3 # WPA2-Enterprise tests
4 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
6 # This software may be distributed under the terms of the BSD license.
7 # See README for more details.
# Module-wide logger; no name is passed, so this is the root logger.
logger = logging.getLogger(name=None)
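def eap_connect(dev, ap, method, identity, anonymous_identity=None,
                password=None,
                phase1=None, phase2=None, ca_cert=None,
                domain_suffix_match=None, password_hex=None,
                client_cert=None, private_key=None, sha256=False,
                fragment_size=None, expect_failure=False,
                local_error_report=False,
                ca_cert2=None, client_cert2=None, private_key2=None,
                pac_file=None, subject_match=None, altsubject_match=None,
                private_key_passwd=None):
    """Connect *dev* to the "test-wpa2-eap" AP with the given EAP settings.

    Adds the network block on the supplicant, follows the EAP exchange with
    eap_check_auth() and, for a successful exchange, also waits for hostapd
    to report the station as connected.

    Args:
        dev: supplicant instance under test.
        ap: AP descriptor dict; ``ap['ifname']`` is used to reach hostapd.
        method: EAP method name (e.g. "TTLS"); also checked by eap_check_auth().
        identity: outer/inner identity passed to the network block.
        All other keyword arguments are forwarded unchanged to the
        corresponding network-block parameters of ``dev.connect``; *sha256*,
        *expect_failure* and *local_error_report* go to eap_check_auth().

    Returns:
        The network id of the added block.

    Raises:
        Exception: from eap_check_auth() on a failed or unexpected exchange,
            or if hostapd reports no AP-STA-CONNECTED within 5 seconds.
    """
    # NOTE(review): the captured listing drops the ``password=None``
    # parameter line, the ``if expect_failure: return`` short-cut, the
    # ``if ev is None:`` guard and the final ``return``; they are restored
    # here from the body (which uses ``password``) and from the callers that
    # use the return value -- verify against upstream before relying on it.
    hapd = hostapd.Hostapd(ap['ifname'])
    # Both AKMs are offered so the same helper works for plain WPA2-EAP and
    # for the SHA256 AKM; PMF is enabled but left optional (ieee80211w="1").
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        anonymous_identity=anonymous_identity,
                        password=password, phase1=phase1, phase2=phase2,
                        ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
                        wait_connect=False, scan_freq="2412",
                        password_hex=password_hex,
                        client_cert=client_cert, private_key=private_key,
                        ieee80211w="1", fragment_size=fragment_size,
                        ca_cert2=ca_cert2, client_cert2=client_cert2,
                        private_key2=private_key2, pac_file=pac_file,
                        subject_match=subject_match,
                        altsubject_match=altsubject_match,
                        private_key_passwd=private_key_passwd)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if expect_failure:
        # A failed exchange never reaches the AP-side connected state.
        return netid
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    if ev is None:
        raise Exception("No connection event received from hostapd")
    return netid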
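def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow one EAP exchange on *dev* and verify its outcome.

    Consumes the supplicant control-interface events of an EAP run that was
    started by a connect or a REAUTHENTICATE request and raises on any
    timeout or unexpected result.

    Args:
        dev: supplicant instance (needs ``wait_event`` and ``get_status``).
        method: EAP method name expected in CTRL-EVENT-EAP-METHOD and in the
            ``selectedMethod`` status field (substring match).
        initial: True for a first association (wait for CTRL-EVENT-CONNECTED);
            False for a reauthentication of an existing association (only a
            new key negotiation is expected).
        rsn: expect the WPA2 (RSN) key_mgmt status string rather than WPA.
        sha256: expect the WPA-EAP-SHA256 AKM in the key_mgmt status.
        expect_failure: the exchange must end in EAP failure followed by a
            disconnection; the function returns right after that.
        local_error_report: the failure is raised locally by the supplicant,
            so the AP's disconnection reason code is not checked.

    Raises:
        Exception: on any timeout, wrong method, wrong result or wrong
            status field.
    """
    # NOTE(review): the captured listing drops every ``if ev is None:`` guard
    # and the ``if method not in ev`` / ``if expect_failure`` / ``if initial``
    # / ``if sha256`` branch heads; they are restored from the surrounding
    # pattern -- verify against upstream before relying on this copy.
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("EAP failure timed out")
        ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
        if ev is None:
            raise Exception("Disconnection timed out")
        # reason=23 is the IEEE 802.11 "IEEE 802.1X authentication failed"
        # reason code; it is only expected when the AP side terminates the
        # exchange, not when the supplicant itself reports the error.
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")

    if initial:
        ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    else:
        ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # Port authorization is the 802.1X-side proof that EAP success was
    # actually applied, not just reported.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        # NOTE(review): this branch's status string is not in the capture;
        # "WPA2-EAP-SHA256" is what wpa_supplicant reports for the SHA256
        # AKM -- confirm against the supplicant version in use.
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])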
def eap_reauth(dev, method, rsn=True, sha256=False):
    """Trigger an EAP reauthentication on *dev* and verify it completes.

    Issues the REAUTHENTICATE control command and then follows the exchange
    with eap_check_auth(initial=False), i.e. only a fresh key negotiation,
    not a new association, is expected.
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256)
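def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # Presumably the control socket of the external hlr_auc_gw helper that
    # the EAP-SIM server side needs; without it the test cannot run.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        # NOTE(review): the line following this message is missing from the
        # capture; hwsim tests mark a skipped test by returning "skip" --
        # verify against upstream.
        return "skip"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "SIM")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Wrong key material must end in EAP failure, never in a connection.
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                expect_failure=True)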
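def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # Presumably the control socket of the external hlr_auc_gw helper that
    # the EAP-AKA server side needs; without it the test cannot run.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        # NOTE(review): the line following this message is missing from the
        # capture; hwsim tests mark a skipped test by returning "skip" --
        # verify against upstream.
        return "skip"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "AKA")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                expect_failure=True)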
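def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # Presumably the control socket of the external hlr_auc_gw helper that
    # the EAP-AKA' server side needs; without it the test cannot run.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        # NOTE(review): the line following this message is missing from the
        # capture; hwsim tests mark a skipped test by returning "skip" --
        # verify against upstream.
        return "skip"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "AKA'")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)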
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Besides the CA, the server certificate is pinned to an exact subject
    # and to the listed subjectAltName entries.
    eap_connect(sta, ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same CA as the other TTLS tests, but supplied in DER form here.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
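def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The server certificate must additionally carry a name under this suffix.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword argument of this call is missing from
    # the capture (the call was left unterminated); given that the connect is
    # otherwise a repeat, it is presumably a ``fragment_size`` setting as in
    # test_ap_wpa2_eap_ikev2 -- restore it from upstream before use.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                )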
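def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\" keeps the literal backslash of the DOMAIN\user form without
    # relying on "\m" being an unknown (and deprecated) escape.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

    # Snapshot hostapd's per-STA EAPOL counters around a reauthentication so
    # the reauth is verified on the authenticator side as well.
    sta_addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(sta_addr)
    eapol1 = hapd.get_sta(sta_addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(sta_addr)
    eapol2 = hapd.get_sta(sta_addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)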
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP method inside the tunnel (vs. "auth=").
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the tunneled inner method.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
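def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)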
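def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword argument of this call is missing from
    # the capture (the call was left unterminated); given that the connect is
    # otherwise a repeat, it is presumably a ``fragment_size`` setting as in
    # test_ap_wpa2_eap_ikev2 -- restore it from upstream before use.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                )

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)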
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # phase1 forces PEAP version 0 and crypto_binding=2 (the strictest
    # setting exposed via phase1); no anonymous identity is used here.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters hold the inner (phase 2) EAP-TLS credentials; the
    # outer tunnel only gets the CA.
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication with a PEM key pair.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
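def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Key and certificate come from one PKCS#12 container, unlocked with a
    # passphrase given in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")

    # Second round: no passphrase configured, so the supplicant has to ask
    # for it over the control interface.
    # NOTE(review): the ``identity`` line of this connect call and the two
    # ``if ev is None:`` guards are missing from the capture and restored
    # from the first connect above and from eap_check_auth() -- verify.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the trailing field of "CTRL-REQ-PASSPHRASE-<id>:...".
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + rid + ":whatever")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection timed out")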
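def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The configured CA does not match the server certificate's issuer, so
    # server validation must fail and the network must end up disabled; a
    # supplicant that continued here would hand its inner credentials to an
    # unverified server.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the ``if ev is None:`` guards and the EAP method check
    # below are missing from the capture and restored from the pattern used
    # in eap_check_auth() -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first result event must be the certificate error, not a success or
    # connection event.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failing network block must be temporarily disabled rather than
    # retried indefinitely.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")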
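def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA is correct but the server name does not end in the configured
    # suffix; the supplicant must treat this as a certificate error so that
    # any server certificate from the same CA cannot impersonate the target.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the ``if ev is None:`` guards and the EAP method check
    # below are missing from the capture and restored from the pattern used
    # in eap_check_auth() -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    # The error must name the actual cause, not just a generic failure.
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")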
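def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but the pinned subject (CN=example.com) is not the server's;
    # the mismatch must be reported as a certificate error and the
    # authentication must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the ``if ev is None:`` guards and the EAP method check
    # below are missing from the capture and restored from the pattern used
    # in eap_check_auth() -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")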
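def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but none of the server certificate's subjectAltName entries
    # match the configured value; this must be reported and must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the ``if ev is None:`` guards and the EAP method check
    # below are missing from the capture and restored from the pattern used
    # in eap_check_auth() -- verify against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")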
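def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # SHA-256 fingerprint of the test server's certificate, used below to pin
    # the server directly instead of trusting a CA.
    srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): all ``if ev is None:`` guards in this function are
    # missing from the capture and restored from the pattern used in
    # eap_check_auth() -- verify against upstream.

    # Step 1: probe. ca_cert="probe://" makes the supplicant report the
    # server certificate (with its hash) and then abort the handshake with
    # a "chain probe" certificate error instead of authenticating.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin a hash that does not belong to the server; the mismatch
    # must be reported and the connection rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash learned in step 1; now the connection must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")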
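def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")

    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword argument of this call is missing from
    # the capture (the call was left unterminated); given that the connect is
    # otherwise a repeat, it is presumably a ``fragment_size`` setting as in
    # test_ap_wpa2_eap_ikev2 -- restore it from upstream before use.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password",
                )

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # EAP-pwd detects the wrong password locally, so the disconnection
    # reason code is not checked (local_error_report=True).
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)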
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    ap_params = {
        "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP", "ieee8021x": "1",
        "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
    }
    # The AP is reconfigured once per pwd_group; the supplicant's network
    # list is cleared before each run so a stale block cannot mask a failure.
    for group in (19, 20, 21, 25, 26):
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
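def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    # NOTE(review): the ``if ev is None:`` guards in this function are
    # missing from the capture and restored from eap_check_auth() -- verify.
    logger.info("Test forced algorithm selection")
    # Changing phase1 on the active network block makes the supplicant redo
    # the exchange (presumably via a reconnect); each forced cipher suite
    # must still succeed.
    for phase1 in ["cipher=1", "cipher=2"]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # An unsupported cipher must be refused rather than silently downgraded.
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)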
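def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # SAKE takes its shared secret as raw hex via password_hex.
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)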
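def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    # NOTE(review): the ``if ev is None:`` guards in this function are
    # missing from the capture and restored from eap_check_auth() -- verify.
    logger.info("Test forced algorithm selection")
    # Each phase1 string forces one DH group / encryption / PRF / MAC
    # combination; changing it on the active block makes the supplicant redo
    # the exchange (presumably via a reconnect), which must still succeed.
    for phase1 in ["dhgroup=5 encr=1 prf=2 mac=2",
                   "dhgroup=4 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=2 mac=2",
                   "dhgroup=3 encr=1 prf=1 mac=1"]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    # Unsupported parameters must lead to EAP failure, not a fallback.
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)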
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")

    # Repeat with a small EAP fragment size to exercise fragmentation.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="250")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
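def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # PAX takes its shared key as raw hex via password_hex.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)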
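def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The AP only offers the SHA256 AKM and requires PMF (ieee80211w=2);
    # eap_connect() offers both AKMs, so the SHA256 one gets selected and
    # sha256=True makes eap_check_auth() expect it in the key_mgmt status.
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing ``expect_failure=True)`` line is missing from
    # the capture and restored from the other negative tests in this file.
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)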
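def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (TKIP-era) rather than WPA2, hence rsn=False below and a direct
    # connect instead of eap_connect(), which only offers RSN AKMs.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line of this connect call is missing from the
    # capture; restored as ``scan_freq="2412")`` to match every other
    # connect call in this file -- verify against upstream.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "PEAP", rsn=False)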
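def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each entry: (description, eap, anonymous_identity, identity, phase2,
    #              identity to supply on CTRL-REQ-IDENTITY or None,
    #              password to supply on CTRL-REQ-PASSWORD/CTRL-REQ-OTP)
    # NOTE(review): the tail of the first entry is missing from the capture;
    # it is restored as ``None, "password"`` to match its description
    # (password entry only, identity preconfigured) -- verify.
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    # NOTE(review): the ``logger.info(desc)`` line, the ``if req_id:`` guard
    # and the ``if ev is None:`` guards are missing from the capture; the
    # guard is required because most entries have no identity to supply
    # (req_id is None) -- verify against upstream.
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # Request id is the trailing field of "CTRL-REQ-IDENTITY-<id>:...".
            rid = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        rid = ev.split(':')[0].split('-')[-1]
        # GTC asks for a one-time password; answer on the matching channel.
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + rid + ":" + req_pw)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        dev[0].request("REMOVE_NETWORK all")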
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The vendor-test method needs no credentials beyond the identity.
    eap_connect(sta, ap, "VENDOR-TEST", "vendor-test")
    eap_reauth(sta, "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 allows unauthenticated PAC provisioning; the PAC is
    # kept in a configuration blob rather than a file.
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects authenticated PAC provisioning with GTC as
    # the inner method; a separate blob keeps this PAC apart from the
    # unauthenticated-provisioning test's.
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "FAST")