_peap_session_resumption(dev
, apdev
):
5499 """EAP-PEAP session resumption"""
5500 params
= int_eap_server_params()
5501 params
['tls_session_lifetime'] = '60'
5502 hapd
= hostapd
.add_ap(apdev
[0], params
)
5503 check_tls_session_resumption_capa(dev
[0], hapd
)
5504 eap_connect(dev
[0], hapd
, "PEAP", "user",
5505 anonymous_identity
="peap", password
="password",
5506 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5507 if dev
[0].get_status_field("tls_session_reused") != '0':
5508 raise Exception("Unexpected session resumption on the first connection")
5510 dev
[0].request("REAUTHENTICATE")
5511 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5513 raise Exception("EAP success timed out")
5514 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5516 raise Exception("Key handshake with the AP timed out")
5517 if dev
[0].get_status_field("tls_session_reused") != '1':
5518 raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Same flow as test_eap_peap_session_resumption, but the peer is forced
    to PEAPv0 with crypto_binding=2 (binding required), so the resumed
    session must still complete the crypto-binding exchange.
    """
    hparams = int_eap_server_params()
    hparams['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], hparams)
    check_tls_session_resumption_capa(dev[0], hapd)

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    def reauthenticate():
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    reauthenticate()
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    Without tls_session_lifetime in the server configuration a
    REAUTHENTICATE must perform a full TLS handshake again
    (tls_session_reused stays '0').
    """
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Full handshake on the first association, then two consecutive
    REAUTHENTICATE rounds that are both expected to resume the cached TLS
    session (tls_session_reused '1').
    """
    hparams = int_eap_server_params()
    hparams['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], hparams)
    check_tls_session_resumption_capa(dev[0], hapd)

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    def reauthenticate():
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    for ordinal in ("second", "third"):
        reauthenticate()
        if reused() != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)
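def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration

    With tls_session_lifetime set to one second, a REAUTHENTICATE issued
    after the lifetime has passed must fall back to a full TLS handshake
    (tls_session_reused '0'); a resumed session at that point would mean
    the server is honoring an expired cache entry.
    """
    import time

    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # exactly when the lifetime passes; stop at the first full (non-resumed)
    # handshake.
    # NOTE(review): retry bound and per-attempt delay reconstructed — confirm
    # against the reference test.
    for _ in range(10):
        time.sleep(1.2)
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            break
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")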
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    Server has no tls_session_lifetime, so the REAUTHENTICATE must run a
    full TLS handshake (tls_session_reused stays '0').
    """
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    A second hostapd instance on apdev[1] acts as the RADIUS/EAP server;
    the AP on apdev[0] only proxies EAP to it. The TLS session cache
    therefore lives on the authentication server, and the resumption
    indication must still reach the station.
    """
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  # NOTE(review): this line was unreadable in the copy under
                  # review and is reconstructed — confirm.
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same split AP / RADIUS-server setup as
    test_eap_tls_session_resumption_radius, but with tls_session_lifetime
    "0" on the server, so the REAUTHENTICATE must not resume.
    """
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  # NOTE(review): this line was unreadable in the copy under
                  # review and is reconstructed — confirm.
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    def reused():
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Injects function failures (fail_test) and allocation failures
    (alloc_fail) into the peer's MSCHAPv2 code paths and verifies that each
    injected point is actually reached while the attempt is torn down
    without completing.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa-eap"))

    def teardown():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def attempt(injector, count, func, trigger, **net):
        # Arm the injector, start the connection without waiting for it to
        # complete, then confirm the injected failure point was hit.
        with injector(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                           wait_connect=False, scan_freq="2412", **net)
            wait_fail_trigger(dev[0], trigger)
            teardown()

    # Baseline: the same credentials authenticate successfully.
    # NOTE(review): one connect() keyword was unreadable in the copy under
    # review; scan_freq="2412" matches every other connect in this test.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    teardown()

    # Plaintext password: hash / response derivation and RNG failures.
    # "nt_password_hash;=mschapv2_derive_response" appears twice in the
    # original list; both entries are kept.
    pw_cases = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                (1, "nt_password_hash;mschapv2_derive_response"),
                (1, "nt_password_hash;=mschapv2_derive_response"),
                (1, "generate_nt_response;mschapv2_derive_response"),
                (1, "generate_authenticator_response;mschapv2_derive_response"),
                (1, "nt_password_hash;=mschapv2_derive_response"),
                (1, "get_master_key;mschapv2_derive_response"),
                (1, "os_get_random;eap_mschapv2_challenge_reply")]
    for count, func in pw_cases:
        attempt(fail_test, count, func, "GET_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="password")

    # NT password hash supplied instead of the plaintext password.
    hash_cases = [(1, "hash_nt_password_hash;mschapv2_derive_response"),
                  (1, "hash_nt_password_hash;=mschapv2_derive_response"),
                  (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
                  (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
    for count, func in hash_cases:
        attempt(fail_test, count, func, "GET_FAIL", eap="MSCHAPV2",
                identity="phase1-user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    alloc_cases = [(1, "eap_mschapv2_init"),
                   (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
                   (1, "eap_msg_alloc;eap_mschapv2_success"),
                   (1, "eap_mschapv2_getKey")]
    for count, func in alloc_cases:
        attempt(alloc_fail, count, func, "GET_ALLOC_FAIL", eap="MSCHAPV2",
                identity="phase1-user", password="password")

    # The Failure-Response path is only reached with a rejected password.
    attempt(alloc_fail, 1, "eap_msg_alloc;eap_mschapv2_failure",
            "GET_ALLOC_FAIL", eap="MSCHAPV2",
            identity="phase1-user", password="wrong password")

    # MSCHAPv2 running as the inner method of EAP-FAST: later
    # eap_mschapv2_init allocations (counts 2 and 3).
    for count in (2, 3):
        attempt(alloc_fail, count, "eap_mschapv2_init", "GET_ALLOC_FAIL",
                eap="FAST", anonymous_identity="FAST", identity="user",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2", phase1="fast_provisioning=1",
                pac_file="blob://fast_pac")
5791 def test_eap_gpsk_errors(dev
, apdev
):
5792 """EAP-GPSK error cases"""
5793 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5794 hapd
= hostapd
.add_ap(apdev
[0], params
)
5795 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5796 identity
="gpsk user",
5797 password
="abcdefghijklmnop0123456789abcdef",
5799 dev
[0].request("REMOVE_NETWORK all")
5800 dev
[0].wait_disconnected()
5802 tests
= [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5803 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5805 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5807 (1, "eap_gpsk_derive_keys_helper", None),
5808 (2, "eap_gpsk_derive_keys_helper", None),
5809 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5811 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5813 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5814 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5815 (1, "eap_gpsk_derive_mid_helper", None) ]
5816 for count
, func
, phase1
in tests
:
5817 with
fail_test(dev
[0], count
, func
):
5818 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5819 identity
="gpsk user",
5820 password
="abcdefghijklmnop0123456789abcdef",
5822 wait_connect
=False, scan_freq
="2412")
5823 wait_fail_trigger(dev
[0], "GET_FAIL")
5824 dev
[0].request("REMOVE_NETWORK all")
5825 dev
[0].wait_disconnected()
5827 tests
= [ (1, "eap_gpsk_init"),
5828 (2, "eap_gpsk_init"),
5829 (3, "eap_gpsk_init"),
5830 (1, "eap_gpsk_process_id_server"),
5831 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5832 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5833 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5834 (1, "eap_gpsk_derive_keys"),
5835 (1, "eap_gpsk_derive_keys_helper"),
5836 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5837 (1, "eap_gpsk_getKey"),
5838 (1, "eap_gpsk_get_emsk"),
5839 (1, "eap_gpsk_get_session_id") ]
5840 for count
, func
in tests
:
5841 with
alloc_fail(dev
[0], count
, func
):
5842 dev
[0].request("ERP_FLUSH")
5843 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5844 identity
="gpsk user@domain", erp
="1",
5845 password
="abcdefghijklmnop0123456789abcdef",
5846 wait_connect
=False, scan_freq
="2412")
5847 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5848 dev
[0].request("REMOVE_NETWORK all")
5849 dev
[0].wait_disconnected()
5851 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
5852 """EAP-SIM DB error cases"""
5853 sockpath
= '/tmp/hlr_auc_gw.sock-test'
5858 hparams
= int_eap_server_params()
5859 hparams
['eap_sim_db'] = 'unix:' + sockpath
5860 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
5862 # Initial test with hlr_auc_gw socket not available
5863 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5864 eap
="SIM", identity
="1232010000000000",
5865 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5866 scan_freq
="2412", wait_connect
=False)
5867 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5869 raise Exception("EAP-Failure not reported")
5870 dev
[0].wait_disconnected()
5871 dev
[0].request("DISCONNECT")
5873 # Test with invalid responses and response timeout
5875 class test_handler(SocketServer
.DatagramRequestHandler
):
5877 data
= self
.request
[0].strip()
5878 socket
= self
.request
[1]
5879 logger
.debug("Received hlr_auc_gw request: " + data
)
5880 # EAP-SIM DB: Failed to parse response string
5881 socket
.sendto("FOO", self
.client_address
)
5882 # EAP-SIM DB: Failed to parse response string
5883 socket
.sendto("FOO 1", self
.client_address
)
5884 # EAP-SIM DB: Unknown external response
5885 socket
.sendto("FOO 1 2", self
.client_address
)
5886 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
5888 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
5891 dev
[0].select_network(id)
5892 server
.handle_request()
5893 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5895 raise Exception("EAP-Failure not reported")
5896 dev
[0].wait_disconnected()
5897 dev
[0].request("DISCONNECT")
5899 # Test with a valid response
5901 class test_handler2(SocketServer
.DatagramRequestHandler
):
5903 data
= self
.request
[0].strip()
5904 socket
= self
.request
[1]
5905 logger
.debug("Received hlr_auc_gw request: " + data
)
5906 fname
= os
.path
.join(params
['logdir'],
5907 'hlr_auc_gw.milenage_db')
5908 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
5910 stdout
=subprocess
.PIPE
)
5911 res
= cmd
.stdout
.read().strip()
5913 logger
.debug("hlr_auc_gw response: " + res
)
5914 socket
.sendto(res
, self
.client_address
)
5916 server
.RequestHandlerClass
= test_handler2
5918 dev
[0].select_network(id)
5919 server
.handle_request()
5920 dev
[0].wait_connected()
5921 dev
[0].request("DISCONNECT")
5922 dev
[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server certificate chain signed with SHA-512; dev[0] presents the
    SHA-512-signed user certificate and dev[1] the SHA-384-signed one, both
    under the same CA.
    """
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], hparams)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user sha512",
                  ca_cert="auth_serv/sha512-ca.pem",
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key", **common)
    dev[1].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key", **common)
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Same CA as test_eap_tls_sha512 but the server certificate is the
    SHA-384-signed one; both user certificates must still validate.
    """
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], hparams)

    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user sha512",
                  ca_cert="auth_serv/sha512-ca.pem",
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key", **common)
    dev[1].connect("test-wpa2-eap",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key", **common)
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Overrides the RSN IE the station puts in its (Re)Association Request
    and checks that the AP accepts truncated-but-valid variants and rejects
    unsupported ciphers / PMF policy violations with the expected 802.11
    status code.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    pmf_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    pmf_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], pmf_params)

    gpsk = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                password="abcdefghijklmnop0123456789abcdef",
                scan_freq="2412")

    def expect_accept(ssid, title, ie, **extra):
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, **dict(gpsk, **extra))
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    def expect_reject(ssid, title, ie, status, **extra):
        logger.info(title)
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect(ssid, wait_connect=False, **dict(gpsk, **extra))
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Success cases with optional RSN IE fields removed one by one
    for title, ie in [
            ("Normal wpa_supplicant assoc req RSN IE",
             "30140100000fac040100000fac040100000fac010000"),
            ("Extra PMKIDCount field in RSN IE",
             "30160100000fac040100000fac040100000fac0100000000"),
            ("Extra Group Management Cipher Suite in RSN IE",
             "301a0100000fac040100000fac040100000fac0100000000000fac06"),
            ("Extra undefined extension field in RSN IE",
             "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
            ("RSN IE without RSN Capabilities",
             "30120100000fac040100000fac040100000fac01"),
            ("RSN IE without AKM", "300c0100000fac040100000fac04"),
            ("RSN IE without pairwise", "30060100000fac04"),
            ("RSN IE without group", "30020100")]:
        expect_accept("test-wpa2-eap", title, ie)

    # PMF-required AP: station advertises MFPC|MFPR (cc00 capabilities).
    for title, ie in [
            ("Normal wpa_supplicant assoc req RSN IE",
             "30140100000fac040100000fac040100000fac01cc00"),
            ("Group management cipher included in assoc req RSN IE",
             "301a0100000fac040100000fac040100000fac01cc000000000fac06")]:
        expect_accept("test-wpa2-eap-11w", title, ie, ieee80211w="1")

    # Unsupported ciphers: 000fac02 (TKIP) is not enabled on this AP.
    for title, ie, status in [
            ("Invalid group cipher", "30060100000fac02", 41),
            ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]:
        expect_reject("test-wpa2-eap", title, ie, status)

    # PMF policy violations against the ieee80211w=2 AP.
    for title, ie, status in [
            ("Management frame protection not enabled",
             "30140100000fac040100000fac040100000fac010000", 31),
            ("Unsupported management group cipher",
             "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31)]:
        expect_reject("test-wpa2-eap-11w", title, ie, status, ieee80211w="1")
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation

    ca_cert is configured, so the peer's own chain validation runs in
    addition to the external check exercised by run_ext_cert_check().
    """
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1",
                            scan_freq="2412", only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation

    No ca_cert is configured here: the server certificate is accepted or
    rejected solely by the external CTRL-REQ-EXT_CERT_CHECK response that
    run_ext_cert_check() provides.
    """
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1",
                            scan_freq="2412", only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation

    ca_cert is configured, so internal chain validation and the external
    check both apply.
    """
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1",
                            scan_freq="2412", only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation

    Uses authenticated provisioning (fast_provisioning=2) with an empty
    PAC blob so that a real TLS handshake with the server certificate takes
    place; ca_cert is configured, so internal validation also runs.
    """
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC so no previously provisioned PAC can short-cut
    # the server-authenticated handshake.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412", only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
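def ext_cert_check_parse_peer_cert(ev):
    """Extract (depth, DER bytes) from a CTRL-EVENT-EAP-PEER-CERT event.

    ev: the event line, a space-separated list of key=value tokens.
    Returns (depth, der) where depth is an int and der the unhexlified
    certificate, or (None, None) if either the depth= or cert= token is
    missing or the cert= value is empty.
    """
    depth = None
    cert = None
    for token in ev.split(' '):
        if token.startswith("depth="):
            depth = int(token.split('=')[1])
        elif token.startswith("cert="):
            cert = token.split('=')[1]
    if depth is None or not cert:
        return None, None
    return depth, binascii.unhexlify(cert)

def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server-certificate check for network net_id.

    Collects the server certificate chain reported via
    CTRL-EVENT-EAP-PEER-CERT, waits for CTRL-REQ-EXT_CERT_CHECK, verifies
    that EAP does not succeed before the external verdict is given, answers
    ":good" (must connect), then reconnects with the PMKSA cache flushed
    and answers ":bad" (must end in EAP-Failure).

    dev, apdev: hwsim device / AP fixtures; net_id: network id returned by
    connect(..., only_add_network=True). Raises Exception on any deviation
    and HwsimSkip when the build or python OpenSSL binding lacks support.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].select_network(net_id)
    certs = {}  # chain depth -> DER certificate (0 = server, 1 = issuer)
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth, der = ext_cert_check_parse_peer_cert(ev)
            if depth is not None:
                certs[depth] = der
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success before the external verdict would mean the external
            # check is not actually gating the handshake.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            req_id = ev.split(':')[0].split('-')[-1]
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # The "external validation" performed by this test is a CN comparison
    # only; it stands in for whatever policy a real external checker applies.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev is not None:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache so the reconnect performs a full EAP exchange
    # (a cached PMK would skip EAP and hence the certificate check).
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()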
6174 def test_eap_tls_errors(dev
, apdev
):
6175 """EAP-TLS error cases"""
6176 params
= int_eap_server_params()
6177 params
['fragment_size'] = '100'
6178 hostapd
.add_ap(apdev
[0], params
)
6179 with
alloc_fail(dev
[0], 1,
6180 "eap_peer_tls_reassemble_fragment"):
6181 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6182 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6183 client_cert
="auth_serv/user.pem",
6184 private_key
="auth_serv/user.key",
6185 wait_connect
=False, scan_freq
="2412")
6186 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6187 dev
[0].request("REMOVE_NETWORK all")
6188 dev
[0].wait_disconnected()
6190 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6191 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6192 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6193 client_cert
="auth_serv/user.pem",
6194 private_key
="auth_serv/user.key",
6195 wait_connect
=False, scan_freq
="2412")
6196 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6197 dev
[0].request("REMOVE_NETWORK all")
6198 dev
[0].wait_disconnected()
6200 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6201 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6202 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6203 client_cert
="auth_serv/user.pem",
6204 private_key
="auth_serv/user.key",
6206 wait_connect
=False, scan_freq
="2412")
6207 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6208 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6210 raise Exception("No CTRL-REQ-PIN seen")
6211 dev
[0].request("REMOVE_NETWORK all")
6212 dev
[0].wait_disconnected()
6214 tests
= [ "eap_peer_tls_derive_key;eap_tls_success",
6215 "eap_peer_tls_derive_session_id;eap_tls_success",
6218 "eap_tls_get_session_id" ]
6220 with
alloc_fail(dev
[0], 1, func
):
6221 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6222 identity
="tls user@domain",
6223 ca_cert
="auth_serv/ca.pem",
6224 client_cert
="auth_serv/user.pem",
6225 private_key
="auth_serv/user.key",
6227 wait_connect
=False, scan_freq
="2412")
6228 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6229 dev
[0].request("REMOVE_NETWORK all")
6230 dev
[0].wait_disconnected()
6232 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6233 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6234 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6235 wait_connect
=False, scan_freq
="2412")
6236 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6237 dev
[0].request("REMOVE_NETWORK all")
6238 dev
[0].wait_disconnected()
6240 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6241 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6242 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6243 wait_connect
=False, scan_freq
="2412")
6244 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6245 dev
[0].request("REMOVE_NETWORK all")
6246 dev
[0].wait_disconnected()
6248 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6249 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6250 eap
="WFA-UNAUTH-TLS",
6251 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6252 wait_connect
=False, scan_freq
="2412")
6253 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6254 dev
[0].request("REMOVE_NETWORK all")
6255 dev
[0].wait_disconnected()
6257 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6258 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6259 eap
="WFA-UNAUTH-TLS",
6260 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6261 wait_connect
=False, scan_freq
="2412")
6262 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6263 dev
[0].request("REMOVE_NETWORK all")
6264 dev
[0].wait_disconnected()
6266 def test_ap_wpa2_eap_status(dev
, apdev
):
6267 """EAP state machine status information"""
6268 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6269 hostapd
.add_ap(apdev
[0], params
)
6270 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6271 identity
="cert user",
6272 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6273 ca_cert2
="auth_serv/ca.pem",
6274 client_cert2
="auth_serv/user.pem",
6275 private_key2
="auth_serv/user.key",
6276 scan_freq
="2412", wait_connect
=False)
6282 selected_methods
= []
6283 for i
in range(100000):
6284 s
= dev
[0].get_status(extra
="VERBOSE")
6285 if 'EAP state' in s
:
6286 state
= s
['EAP state']
6288 if state
not in states
:
6289 states
.append(state
)
6290 if state
== "SUCCESS":
6293 if 'methodState' in s
:
6294 val
= s
['methodState']
6295 if val
not in method_states
:
6296 method_states
.append(val
)
6299 if val
not in decisions
:
6300 decisions
.append(val
)
6301 if 'reqMethod' in s
:
6302 val
= s
['reqMethod']
6303 if val
not in req_methods
:
6304 req_methods
.append(val
)
6305 if 'selectedMethod' in s
:
6306 val
= s
['selectedMethod']
6307 if val
not in selected_methods
:
6308 selected_methods
.append(val
)
6309 logger
.info("Iterations: %d" % i
)
6310 logger
.info("EAP states: " + str(states
))
6311 logger
.info("methodStates: " + str(method_states
))
6312 logger
.info("decisions: " + str(decisions
))
6313 logger
.info("reqMethods: " + str(req_methods
))
6314 logger
.info("selectedMethods: " + str(selected_methods
))
6316 raise Exception("EAP did not succeed")
6317 dev
[0].wait_connected()
6318 dev
[0].request("REMOVE_NETWORK all")
6319 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

    The AP is configured with a short wpa_ptk_rekey; after the initial
    association the station must complete a second 4-way handshake and
    data connectivity must still work afterwards.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # eap_connect() already consumed the first key negotiation; the next
    # one is the AP-driven rekey (default wait_event timeout applies).
    rekey = dev[0].wait_event(["WPA: Key negotiation completed"])
    if rekey is None:
        raise Exception("PTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)
6333 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6334 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6335 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6336 hapd
= hostapd
.add_ap(apdev
[0], params
)
6337 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6338 identity
="gpsk user",
6339 password
="abcdefghijklmnop0123456789abcdef",