1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; the root logger is used so hwsim's run-tests
# handler configuration applies to everything logged from these tests.
logger = logging.getLogger(name=None)
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when no hlr_auc_gw control socket is present.

    The SIM/AKA tests need the external HLR/AuC gateway; its presence is
    detected only by the existence of its well-known socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    gateway_socket = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(gateway_socket):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    subject_match is only available with OpenSSL builds, so other TLS
    libraries make the test inapplicable rather than failed.

    Args:
        dev: WpaSupplicant instance; its "GET tls_library" reply is inspected.

    Raises:
        HwsimSkip: if the reported TLS library does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    altsubject_match (SAN matching) is only available with OpenSSL builds.

    Args:
        dev: WpaSupplicant instance; its "GET tls_library" reply is inspected.

    Raises:
        HwsimSkip: if the reported TLS library does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    With non-OpenSSL libraries domain_suffix_match only performs a full
    domain match, so suffix-only test cases cannot run there.

    Args:
        dev: WpaSupplicant instance; its "GET tls_library" reply is inspected.

    Raises:
        HwsimSkip: if the reported TLS library does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    Certificate probing (ca_cert="probe://") is only available with
    OpenSSL builds.

    Args:
        dev: WpaSupplicant instance; its "GET tls_library" reply is inspected.

    Raises:
        HwsimSkip: if the reported TLS library does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
91 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
93 raise Exception("EAP method selection timed out")
94 if "CTRL-EVENT-EAP-FAILURE" in ev:
97 raise Exception("Could not select EAP method")
99 raise Exception("Unexpected EAP method")
101 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
103 raise Exception("EAP failure timed out")
104 ev = dev.wait_disconnected(timeout=10)
105 if maybe_local_error and "locally_generated=1" in ev:
107 if not local_error_report:
108 if "reason=23" not in ev:
109 raise Exception("Proper reason code for disconnection not reported")
111 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
113 raise Exception("EAP success timed out")
116 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
118 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
120 raise Exception("Association with the AP timed out")
121 status = dev.get_status()
122 if status["wpa_state"] != "COMPLETED":
123 raise Exception("Connection not completed")
125 if status["suppPortStatus"] != "Authorized":
126 raise Exception("Port not authorized")
127 if method not in status["selectedMethod"]:
128 raise Exception("Incorrect EAP method status")
130 e = "WPA2-EAP-SHA256"
132 e = "WPA2/IEEE 802.1X/EAP"
134 e = "WPA/IEEE 802.1X/EAP"
135 if status["key_mgmt"] != e:
136 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on dev and verify its outcome.

    Sends the REAUTHENTICATE control command and then applies the same
    event/status checks as the initial connection, with initial=False.
    Note that local_error_report/maybe_local_error are not forwarded;
    re-authentication uses eap_check_auth's defaults for them.

    Args:
        dev: WpaSupplicant instance to re-authenticate.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn: whether the association is RSN (WPA2) rather than WPA.
        sha256: whether the WPA-EAP-SHA256 AKM is expected.
        expect_failure: whether the re-authentication is expected to fail.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    check_args = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **check_args)
144 def test_ap_wpa2_eap_sim(dev, apdev):
145 """WPA2-Enterprise connection using EAP-SIM"""
146 check_hlr_auc_gw_support()
147 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
149 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 hwsim_utils.test_connectivity(dev[0], hapd)
152 eap_reauth(dev[0], "SIM")
154 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
155 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
157 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
160 logger.info("Negative test with incorrect key")
161 dev[0].request("REMOVE_NETWORK all")
162 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
163 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
166 logger.info("Invalid GSM-Milenage key")
167 dev[0].request("REMOVE_NETWORK all")
168 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
169 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
172 logger.info("Invalid GSM-Milenage key(2)")
173 dev[0].request("REMOVE_NETWORK all")
174 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
175 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
178 logger.info("Invalid GSM-Milenage key(3)")
179 dev[0].request("REMOVE_NETWORK all")
180 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
181 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
184 logger.info("Invalid GSM-Milenage key(4)")
185 dev[0].request("REMOVE_NETWORK all")
186 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
187 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
190 logger.info("Missing key configuration")
191 dev[0].request("REMOVE_NETWORK all")
192 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
195 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
196 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
197 check_hlr_auc_gw_support()
201 raise HwsimSkip("No sqlite3 module available")
202 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
203 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
204 params['auth_server_port'] = "1814"
205 hostapd.add_ap(apdev[0]['ifname'], params)
206 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
207 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
209 logger.info("SIM fast re-authentication")
210 eap_reauth(dev[0], "SIM")
212 logger.info("SIM full auth with pseudonym")
215 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
216 eap_reauth(dev[0], "SIM")
218 logger.info("SIM full auth with permanent identity")
221 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
222 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
223 eap_reauth(dev[0], "SIM")
225 logger.info("SIM reauth with mismatching MK")
228 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
229 eap_reauth(dev[0], "SIM", expect_failure=True)
230 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
233 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
236 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
237 eap_reauth(dev[0], "SIM")
240 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with mismatching counter")
242 eap_reauth(dev[0], "SIM")
243 dev[0].request("REMOVE_NETWORK all")
245 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
246 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
250 logger.info("SIM reauth with max reauth count reached")
251 eap_reauth(dev[0], "SIM")
253 def test_ap_wpa2_eap_sim_config(dev, apdev):
254 """EAP-SIM configuration options"""
255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
256 hostapd.add_ap(apdev[0]['ifname'], params)
257 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
258 identity="1232010000000000",
259 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1="sim_min_num_chal=1",
261 wait_connect=False, scan_freq="2412")
262 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
264 raise Exception("No EAP error message seen")
265 dev[0].request("REMOVE_NETWORK all")
267 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
268 identity="1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=4",
271 wait_connect=False, scan_freq="2412")
272 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
274 raise Exception("No EAP error message seen (2)")
275 dev[0].request("REMOVE_NETWORK all")
277 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
279 phase1="sim_min_num_chal=2")
280 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
281 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
282 anonymous_identity="345678")
284 def test_ap_wpa2_eap_sim_ext(dev, apdev):
285 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
287 _test_ap_wpa2_eap_sim_ext(dev, apdev)
289 dev[0].request("SET external_sim 0")
291 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
292 check_hlr_auc_gw_support()
293 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
294 hostapd.add_ap(apdev[0]['ifname'], params)
295 dev[0].request("SET external_sim 1")
296 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
297 identity="1232010000000000",
298 wait_connect=False, scan_freq="2412")
299 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
301 raise Exception("Network connected timed out")
303 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
305 raise Exception("Wait for external SIM processing request timed out")
307 if p[1] != "GSM-AUTH":
308 raise Exception("Unexpected CTRL-REQ-SIM type")
309 rid = p[0].split('-')[3]
312 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
313 # This will fail during processing, but the ctrl_iface command succeeds
314 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
317 raise Exception("EAP failure not reported")
318 dev[0].request("DISCONNECT")
319 dev[0].wait_disconnected()
322 dev[0].select_network(id, freq="2412")
323 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
325 raise Exception("Wait for external SIM processing request timed out")
327 if p[1] != "GSM-AUTH":
328 raise Exception("Unexpected CTRL-REQ-SIM type")
329 rid = p[0].split('-')[3]
330 # This will fail during GSM auth validation
331 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
332 raise Exception("CTRL-RSP-SIM failed")
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
337 dev[0].wait_disconnected()
340 dev[0].select_network(id, freq="2412")
341 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
343 raise Exception("Wait for external SIM processing request timed out")
345 if p[1] != "GSM-AUTH":
346 raise Exception("Unexpected CTRL-REQ-SIM type")
347 rid = p[0].split('-')[3]
348 # This will fail during GSM auth validation
349 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
350 raise Exception("CTRL-RSP-SIM failed")
351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
353 raise Exception("EAP failure not reported")
354 dev[0].request("DISCONNECT")
355 dev[0].wait_disconnected()
358 dev[0].select_network(id, freq="2412")
359 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
361 raise Exception("Wait for external SIM processing request timed out")
363 if p[1] != "GSM-AUTH":
364 raise Exception("Unexpected CTRL-REQ-SIM type")
365 rid = p[0].split('-')[3]
366 # This will fail during GSM auth validation
367 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
368 raise Exception("CTRL-RSP-SIM failed")
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
371 raise Exception("EAP failure not reported")
372 dev[0].request("DISCONNECT")
373 dev[0].wait_disconnected()
376 dev[0].select_network(id, freq="2412")
377 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
379 raise Exception("Wait for external SIM processing request timed out")
381 if p[1] != "GSM-AUTH":
382 raise Exception("Unexpected CTRL-REQ-SIM type")
383 rid = p[0].split('-')[3]
384 # This will fail during GSM auth validation
385 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
386 raise Exception("CTRL-RSP-SIM failed")
387 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
389 raise Exception("EAP failure not reported")
390 dev[0].request("DISCONNECT")
391 dev[0].wait_disconnected()
394 dev[0].select_network(id, freq="2412")
395 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
397 raise Exception("Wait for external SIM processing request timed out")
399 if p[1] != "GSM-AUTH":
400 raise Exception("Unexpected CTRL-REQ-SIM type")
401 rid = p[0].split('-')[3]
402 # This will fail during GSM auth validation
403 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
404 raise Exception("CTRL-RSP-SIM failed")
405 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
407 raise Exception("EAP failure not reported")
408 dev[0].request("DISCONNECT")
409 dev[0].wait_disconnected()
412 dev[0].select_network(id, freq="2412")
413 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
415 raise Exception("Wait for external SIM processing request timed out")
417 if p[1] != "GSM-AUTH":
418 raise Exception("Unexpected CTRL-REQ-SIM type")
419 rid = p[0].split('-')[3]
420 # This will fail during GSM auth validation
421 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
422 raise Exception("CTRL-RSP-SIM failed")
423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
425 raise Exception("EAP failure not reported")
427 def test_ap_wpa2_eap_sim_oom(dev, apdev):
428 """EAP-SIM and OOM"""
429 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
430 hostapd.add_ap(apdev[0]['ifname'], params)
431 tests = [ (1, "milenage_f2345"),
432 (2, "milenage_f2345"),
433 (3, "milenage_f2345"),
434 (4, "milenage_f2345"),
435 (5, "milenage_f2345"),
436 (6, "milenage_f2345"),
437 (7, "milenage_f2345"),
438 (8, "milenage_f2345"),
439 (9, "milenage_f2345"),
440 (10, "milenage_f2345"),
441 (11, "milenage_f2345"),
442 (12, "milenage_f2345") ]
443 for count, func in tests:
444 with alloc_fail(dev[0], count, func):
445 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
446 identity="1232010000000000",
447 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
448 wait_connect=False, scan_freq="2412")
449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
451 raise Exception("EAP method not selected")
452 dev[0].wait_disconnected()
453 dev[0].request("REMOVE_NETWORK all")
455 def test_ap_wpa2_eap_aka(dev, apdev):
456 """WPA2-Enterprise connection using EAP-AKA"""
457 check_hlr_auc_gw_support()
458 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
459 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
460 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
461 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
462 hwsim_utils.test_connectivity(dev[0], hapd)
463 eap_reauth(dev[0], "AKA")
465 logger.info("Negative test with incorrect key")
466 dev[0].request("REMOVE_NETWORK all")
467 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
468 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
471 logger.info("Invalid Milenage key")
472 dev[0].request("REMOVE_NETWORK all")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
477 logger.info("Invalid Milenage key(2)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
482 logger.info("Invalid Milenage key(3)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
487 logger.info("Invalid Milenage key(4)")
488 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
492 logger.info("Invalid Milenage key(5)")
493 dev[0].request("REMOVE_NETWORK all")
494 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
495 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
498 logger.info("Invalid Milenage key(6)")
499 dev[0].request("REMOVE_NETWORK all")
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
504 logger.info("Missing key configuration")
505 dev[0].request("REMOVE_NETWORK all")
506 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
509 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
510 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
511 check_hlr_auc_gw_support()
515 raise HwsimSkip("No sqlite3 module available")
516 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
517 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
518 params['auth_server_port'] = "1814"
519 hostapd.add_ap(apdev[0]['ifname'], params)
520 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
521 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
523 logger.info("AKA fast re-authentication")
524 eap_reauth(dev[0], "AKA")
526 logger.info("AKA full auth with pseudonym")
529 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
530 eap_reauth(dev[0], "AKA")
532 logger.info("AKA full auth with permanent identity")
535 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
536 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
537 eap_reauth(dev[0], "AKA")
539 logger.info("AKA reauth with mismatching MK")
542 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
543 eap_reauth(dev[0], "AKA", expect_failure=True)
544 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
547 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
550 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
551 eap_reauth(dev[0], "AKA")
554 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with mismatching counter")
556 eap_reauth(dev[0], "AKA")
557 dev[0].request("REMOVE_NETWORK all")
559 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
560 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
564 logger.info("AKA reauth with max reauth count reached")
565 eap_reauth(dev[0], "AKA")
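def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Consistent with the other EAP-AKA tests: a successful AKA exchange
    # needs the external HLR/AuC gateway, so skip (rather than fail)
    # when it is not running.
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Only anonymous_identity is exercised here; the permanent identity is
    # still passed as identity and the Milenage key material as password.
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=aka_key, anonymous_identity="2345678")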
575 def test_ap_wpa2_eap_aka_ext(dev, apdev):
576 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
578 _test_ap_wpa2_eap_aka_ext(dev, apdev)
580 dev[0].request("SET external_sim 0")
582 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
583 check_hlr_auc_gw_support()
584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
585 hostapd.add_ap(apdev[0]['ifname'], params)
586 dev[0].request("SET external_sim 1")
587 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
588 identity="0232010000000000",
589 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
590 wait_connect=False, scan_freq="2412")
591 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
593 raise Exception("Network connected timed out")
595 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p[1] != "UMTS-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid = p[0].split('-')[3]
604 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
605 # This will fail during processing, but the ctrl_iface command succeeds
606 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
607 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
609 raise Exception("EAP failure not reported")
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
614 dev[0].select_network(id, freq="2412")
615 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
617 raise Exception("Wait for external SIM processing request timed out")
619 if p[1] != "UMTS-AUTH":
620 raise Exception("Unexpected CTRL-REQ-SIM type")
621 rid = p[0].split('-')[3]
622 # This will fail during UMTS auth validation
623 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
624 raise Exception("CTRL-RSP-SIM failed")
625 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
627 raise Exception("Wait for external SIM processing request timed out")
629 if p[1] != "UMTS-AUTH":
630 raise Exception("Unexpected CTRL-REQ-SIM type")
631 rid = p[0].split('-')[3]
632 # This will fail during UMTS auth validation
633 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
634 raise Exception("CTRL-RSP-SIM failed")
635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
637 raise Exception("EAP failure not reported")
638 dev[0].request("DISCONNECT")
639 dev[0].wait_disconnected()
642 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
644 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
645 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
646 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
647 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
648 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
650 dev[0].select_network(id, freq="2412")
651 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
653 raise Exception("Wait for external SIM processing request timed out")
655 if p[1] != "UMTS-AUTH":
656 raise Exception("Unexpected CTRL-REQ-SIM type")
657 rid = p[0].split('-')[3]
658 # This will fail during UMTS auth validation
659 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
660 raise Exception("CTRL-RSP-SIM failed")
661 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
663 raise Exception("EAP failure not reported")
664 dev[0].request("DISCONNECT")
665 dev[0].wait_disconnected()
668 def test_ap_wpa2_eap_aka_prime(dev, apdev):
669 """WPA2-Enterprise connection using EAP-AKA'"""
670 check_hlr_auc_gw_support()
671 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
672 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
673 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
674 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
675 hwsim_utils.test_connectivity(dev[0], hapd)
676 eap_reauth(dev[0], "AKA'")
678 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
679 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
680 identity="6555444333222111@both",
681 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 wait_connect=False, scan_freq="2412")
683 dev[1].wait_connected(timeout=15)
685 logger.info("Negative test with incorrect key")
686 dev[0].request("REMOVE_NETWORK all")
687 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
688 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
691 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
692 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
693 check_hlr_auc_gw_support()
697 raise HwsimSkip("No sqlite3 module available")
698 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
699 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
700 params['auth_server_port'] = "1814"
701 hostapd.add_ap(apdev[0]['ifname'], params)
702 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
703 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
705 logger.info("AKA' fast re-authentication")
706 eap_reauth(dev[0], "AKA'")
708 logger.info("AKA' full auth with pseudonym")
711 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
712 eap_reauth(dev[0], "AKA'")
714 logger.info("AKA' full auth with permanent identity")
717 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
718 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
719 eap_reauth(dev[0], "AKA'")
721 logger.info("AKA' reauth with mismatching k_aut")
724 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
725 eap_reauth(dev[0], "AKA'", expect_failure=True)
726 dev[0].request("REMOVE_NETWORK all")
728 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
729 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
732 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
733 eap_reauth(dev[0], "AKA'")
736 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with mismatching counter")
738 eap_reauth(dev[0], "AKA'")
739 dev[0].request("REMOVE_NETWORK all")
741 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
742 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
745 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
746 logger.info("AKA' reauth with max reauth count reached")
747 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    # Bring up the AP and confirm the configured AKM list starts with
    # WPA-EAP before any station associates.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    akm_list = ap.get_config()['key_mgmt']
    first_akm = akm_list.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)
    # ca_cert makes the supplicant validate the TTLS server certificate
    # against the test CA; the PAP phase2 exchange runs inside that tunnel.
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite must report it.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options are OpenSSL-only; skip on other TLS libraries.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # In addition to CA validation, the server certificate subject and
    # its SAN entries have to match these values for the connection
    # (and the later re-authentication) to succeed.
    expected_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    expected_altsubject = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=expected_subject,
                altsubject_match=expected_altsubject)
    eap_reauth(dev[0], "TTLS")
777 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
778 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
781 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
782 anonymous_identity="ttls", password="wrong",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
785 eap_connect(dev[1], apdev[0], "TTLS", "user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is not exercised under a FIPS build.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The trust anchor is given in DER form here (the PAP tests use the
    # PEM file) so both encodings get covered.
    chap_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **chap_args)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
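def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # The docstring doubles as the test description in the hwsim runner;
    # it previously duplicated test_ap_wpa2_eap_ttls_chap's text and did
    # not mention the altsubject_match coverage this test adds.
    skip_with_fips(dev[0])
    # altsubject_match is OpenSSL-only; skip on other TLS libraries.
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same SAN entries as the PAP variant but listed in a different order:
    # matching must not depend on the order of the configured entries.
    expected_altsubject = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=expected_altsubject)
    eap_reauth(dev[0], "TTLS")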
813 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
814 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
815 skip_with_fips(dev[0])
816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
817 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
818 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
819 anonymous_identity="ttls", password="wrong",
820 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
822 eap_connect(dev[1], apdev[0], "TTLS", "user",
823 anonymous_identity="ttls", password="password",
824 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
827 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
828 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
829 skip_with_fips(dev[0])
830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
831 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
832 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
833 anonymous_identity="ttls", password="password",
834 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
835 domain_suffix_match="server.w1.fi")
836 hwsim_utils.test_connectivity(dev[0], hapd)
837 eap_reauth(dev[0], "TTLS")
838 dev[0].request("REMOVE_NETWORK all")
839 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
844 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
845 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
846 skip_with_fips(dev[0])
847 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
848 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Three stations probe the server's rejection paths: wrong password,
# a different account, and an unknown user. NOTE(review): each call's
# closing argument line (listing lines 852, 856, 860) is missing from this
# listing - presumably `expect_failure=True)`; confirm against the source.
849 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
850 anonymous_identity="ttls", password="wrong",
851 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
853 eap_connect(dev[1], apdev[0], "TTLS", "user",
854 anonymous_identity="ttls", password="password",
855 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
857 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
858 anonymous_identity="ttls", password="password",
859 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # The inner method has to be compiled into wpa_supplicant.
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)

    def counters():
        # STA-level and EAPOL-level MIB snapshots for dev[0], in that order.
        sta = hapd.get_sta(dev[0].p2p_interface_addr())
        eapol = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
        return sta, eapol

    def increased(key, before, after):
        return int(after[key]) > int(before[key])

    # ca_cert pins the trust root; domain_suffix_match binds the server
    # certificate to the expected host name on top of chain validation.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    sta_before, eapol_before = counters()
    eap_reauth(dev[0], "TTLS")
    sta_after, eapol_after = counters()
    # The reauthentication must show up in the authenticator's MIB counters.
    if not increased('dot1xAuthEapolFramesRx', sta_before, sta_after):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if not increased('backendAuthSuccesses', eapol_before, eapol_after):
        raise Exception("backendAuthSuccesses did not increase")

    # Same account again, password supplied in its hashed form (the
    # "hash:" prefix) instead of cleartext.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # "w1.fi" is only a suffix of the server certificate's name, so this
    # needs real suffix matching rather than the full-match fallback.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_suffix_match="w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # domain_match requires the whole server name to match; the mixed-case
    # value exercises case-insensitive comparison of the host name.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_match="Server.w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
919 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
920 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
921 skip_with_fips(dev[0])
922 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
923 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Near-miss password ("password1") for the right account, then the right
# password for a different account. NOTE(review): both calls' closing
# argument lines (listing lines 927 and 931) are missing from this listing -
# presumably `expect_failure=True)`; confirm against the source file.
924 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
925 anonymous_identity="ttls", password="password1",
926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
928 eap_connect(dev[1], apdev[0], "TTLS", "user",
929 anonymous_identity="ttls", password="password",
930 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)  # not used further; kept for parity
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given in cleartext: the MSCHAPv2 hash has to be
    # computed over the correctly encoded (UTF-16LE) form.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # Second account with the password supplied already hashed ("hash:"
    # prefix), so no encoding step happens on the client.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" runs an EAP method (GTC here) inside the TTLS tunnel,
    # as opposed to the non-EAP "auth=" inner methods.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
957 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
958 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
959 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
960 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Wrong password inside the tunnel must be rejected. NOTE(review): the
# closing argument line (listing line 964) is missing from this listing -
# presumably `expect_failure=True)` as in the EAP-MD5 sibling.
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="wrong",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
966 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
967 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
968 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
969 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Account that has no password provisioned on the server side; a client
# offering one must still not get through. NOTE(review): the closing
# argument line (listing line 973) is missing from this listing -
# presumably `expect_failure=True)` as in the EAP-MD5 sibling.
970 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
971 anonymous_identity="ttls", password="password",
972 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
975 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
976 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
# Uses the integrated EAP server so allocation failures can be injected
# into hostapd itself.
977 params = int_eap_server_params()
978 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First allocation in eap_gtc_init fails: the server must abort the
# method cleanly. NOTE(review): this call's closing argument line (listing
# line 983) is missing from this listing - presumably `expect_failure=True)`.
979 with alloc_fail(hapd, 1, "eap_gtc_init"):
980 eap_connect(dev[0], apdev[0], "TTLS", "user",
981 anonymous_identity="ttls", password="password",
982 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
984 dev[0].request("REMOVE_NETWORK all")
# Second injection point: building the GTC request. No connection is
# awaited; only reaching the failure matters.
986 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
987 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
988 eap="TTLS", identity="user",
989 anonymous_identity="ttls", password="password",
990 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
991 wait_connect=False, scan_freq="2412")
992 # This would eventually time out, but we can stop after having reached
993 # the allocation failure.
# NOTE(review): listing lines 994-995 and 997 are missing; presumably a
# short polling loop around this GET_ALLOC_FAIL check (a leading '0' means
# the injected failure has been consumed). Confirm against the source file.
996 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip rather than fail without it.
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # MD5 offers no key derivation of its own, so it is only usable here
    # as a tunneled ("autheap=") method under TTLS.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password inside the tunnel has to end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server has no password for this account; offering one must
    # still be rejected rather than accepted by default.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1030 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1031 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1032 check_eap_capa(dev[0], "MD5")
# Integrated EAP server, so allocation failures can be injected into hostapd.
1033 params = int_eap_server_params()
1034 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failing allocation in eap_md5_init must surface as a clean EAP failure.
1035 with alloc_fail(hapd, 1, "eap_md5_init"):
1036 eap_connect(dev[0], apdev[0], "TTLS", "user",
1037 anonymous_identity="ttls", password="password",
1038 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1039 expect_failure=True)
1040 dev[0].request("REMOVE_NETWORK all")
# Second injection point while building the MD5 challenge; the connect is
# not awaited, only the consumption of the injected failure.
1042 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1043 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1044 eap="TTLS", identity="user",
1045 anonymous_identity="ttls", password="password",
1046 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1047 wait_connect=False, scan_freq="2412")
1048 # This would eventually time out, but we can stop after having reached
1049 # the allocation failure.
# NOTE(review): listing lines 1050-1051 and 1053 are missing; presumably a
# short polling loop around this GET_ALLOC_FAIL check. Confirm against source.
1052 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    # Positive case: connect, pass traffic, reauthenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # Negative case: a near-miss password must be refused.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a server-side password: the tunneled MSCHAPv2
    # exchange must fail instead of succeeding on an empty secret.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1083 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1084 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1085 check_eap_capa(dev[0], "MSCHAPV2")
# Integrated EAP server, so allocation failures can be injected into hostapd.
1086 params = int_eap_server_params()
1087 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failing allocation in eap_mschapv2_init must surface as a clean EAP failure.
1088 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1089 eap_connect(dev[0], apdev[0], "TTLS", "user",
1090 anonymous_identity="ttls", password="password",
1091 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1092 expect_failure=True)
1093 dev[0].request("REMOVE_NETWORK all")
# Three further injection points (challenge, success request, failure
# request). Each connect is not awaited; the test only waits until the
# injected failure has been consumed. NOTE(review): in this listing the
# lines between each "# the allocation failure." comment and its
# GET_ALLOC_FAIL check (listing lines 1103-1104, 1117-1118, 1131-1132) and
# the line after each check (1106, 1120, 1134) are missing - presumably a
# short polling loop with a `break`. Confirm against the source file.
1095 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1096 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1097 eap="TTLS", identity="user",
1098 anonymous_identity="ttls", password="password",
1099 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1100 wait_connect=False, scan_freq="2412")
1101 # This would eventually time out, but we can stop after having reached
1102 # the allocation failure.
1105 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1107 dev[0].request("REMOVE_NETWORK all")
1109 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1110 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1111 eap="TTLS", identity="user",
1112 anonymous_identity="ttls", password="password",
1113 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1114 wait_connect=False, scan_freq="2412")
1115 # This would eventually time out, but we can stop after having reached
1116 # the allocation failure.
1119 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1121 dev[0].request("REMOVE_NETWORK all")
# The failure-request path is reached with a wrong password on purpose.
1123 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1124 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1125 eap="TTLS", identity="user",
1126 anonymous_identity="ttls", password="wrong",
1127 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1128 wait_connect=False, scan_freq="2412")
1129 # This would eventually time out, but we can stop after having reached
1130 # the allocation failure.
1133 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1135 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Software USIM: the "password" carries the Milenage Ki:OPc:SQN test
    # triplet, so no real card is needed for the tunneled AKA run.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same software-USIM parameters (Ki:OPc:SQN) as the TTLS variant,
    # here carried inside a PEAP tunnel.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # fast_provisioning=2 allows authenticated PAC provisioning; the PAC is
    # kept in a configuration blob rather than on disk.
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # 1) Plain connect, data path and reauthentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # 2) Same credentials with a small EAP fragment size, so the TLS
    #    handshake is split across many EAP packets.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **tunnel)

    # 3) Password supplied in hashed ("hash:") form instead of cleartext.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tunnel)

    # 4) A near-miss password must be refused.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner identity in DOMAIN\user form; the server is expected to
    # strip/handle the domain prefix.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the PEAP run has to end in EAP failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # crypto_binding ties the inner MSCHAPv2 keys to the outer TLS
        # tunnel: 2 = required, 1 = optional, 0 = disabled.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    # Required binding on the first station, plus data path and reauth.
    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must interoperate with the same server.
    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure lands in hostapd.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Without the inner method's key material the server cannot produce
    # the crypto-binding TLV, so the required binding must fail locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1251 def test_ap_wpa2_eap_peap_params(dev, apdev):
1252 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1253 check_eap_capa(dev[0], "MSCHAPV2")
1254 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1255 hostapd.add_ap(apdev[0]['ifname'], params)
# peaplabel=1 changes the key-derivation label on the client side; with
# PEAPv0 the server does not use it, so the connection is expected to fail.
1256 eap_connect(dev[0], apdev[0], "PEAP", "user",
1257 anonymous_identity="peap", password="password",
1258 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1259 phase1="peapver=0 peaplabel=1",
1260 expect_failure=True)
1261 dev[0].request("REMOVE_NETWORK all")
# peap_outer_success selects how the tunneled success is concluded; both
# settings must still interoperate with the server.
1262 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1263 ca_cert="auth_serv/ca.pem",
1264 phase1="peap_outer_success=1",
1265 phase2="auth=MSCHAPV2")
1266 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1267 ca_cert="auth_serv/ca.pem",
1268 phase1="peap_outer_success=2",
1269 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP itself succeeds, but no CONNECTED event may
# follow within 1 s (presumably a key mismatch in the 4-way handshake).
# NOTE(review): listing line 1271 (most likely `identity="user",`) and the
# `if ev ...` guards at listing lines 1277 and 1280 are missing here; the
# second guard must be the inverse (connection present -> raise).
1270 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1272 anonymous_identity="peap", password="password",
1273 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1274 phase1="peapver=1 peaplabel=1",
1275 wait_connect=False, scan_freq="2412")
1276 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1278 raise Exception("No EAP success seen")
1279 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1281 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client certificate authentication inside the PEAP tunnel: the
    # "*2" parameters configure the inner TLS, ca_cert the outer one.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: trust root plus client cert/key
    # read from files.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
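def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # Load a PEM file and hand it to wpa_supplicant as a named config
        # blob over the control interface (blob contents are hex-encoded).
        # Raises Exception naming the blob when the request is not accepted.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # Fix: the original reported "cacert" here, hiding which blob failed.
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three TLS inputs now come from blobs instead of files.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")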
1320 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1321 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1322 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1323 hostapd.add_ap(apdev[0]['ifname'], params)
# Client certificate and key come from one PKCS#12 container; the
# container passphrase is given in the network configuration.
1324 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1325 private_key="auth_serv/user.pkcs12",
1326 private_key_passwd="whatever")
1327 dev[0].request("REMOVE_NETWORK all")
1328 dev[0].wait_disconnected()
# Same container, but with no passphrase configured: wpa_supplicant must
# ask for it (CTRL-REQ-PASSPHRASE) and accept it via CTRL-RSP instead of
# failing or proceeding with an unprotected key. NOTE(review): the
# `if ev is None:` guard (listing line 1336) is missing from this listing.
1330 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1331 identity="tls user",
1332 ca_cert="auth_serv/ca.pem",
1333 private_key="auth_serv/user.pkcs12",
1334 wait_connect=False, scan_freq="2412")
1335 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1337 raise Exception("Request for private key passphrase timed out")
# The request event carries the network id; echo it back in the response.
1338 id = ev.split(':')[0].split('-')[-1]
1339 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1340 dev[0].wait_connected(timeout=10)
1341 dev[0].request("REMOVE_NETWORK all")
1342 dev[0].wait_disconnected()
1344 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1345 # different files to cover both cases of the extra certificate being the
1346 # one that signed the client certificate and it being unrelated to the
1347 # client certificate.
# NOTE(review): listing lines 1349 and 1352 are missing; this call needs a
# private_key argument, presumably the loop variable. Confirm against source.
1348 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1350 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1351 ca_cert="auth_serv/ca.pem",
1353 private_key_passwd="whatever")
1354 dev[0].request("REMOVE_NETWORK all")
1355 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Trust root as a blob (PEM decoded by read_pem, then hex-encoded for
    # the control interface).
    ca_der = read_pem("auth_serv/ca.pem")
    reply = dev[0].request("SET blob cacert " + ca_der.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")
    # PKCS#12 container read as raw bytes and stored as a second blob.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
        reply = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1371 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1372 """WPA2-Enterprise negative test - incorrect trust root"""
1373 check_eap_capa(dev[0], "MSCHAPV2")
1374 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1375 hostapd.add_ap(apdev[0]['ifname'], params)
# The same wrong CA is supplied two ways - as a config blob (dev[0]) and as
# a file (dev[1]) - and both stations must refuse the server certificate.
1376 cert = read_pem("auth_serv/ca-incorrect.pem")
1377 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1378 raise Exception("Could not set cacert blob")
1379 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1380 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1381 password="password", phase2="auth=MSCHAPV2",
1382 ca_cert="blob://cacert",
1383 wait_connect=False, scan_freq="2412")
1384 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386 password="password", phase2="auth=MSCHAPV2",
1387 ca_cert="auth_serv/ca-incorrect.pem",
1388 wait_connect=False, scan_freq="2412")
# Expected sequence per station: EAP start -> TTLS selected -> TLS cert
# error -> EAP failure -> disconnect -> network block temporarily disabled.
# Note the loop variable shadows the `dev` parameter (last use, so harmless).
# NOTE(review): every `if ev is None:` guard before the "timed out" raises
# is missing from this listing.
1390 for dev in (dev[0], dev[1]):
1391 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1393 raise Exception("Association and EAP start timed out")
1395 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1397 raise Exception("EAP method selection timed out")
1398 if "TTLS" not in ev:
1399 raise Exception("Unexpected EAP method")
# Any success/connected event here would mean the wrong CA was accepted.
1401 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1402 "CTRL-EVENT-EAP-SUCCESS",
1403 "CTRL-EVENT-EAP-FAILURE",
1404 "CTRL-EVENT-CONNECTED",
1405 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1407 raise Exception("EAP result timed out")
1408 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1409 raise Exception("TLS certificate error not reported")
1411 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1412 "CTRL-EVENT-EAP-FAILURE",
1413 "CTRL-EVENT-CONNECTED",
1414 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1416 raise Exception("EAP result(2) timed out")
1417 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1418 raise Exception("EAP failure not reported")
1420 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1421 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1423 raise Exception("EAP result(3) timed out")
1424 if "CTRL-EVENT-DISCONNECTED" not in ev:
1425 raise Exception("Disconnection not reported")
# The failed network must be temp-disabled so the client does not keep
# retrying against an untrusted server.
1427 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1429 raise Exception("Network block disabling not reported")
1431 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1432 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1433 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1434 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First network block trusts the correct CA and connects successfully.
1435 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1436 identity="pap user", anonymous_identity="ttls",
1437 password="password", phase2="auth=PAP",
1438 ca_cert="auth_serv/ca.pem",
1439 wait_connect=True, scan_freq="2412")
# Second block for the same SSID trusts a different (wrong) CA; only added,
# not yet selected.
1440 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441 identity="pap user", anonymous_identity="ttls",
1442 password="password", phase2="auth=PAP",
1443 ca_cert="auth_serv/ca-incorrect.pem",
1444 only_add_network=True, scan_freq="2412")
1446 dev[0].request("DISCONNECT")
1447 dev[0].wait_disconnected()
1448 dev[0].dump_monitor()
1449 dev[0].select_network(id, freq="2412")
# Switching to the block with the other CA must trigger a fresh EAP-TTLS
# run (method=21) rather than reusing state from the earlier trusted
# session, and that run must end in an 802.1X failure (reason=23).
# NOTE(review): the `if ev is None:` guard (listing line 1452) is missing.
1451 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1453 raise Exception("EAP-TTLS not re-started")
1455 ev = dev[0].wait_disconnected(timeout=15)
1456 if "reason=23" not in ev:
1457 raise Exception("Proper reason code for disconnection not reported")
1459 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1460 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1461 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1462 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant: the first block configures no ca_cert at all, so the server
# certificate is not validated against any trust root on this connection.
1463 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1464 identity="pap user", anonymous_identity="ttls",
1465 password="password", phase2="auth=PAP",
1466 wait_connect=True, scan_freq="2412")
# Second block with a wrong CA, added but not selected yet.
1467 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1468 identity="pap user", anonymous_identity="ttls",
1469 password="password", phase2="auth=PAP",
1470 ca_cert="auth_serv/ca-incorrect.pem",
1471 only_add_network=True, scan_freq="2412")
1473 dev[0].request("DISCONNECT")
1474 dev[0].wait_disconnected()
1475 dev[0].dump_monitor()
1476 dev[0].select_network(id, freq="2412")
# Selecting the stricter block must restart EAP-TTLS (method=21) and fail
# with 802.1X reason=23 - the unvalidated first session must not carry over.
# NOTE(review): the `if ev is None:` guard (listing line 1479) is missing.
1478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1480 raise Exception("EAP-TTLS not re-started")
1482 ev = dev[0].wait_disconnected(timeout=15)
1483 if "reason=23" not in ev:
1484 raise Exception("Proper reason code for disconnection not reported")
1486 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1487 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1488 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1489 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant: a single network block whose ca_cert is changed in place after
# a successful connection.
1490 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1491 identity="pap user", anonymous_identity="ttls",
1492 password="password", phase2="auth=PAP",
1493 ca_cert="auth_serv/ca.pem",
1494 wait_connect=True, scan_freq="2412")
1495 dev[0].request("DISCONNECT")
1496 dev[0].wait_disconnected()
1497 dev[0].dump_monitor()
1498 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1499 dev[0].select_network(id, freq="2412")
# Editing the trust root must invalidate whatever was cached for this
# block: EAP-TTLS (method=21) runs again and ends with 802.1X reason=23.
# NOTE(review): the `if ev is None:` guard (listing line 1502) is missing.
1501 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1503 raise Exception("EAP-TTLS not re-started")
1505 ev = dev[0].wait_disconnected(timeout=15)
1506 if "reason=23" not in ev:
1507 raise Exception("Proper reason code for disconnection not reported")
1509 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1510 """WPA2-Enterprise negative test - domain suffix mismatch"""
1511 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1512 hostapd.add_ap(apdev[0]['ifname'], params)
# Correct CA but a domain_suffix_match that the server name cannot satisfy:
# chain validation alone must not be enough to accept the server.
1513 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1514 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1515 password="password", phase2="auth=MSCHAPV2",
1516 ca_cert="auth_serv/ca.pem",
1517 domain_suffix_match="incorrect.example.com",
1518 wait_connect=False, scan_freq="2412")
# NOTE(review): every `if ev is None:` guard before the "timed out" raises
# is missing from this listing.
1520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1522 raise Exception("Association and EAP start timed out")
1524 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1526 raise Exception("EAP method selection timed out")
1527 if "TTLS" not in ev:
1528 raise Exception("Unexpected EAP method")
# The certificate error must be reported and must name the suffix mismatch.
1530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1531 "CTRL-EVENT-EAP-SUCCESS",
1532 "CTRL-EVENT-EAP-FAILURE",
1533 "CTRL-EVENT-CONNECTED",
1534 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1536 raise Exception("EAP result timed out")
1537 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1538 raise Exception("TLS certificate error not reported")
1539 if "Domain suffix mismatch" not in ev:
1540 raise Exception("Domain suffix mismatch not reported")
1542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1543 "CTRL-EVENT-EAP-FAILURE",
1544 "CTRL-EVENT-CONNECTED",
1545 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1547 raise Exception("EAP result(2) timed out")
1548 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1549 raise Exception("EAP failure not reported")
1551 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1552 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1554 raise Exception("EAP result(3) timed out")
1555 if "CTRL-EVENT-DISCONNECTED" not in ev:
1556 raise Exception("Disconnection not reported")
# Failed block gets temporarily disabled so the client stops retrying.
1558 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1560 raise Exception("Network block disabling not reported")
1562 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1563 """WPA2-Enterprise negative test - domain mismatch"""
1564 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1565 hostapd.add_ap(apdev[0]['ifname'], params)
# domain_match requires the full server name; "w1.fi" is only a suffix of
# it (see the positive suffix-match test), so this must be rejected even
# though the CA is correct.
1566 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1567 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1568 password="password", phase2="auth=MSCHAPV2",
1569 ca_cert="auth_serv/ca.pem",
1570 domain_match="w1.fi",
1571 wait_connect=False, scan_freq="2412")
# NOTE(review): every `if ev is None:` guard before the "timed out" raises
# is missing from this listing.
1573 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1575 raise Exception("Association and EAP start timed out")
1577 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1579 raise Exception("EAP method selection timed out")
1580 if "TTLS" not in ev:
1581 raise Exception("Unexpected EAP method")
# The certificate error must be reported and must name the domain mismatch.
1583 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1584 "CTRL-EVENT-EAP-SUCCESS",
1585 "CTRL-EVENT-EAP-FAILURE",
1586 "CTRL-EVENT-CONNECTED",
1587 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1589 raise Exception("EAP result timed out")
1590 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1591 raise Exception("TLS certificate error not reported")
1592 if "Domain mismatch" not in ev:
1593 raise Exception("Domain mismatch not reported")
1595 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1596 "CTRL-EVENT-EAP-FAILURE",
1597 "CTRL-EVENT-CONNECTED",
1598 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1600 raise Exception("EAP result(2) timed out")
1601 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1602 raise Exception("EAP failure not reported")
1604 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1605 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1607 raise Exception("EAP result(3) timed out")
1608 if "CTRL-EVENT-DISCONNECTED" not in ev:
1609 raise Exception("Disconnection not reported")
# Failed block gets temporarily disabled so the client stops retrying.
1611 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1613 raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    The station is configured with subject_match="/C=FI/O=w1.fi/CN=example.com"
    and must reject the server certificate with a "Subject mismatch" TLS
    certificate error, fail EAP, disconnect and have the network block
    temporarily disabled. When the TLS library is not OpenSSL the EAP method
    may fail to initialize instead; since the connection still does not
    succeed that outcome is accepted as a pass.
    """
    sta = dev[0]

    def expect(events, err):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(err)
        return ev

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds are required to support subject_match.
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
1675 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1676 """WPA2-Enterprise negative test - altsubject mismatch"""
# Driver for _test_ap_wpa2_eap_tls_neg_altsubject_match(): one AP is started
# and each altsubject_match value in 'tests' is run against it in turn. Every
# value is one that must NOT match the server certificate's subjectAltName,
# so each run is expected to end in a rejected certificate.
1677 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1678 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): lines 1682-1684 are missing from this listing; they presumably
# hold further list entries and the loop header that binds 'match' below.
1680 tests = [ "incorrect.example.com",
1681 "DNS:incorrect.example.com",
1685 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already started AP.

    The station is configured with altsubject_match=match and must reject the
    server certificate with an "AltSubject mismatch" TLS certificate error,
    fail EAP, disconnect and have the network block temporarily disabled.
    With a TLS library other than OpenSSL the EAP method may fail to
    initialize instead; that is also accepted (the connection did not
    succeed) and the function returns early without clearing the network
    block.
    """
    sta = dev[0]

    def expect(events, err):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(err)
        return ev

    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds are required to support altsubject_match.
        tls = sta.request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    # Leave a clean station for the next altsubject_match value.
    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Connects with the UNAUTH-TLS method (server certificate validated against
    auth_serv/ca.pem, no client credential) and then checks that a
    reauthentication with the same method succeeds.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases against the same AP:
      1. ca_cert="probe://": the depth=0 peer certificate event must carry
         the expected sha256 hash and the attempt must end with a
         "Server certificate chain probe" error - probe mode only reports the
         certificate, it never completes authentication.
      2. ca_cert pinned to a different sha256 value: must be rejected with
         "Server certificate mismatch" and disconnect.
      3. ca_cert pinned to the probed hash: must connect.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, err):
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(err)
        return ev

    # Phase 1: probe the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 2: a well-formed pin that does not match the server certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Phase 3: the pin learned in phase 1 must be accepted.
    eap_connect(sta, ap, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three stations are each given a malformed ca_cert pin: a digest label
    other than sha256 (md5), a sha256 value that is too short, and a sha256
    value containing a non-hex character. For every one of them the EAP-TTLS
    method must fail to initialize - a bad pin has to be rejected at
    configuration time, not treated as "no pin".
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Start all three attempts first, then collect the results.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_pins)):
        sta = dev[i]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
1828 def test_ap_wpa2_eap_pwd(dev, apdev):
1829 """WPA2-Enterprise connection using EAP-pwd"""
1830 check_eap_capa(dev[0], "PWD")
1831 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1832 hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: password authentication followed by a reauthentication round.
1833 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1834 eap_reauth(dev[0], "PWD")
1835 dev[0].request("REMOVE_NETWORK all")
# Very long NAI identity (100+ character realm label). NOTE(review): the
# trailing keyword argument(s) of this call, line 1840, are missing from
# this listing.
1837 eap_connect(dev[1], apdev[0], "PWD",
1838 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1839 password="secret password",
# A wrong password must be rejected (expect_failure=True; see eap_connect()
# for what local_error_report=True requires).
1842 logger.info("Negative test with incorrect password")
1843 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1844 expect_failure=True, local_error_report=True)
# Second long-identity attempt, this time from dev[0]. NOTE(review): its
# trailing keyword argument(s), lines 1849-1850, are missing from this listing.
1846 eap_connect(dev[0], apdev[0], "PWD",
1847 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1848 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    For the "pwd-hash" user the server holds an NT hash rather than a
    plaintext password, so both the plaintext and the hash:<hex> form of the
    password must authenticate. The same hash presented for a user whose
    credential is not stored as an NT hash ("pwd user") must be rejected.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = apdev[0]
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Reconfigures the AP once per pwd_group value and connects with the same
    credentials each time; the station's network block is cleared before
    every attempt so each group is negotiated from scratch.
    """
    check_eap_capa(dev[0], "PWD")
    ap = apdev[0]
    ap_conf = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                "rsn_pairwise": "CCMP", "ieee8021x": "1",
                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in (19, 20, 21, 25, 26):
        ap_conf['pwd_group'] = str(group)
        hostapd.add_ap(ap['ifname'], ap_conf)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group=0, which the station must not be able
    to complete EAP-pwd with; an EAP failure is required.
    """
    check_eap_capa(dev[0], "PWD")
    ap_conf = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                "rsn_pairwise": "CCMP", "ieee8021x": "1",
                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    ap_conf['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    # wait_event()'s default timeout applies here.
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
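def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with a small fragment_size so the server side has to
    fragment its EAP-pwd messages; the connection must still succeed.
    """
    check_eap_capa(dev[0], "PWD")
    # The full parameter set is spelled out here (instead of starting from
    # hostapd.wpa2_eap_params()) because pwd_group and fragment_size are
    # added on top; the former dead assignment of wpa2_eap_params() is gone.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")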
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with EAP-GPSK, reauthenticates, then forces each supported
    cipher suite through phase1 (both must succeed), forces an unknown one
    (must fail rather than fall back), and finally checks that a wrong key
    is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(sta, ap, "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    def expect(events, err):
        if sta.wait_event(events, timeout=10) is None:
            raise Exception(err)

    logger.info("Test forced algorithm selection")
    for phase1 in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(netid, "phase1", phase1)
        expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(netid, "phase1", "cipher=9")
    expect(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects and reauthenticates with the correct 32-byte key (given as hex),
    then checks that a key differing in its first byte is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with EAP-EKE, reauthenticates, forces several explicit
    dhgroup/encr/prf/mac combinations through phase1 (each must succeed),
    forces an unknown combination (must fail rather than fall back), and
    finally checks that a wrong password is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    def expect(events, err):
        if sta.wait_event(events, timeout=10) is None:
            raise Exception(err)

    logger.info("Test forced algorithm selection")
    forced = ("dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in forced:
        sta.set_network_quoted(netid, "phase1", phase1)
        expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    expect(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the internal EAP server parameters with server_id set to an NAI
    form identity and checks that an EAP-EKE connection still succeeds.
    """
    ap = apdev[0]
    ap_conf = int_eap_server_params()
    ap_conf['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(ap['ifname'], ap_conf)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
1980 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1981 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Robustness test for the server-side (hostapd) EAP-EKE implementation.
# alloc_fail() (from utils; presumably makes the count-th allocation inside
# the named function fail) is applied to hapd, and every injected failure
# must leave the EAP exchange in a clean failed state rather than a hang.
1982 params = int_eap_server_params()
1983 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1984 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Failures injected mid-exchange: eap_connect() with expect_failure=True
# requires the conversation to end in an EAP failure.
1986 for count,func in [ (1, "eap_eke_build_commit"),
1987 (2, "eap_eke_build_commit"),
1988 (3, "eap_eke_build_commit"),
1989 (1, "eap_eke_build_confirm"),
1990 (2, "eap_eke_build_confirm"),
1991 (1, "eap_eke_process_commit"),
1992 (2, "eap_eke_process_commit"),
1993 (1, "eap_eke_process_confirm"),
1994 (1, "eap_eke_process_identity"),
1995 (2, "eap_eke_process_identity"),
1996 (3, "eap_eke_process_identity"),
1997 (4, "eap_eke_process_identity") ]:
1998 with alloc_fail(hapd, count, func):
1999 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2000 expect_failure=True)
2001 dev[0].request("REMOVE_NETWORK all")
# Failures injected where no result event is guaranteed: the station is
# started without wait_connect and the test only polls GET_ALLOC_FAIL
# (a leading '0' presumably meaning the injected failure has been consumed).
# NOTE(review): the polling loop around that check (lines 2016-2017, 2019)
# is missing from this listing.
2003 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2004 (1, "eap_eke_get_session_id", "hello"),
2005 (1, "eap_eke_getKey", "hello"),
2006 (1, "eap_eke_build_msg", "hello"),
2007 (1, "eap_eke_build_failure", "wrong"),
2008 (1, "eap_eke_build_identity", "hello"),
2009 (2, "eap_eke_build_identity", "hello") ]:
2010 with alloc_fail(hapd, count, func):
2011 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2012 eap="EKE", identity="eke user", password=pw,
2013 wait_connect=False, scan_freq="2412")
2014 # This would eventually time out, but we can stop after having
2015 # reached the allocation failure.
2018 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2020 dev[0].request("REMOVE_NETWORK all")
# Sweep every allocation point reached through eap_server_sm_step until
# alloc_fail reports "Allocation failure did not trigger", i.e. count has
# passed the number of allocations on that path. Note that 'pw' here is the
# leftover loop variable from the list above (its last entry). NOTE(review):
# the try: line and the polling loop (lines 2023, 2031-2032, 2034, 2038) are
# missing from this listing; 'except Exception, e:' is Python 2 syntax.
2022 for count in range(1, 1000):
2024 with alloc_fail(hapd, count, "eap_server_sm_step"):
2025 dev[0].connect("test-wpa2-eap",
2026 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2027 eap="EKE", identity="eke user", password=pw,
2028 wait_connect=False, scan_freq="2412")
2029 # This would eventually time out, but we can stop after having
2030 # reached the allocation failure.
2033 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2035 dev[0].request("REMOVE_NETWORK all")
2036 except Exception, e:
2037 if str(e) == "Allocation failure did not trigger":
# Guard against the sweep ending after a suspiciously small number of
# injected failures, which would indicate the injection never engaged.
2039 raise Exception("Too few allocation failures")
2040 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects and reauthenticates with EAP-IKEv2, repeats the connection with
    station-side fragmentation (fragment_size=50), and finally checks that a
    wrong password is rejected.
    """
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike-password",
                expect_failure=True)
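def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with a small fragment_size so the server side has to
    fragment its EAP-IKEv2 messages; connection and reauthentication must
    still succeed.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The full parameter set is spelled out here (instead of starting from
    # hostapd.wpa2_eap_params()) because fragment_size is added on top; the
    # former dead assignment of wpa2_eap_params() is gone.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")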
2074 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2075 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Robustness test for the station-side EAP-IKEv2 implementation: allocation
# failures (alloc_fail) and forced function failures (fail_test) are injected
# into the Diffie-Hellman helpers the method depends on. The method must
# still be selected and the injected failure must be consumed without the
# supplicant misbehaving.
2076 check_eap_capa(dev[0], "IKEV2")
2077 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2078 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): line 2081 (another (count, func) entry) is missing from this
# listing.
2080 tests = [ (1, "dh_init"),
2082 (1, "dh_derive_shared") ]
2083 for count, func in tests:
2084 with alloc_fail(dev[0], count, func):
2085 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2086 identity="ikev2 user", password="ike password",
2087 wait_connect=False, scan_freq="2412")
2088 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2090 raise Exception("EAP method not selected")
# Poll GET_ALLOC_FAIL until the pending failure count reads "0:" (presumably
# meaning the injected failure has fired). NOTE(review): the 'if ev is None:'
# line and the polling loop (lines 2089, 2091, 2093-2094) are missing here.
2092 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2095 dev[0].request("REMOVE_NETWORK all")
# "os_get_random;dh_init": a forced failure of the random number source as
# called from dh_init (fail_test rather than alloc_fail); key generation must
# not proceed with missing randomness.
2097 tests = [ (1, "os_get_random;dh_init") ]
2098 for count, func in tests:
2099 with fail_test(dev[0], count, func):
2100 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2101 identity="ikev2 user", password="ike password",
2102 wait_connect=False, scan_freq="2412")
2103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2105 raise Exception("EAP method not selected")
# Same polling pattern against GET_FAIL. NOTE(review): lines 2104, 2106 and
# 2108-2109 are missing from this listing.
2107 if "0:" in dev[0].request("GET_FAIL"):
2110 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects and reauthenticates with the correct 16-byte key (given as hex),
    then checks that a key differing in its first byte is rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP advertises only the SHA-256 based 802.1X AKM with management frame
    protection required (ieee80211w=2). The station must connect with
    sha256=True, reauthenticate, report the 00-0f-ac-5 AKM selector in its
    MIB on both the requested and selected side, and show the
    WPA2-EAP-SHA256-CCMP flag for the BSS. A wrong key must be rejected.
    """
    sta = dev[0]
    ap = apdev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_conf["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], ap_conf)
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2150 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2151 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# Robustness test for the station-side EAP-PSK implementation: allocation
# failures are injected into the AES-EAX / OMAC1 primitives the method uses
# (func strings of the form "inner;outer" presumably restrict the failure
# to the inner function when called from the outer one; "=func" to func
# itself). The method must still be selected and the failure consumed.
2152 skip_with_fips(dev[0])
2153 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2154 hostapd.add_ap(apdev[0]['ifname'], params)
2155 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2156 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2157 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2158 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2159 (1, "=aes_128_eax_encrypt"),
2160 (1, "omac1_aes_vector"),
2161 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2162 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2163 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2164 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2165 (1, "=aes_128_eax_decrypt") ]
2166 for count, func in tests:
2167 with alloc_fail(dev[0], count, func):
2168 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2169 identity="psk.user@example.com",
2170 password_hex="0123456789abcdef0123456789abcdef",
2171 wait_connect=False, scan_freq="2412")
2172 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2174 raise Exception("EAP method not selected")
# Poll GET_ALLOC_FAIL until it reads "0:" (presumably: injected failure has
# fired). NOTE(review): the 'if ev is None:' line and the polling loop
# (lines 2173, 2175, 2177-2178, 2180) are missing from this listing.
2176 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2179 dev[0].request("REMOVE_NETWORK all")
# A failure in the block cipher itself must surface as an EAP failure event
# rather than a silent retry or a hang. NOTE(review): the 'if ev is None:'
# line (2187) is missing from this listing.
2181 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2182 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2183 identity="psk.user@example.com",
2184 password_hex="0123456789abcdef0123456789abcdef",
2185 wait_connect=False, scan_freq="2412")
2186 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2188 raise Exception("EAP method failure not reported")
2189 dev[0].request("REMOVE_NETWORK all")
2191 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2192 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# WPA (not WPA2) variant: hostapd.wpa_eap_params() and rsn=False on the
# eap_check_auth()/eap_reauth() calls. Besides the connection itself, the
# test checks the WPA AKM selector (00-50-f2-1) in the MIB and the
# portControl / eap_session_id fields of STATUS-VERBOSE.
2193 check_eap_capa(dev[0], "MSCHAPV2")
2194 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2195 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the last argument line of this connect() call (line 2199) is
# missing from this listing.
2196 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2197 identity="user", password="password", phase2="auth=MSCHAPV2",
2198 ca_cert="auth_serv/ca.pem", wait_connect=False,
2200 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2201 hwsim_utils.test_connectivity(dev[0], hapd)
2202 eap_reauth(dev[0], "PEAP", rsn=False)
2203 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2204 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2205 status = dev[0].get_status(extra="VERBOSE")
2206 if 'portControl' not in status:
2207 raise Exception("portControl missing from STATUS-VERBOSE")
2208 if status['portControl'] != 'Auto':
2209 raise Exception("Unexpected portControl value: " + status['portControl'])
# The EAP Session-Id is expected to start with the PEAP type code (0x19 = 25)
# encoded as the hex string "19".
2210 if 'eap_session_id' not in status:
2211 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2212 if not status['eap_session_id'].startswith("19"):
2213 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2215 def test_ap_wpa2_eap_interactive(dev, apdev):
2216 """WPA2-Enterprise connection using interactive identity/password entry"""
# Credentials are deliberately left out of the network block and supplied
# at runtime through the control interface: the supplicant emits
# CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) and the test
# answers with the matching CTRL-RSP-<type>-<id>:<value>. Each tuple in
# 'tests' is (description, eap, anonymous_identity, identity, phase2,
# identity-to-supply-on-request, password-to-supply-on-request).
2217 check_eap_capa(dev[0], "MSCHAPV2")
2218 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2219 hostapd.add_ap(apdev[0]['ifname'], params)
2220 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# NOTE(review): line 2224 (tail of the first tuple) is missing from this
# listing.
2222 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2223 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2225 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2226 "TTLS", "ttls", None, "auth=MSCHAPV2",
2227 "DOMAIN\mschapv2 user", "password"),
2228 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2229 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2230 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2231 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2232 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2233 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2234 ("Connection with dynamic PEAP/EAP-GTC password entry",
2235 "PEAP", None, "user", "auth=GTC", None, "password") ]
# NOTE(review): line 2237, the first statement of the loop body, is missing
# from this listing.
2236 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2239 anonymous_identity=anon, identity=identity,
2240 ca_cert="auth_serv/ca.pem", phase2=phase2,
2241 wait_connect=False, scan_freq="2412")
# The identity request is only waited for when the network block has no
# identity; the request id is the last '-'-separated token before the ':'.
# NOTE(review): lines 2244 and 2249 ('if ev is None:') are missing from this
# listing, and the 'if req_id:' style guard that the unconditional wait below
# would need is not visible either.
2243 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2245 raise Exception("Request for identity timed out")
2246 id = ev.split(':')[0].split('-')[-1]
2247 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2248 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2250 raise Exception("Request for password timed out")
2251 id = ev.split(':')[0].split('-')[-1]
# GTC can ask for a one-time password instead; answer on the same channel.
2252 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2253 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2254 dev[0].wait_connected(timeout=10)
2255 dev[0].request("REMOVE_NETWORK all")
2257 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2258 """WPA2-Enterprise connection using EAP vendor test"""
# Exercises the expanded-type (vendor-specific) EAP method VENDOR-TEST:
# connect, reauthenticate, then a second station's attempt whose trailing
# arguments (lines 2264-2265) are missing from this listing.
2259 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2260 hostapd.add_ap(apdev[0]['ifname'], params)
2261 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2262 eap_reauth(dev[0], "VENDOR-TEST")
2263 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Runs EAP-FAST with fast_provisioning=1 (unauthenticated PAC provisioning)
    and the PAC kept in the "fast_pac" blob, verifies data connectivity, and
    then requires the reauthentication to resume the TLS session from the PAC
    (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2280 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2281 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
# EAP-FAST with the PAC stored in real files under the test log directory
# (text format for dev[0], binary format for dev[1]) instead of a blob.
# Note that the 'params' argument (test harness parameters, used for
# params['logdir']) is re-bound below to the hostapd parameter dict.
2282 check_eap_capa(dev[0], "FAST")
2283 pac_file = os.path.join(params['logdir'], "fast.pac")
2284 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2285 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2286 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): lines 2287-2288 are missing from this listing.
# Provisioning run: the PAC (including its PAC-Key, i.e. secret material)
# is written to pac_file; the file is then inspected for the expected header
# and key entry. NOTE(review): line 2294, presumably the read that binds
# 'data', is missing from this listing.
2289 eap_connect(dev[0], apdev[0], "FAST", "user",
2290 anonymous_identity="FAST", password="password",
2291 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2292 phase1="fast_provisioning=1", pac_file=pac_file)
2293 with open(pac_file, "r") as f:
2295 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2296 raise Exception("PAC file header missing")
2297 if "PAC-Key=" not in data:
2298 raise Exception("PAC-Key missing from PAC file")
# Second run without provisioning must succeed using the stored PAC.
# NOTE(review): the tail of this call (lines 2303-2304) is missing.
2299 dev[0].request("REMOVE_NETWORK all")
2300 eap_connect(dev[0], apdev[0], "FAST", "user",
2301 anonymous_identity="FAST", password="password",
2302 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same two-step sequence with fast_pac_format=binary on dev[1].
# NOTE(review): lines 2309 and 2315-2321 (call tails and, presumably, the
# inspection of the binary PAC file) are missing from this listing.
2305 eap_connect(dev[1], apdev[0], "FAST", "user",
2306 anonymous_identity="FAST", password="password",
2307 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2308 phase1="fast_provisioning=1 fast_pac_format=binary",
2310 dev[1].request("REMOVE_NETWORK all")
2311 eap_connect(dev[1], apdev[0], "FAST", "user",
2312 anonymous_identity="FAST", password="password",
2313 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2314 phase1="fast_pac_format=binary",
# Cleanup of the on-disk PAC material. NOTE(review): only the removal of
# pac_file2 is visible; lines 2323-2325 are missing from this listing.
2322 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC in binary format into the "fast_pac_bin" blob with the
    PAC list capped at one entry (fast_max_pac_list_len=1), then requires the
    reauthentication to resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Negative test. Two attempts are made without a usable PAC: first with a
    pac_file blob that nothing has populated, then with no pac_file at all.
    Neither attempt sets fast_provisioning in phase1, so both are expected
    to end in CTRL-EVENT-EAP-FAILURE rather than a completed connection.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Case 1: pac_file references a blob that was never provisioned.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): a line is missing from this listing between the
    # wait_event() and the raise; presumably it guards on ev being None.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    # Case 2: no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): same missing guard line as above.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Uses fast_provisioning=2 with an EAP-GTC inner method, verifies data
    connectivity through the AP, then requires that a reauthentication
    resumes the TLS session from the freshly provisioned PAC.
    """
    sta = dev[0]
    ap = apdev[0]
    check_eap_capa(sta, "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_ctrl = hostapd.add_ap(ap['ifname'], ap_conf)
    inner = dict(anonymous_identity="FAST", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(sta, ap, "FAST", "user", **inner)
    hwsim_utils.test_connectivity(sta, ap_ctrl)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    Connects with authenticated provisioning (fast_provisioning=2), then
    rewrites the identity of the live network profile to "user2". The
    expected sequence is: disconnect, a new EAP-FAST method start, an EAP
    failure (presumably because the provisioned PAC does not belong to the
    new identity), and a second disconnect.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity on the configured network triggers a reconnect.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): a line is missing from this listing here; presumably the
    # raise below is guarded on ev being None.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): same missing guard line as above.
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Fault-injection test on the station: alloc_fail() makes an allocation in
    openssl_tls_prf fail while EAP-FAST key material is being derived. The
    station is expected to report CTRL-EVENT-EAP-FAILURE cleanly rather than
    connect (or crash) with partially derived keys.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The integer argument appears to select which allocation in the named
    # function fails — see utils.alloc_fail for the exact contract.
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): one keyword line (presumably phase2=...)
                       # is missing from this listing here.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): a guard line is missing from this listing here;
        # presumably the raise only fires when ev is None.
        raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Fault-injection on the hostapd side: an allocation failure in
    tls_session_ticket_ext_cb (judging by its name, the session-ticket
    extension callback used for PAC handling) must surface to the station
    as an EAP failure. The network is then re-selected to check that the
    station recovers once the fault is no longer injected.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed 16-byte test value. A deployed server needs its own random
    # pac_opaque_encr_key, since it protects every PAC-Opaque it issues.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): a guard line is missing from this listing here;
        # presumably the raise only fires when ev is None.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # Retry the same network without the injected fault. (Indentation is
    # lost in this listing; this line is assumed to be outside the with.)
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case: the station requires a valid stapled OCSP response
    (ocsp=2) and the connection is expected to complete against the default
    AP configuration.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    client_cert = {"ca_cert": "auth_serv/ca.pem",
                   "private_key": "auth_serv/user.pkcs12",
                   "private_key_passwd": "whatever",
                   "ocsp": 2}
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_cert)
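def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    The dictionary configures a WPA2-Enterprise (WPA-EAP, CCMP) BSS whose
    802.1X authenticator uses hostapd's built-in EAP server with the test
    user database and server certificate from auth_serv/. Callers mutate
    the result (override server_cert, add ocsp_stapling_response, ...), so
    a fresh dict is built on every call.

    Returns:
        dict[str, str]: key/value pairs in hostapd.conf format.
    """
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "ca_cert": "auth_serv/ca.pem",
              "server_cert": "auth_serv/server.pem",
              "private_key": "auth_serv/server.key"}
    # Every caller does params["..."] = ... on the result; without this
    # return the function yields None and those assignments fail.
    return params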
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    Negative OCSP-stapling test: the server staples auth_serv/ocsp-req.der
    (judging by the name, an OCSP request rather than a response) while the
    station requires a valid stapled response (ocsp=2). The station must
    report a 'bad certificate status response' EAP status and then an EAP
    failure instead of accepting the server certificate.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): several lines are missing from this listing below — the
    # status check appears to be a bounded polling loop in the original, and
    # the raises presumably sit under None/limit guards. As printed they are
    # unguarded.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    Negative OCSP-stapling test: the stapled file is a deliberately invalid
    response (auth_serv/ocsp-server-cache.der-invalid). With ocsp=2 the
    station must flag 'bad certificate status response' and then fail EAP.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): loop/guard lines are missing from this listing below;
    # the raises are unguarded as printed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    Negative OCSP-stapling test: the stapled response is signed by a key
    the station cannot chain to (auth_serv/ocsp-server-cache.der-unknown-sign).
    A response from an untrusted responder must not be accepted as proof of
    good status: the station must flag 'bad certificate status response'
    and then fail EAP.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): loop/guard lines are missing from this listing below;
    # the raises are unguarded as printed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Requires a pre-generated OCSP response with status 'revoked' in the log
    directory (skipped otherwise). With ocsp=2 the station must reject the
    server certificate: an EAP status mentioning a bad status response or
    'certificate revoked' is expected, followed by an EAP failure.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # The `params` fixture is rebound here to the hostapd config dict.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): loop/guard lines are missing from this listing below
    # (the two `if` checks have no visible bodies); the raises are
    # unguarded as printed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    Requires a pre-generated OCSP response with status 'unknown' in the log
    directory (skipped otherwise). Because the station *requires* a good
    stapled response (ocsp=2), an 'unknown' status must be treated as a
    failure: a 'bad certificate status response' EAP status is expected,
    followed by an EAP failure.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # The `params` fixture is rebound here to the hostapd config dict.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): loop/guard lines are missing from this listing below;
    # the raises are unguarded as printed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise using EAP-TTLS with optional OCSP and status unknown

    Counterpart of the ocsp=2 tests: the server staples a pre-generated
    response whose status is 'unknown', but the station only *requests*
    OCSP (ocsp=1), so the connection is expected to complete. Skipped when
    the response file is not present in the log directory.
    """
    response = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(response):
        raise HwsimSkip("No OCSP response available")
    ap_conf = int_eap_server_params()
    ap_conf["ocsp_stapling_response"] = response
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate (auth_serv/server-no-dnsname, judging by the
    name) carries no dNSName SAN, so domain_suffix_match has to be checked
    against the subject CN. The configured value is the full name, which
    every TLS backend supports, so the connection is expected to complete.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the closing argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)

    Positive case for domain_match against a certificate without a dNSName
    SAN: the configured value equals the subject CN, so the connection is
    expected to complete.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the closing argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Like the _cn_full variant, but with a proper suffix ("w1.fi") rather
    than the full name. check_domain_match_full() skips the test on TLS
    backends that only support a full match for domain_suffix_match.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the closing argument line(s) of this
                   # connect() call are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Negative case for domain_suffix_match against a CN-only certificate.
    dev[0] uses an unrelated domain ("example.com"); dev[1] uses
    "erver3.w1.fi", which is a substring of server3.w1.fi but not a
    label-aligned suffix, and a correct implementation must not accept it.
    Both stations are expected to report an EAP failure.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): closing argument line(s) missing from this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): closing argument line(s) missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): same missing guard line as above.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Negative case for domain_match against a CN-only certificate. dev[0]
    uses an unrelated domain ("example.com") and dev[1] uses only the
    parent domain ("w1.fi"); domain_match requires the full name, so both
    stations are expected to report an EAP failure.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): closing argument line(s) missing from this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): closing argument line(s) missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): same missing guard line as above.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    Negative case: the AP presents an expired server certificate. The
    station must emit CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and
    the text 'certificate has expired', and then fail EAP rather than
    connect. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the human-readable text are checked.
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): same missing guard line as above.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the station sets phase1="tls_disable_time_checks=1", an explicit
    opt-out of validity-period checking, so the connection is expected to
    complete. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): closing argument line(s) missing from this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Positive case with a server certificate whose validity period is
    unusually long (auth_serv/server-long-duration); the station is
    expected to accept it and connect. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    Negative case: the AP presents a certificate whose Extended Key Usage
    only permits client authentication (auth_serv/server-eku-client). A
    station that honours EKU must refuse it as a server certificate, so an
    EAP failure is expected. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of the client-EKU test: the certificate's EKU
    lists both client and server authentication, so it is acceptable as a
    server certificate and the connection is expected to complete.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd is configured with only private_key pointing at a PKCS#12
    bundle (server_cert is removed), so certificate and key both come from
    that file. The connection is expected to complete. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    Station-side dh_file: the supplicant is given auth_serv/dh.conf (and the
    DER-encoded CA certificate) and must still complete EAP-TTLS with a PAP
    inner method.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP",
                 "dh_file": "auth_serv/dh.conf"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params, but the station-side dh_file is
    a DSA parameter file (auth_serv/dsaparam.pem).
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP",
                 "dh_file": "auth_serv/dsaparam.pem"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Station-side negative case: dh_file names a file that does not exist
    and the EAP exchange is expected to fail. Skipped in FIPS mode.

    NOTE(review): a second function with this exact name is defined later
    in this file (the server-side dh_file variant); that later definition
    replaces this one at import time, so this station-side test is never
    collected unless one of the two is renamed.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Station-side negative case: dh_file points at a CA certificate instead
    of DH parameters and the EAP exchange is expected to fail. Skipped in
    FIPS mode.

    NOTE(review): a second function with this exact name is defined later
    in this file (the server-side dh_file variant); that later definition
    replaces this one at import time, so this station-side test is never
    collected unless one of the two is renamed.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    Variant of the dh_file test where the DH parameters are first pushed
    into the supplicant as a named blob ("SET blob dhparams <hex>") and then
    referenced as dh_file="blob://dhparams". The inner method is PAP.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    dh_der = read_pem("auth_serv/dh2.conf")
    # str.encode("hex") is the Python 2 hex codec; a Python 3 port would
    # need binascii.hexlify(dh_der).decode() here instead.
    reply = dev[0].request("SET blob dhparams " + dh_der.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Server-side dh_file: hostapd's integrated EAP server is given
    auth_serv/dh2.conf and the station must still complete EAP-TTLS/PAP.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server-side dh_file using a DSA parameter file (auth_serv/dsaparam.pem);
    the station must still complete EAP-TTLS/PAP.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd is started with no_enable=True and a dh_file that does not
    exist; the ENABLE command must be refused ("FAIL") rather than bringing
    the AP up anyway.

    NOTE(review): this definition shares its name with the station-side
    test defined earlier in the file and therefore shadows it — only this
    server-side version is collected by the test runner.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    hostapd is started with no_enable=True and a dh_file that is really a
    CA certificate; the ENABLE command must be refused ("FAIL").

    NOTE(review): this definition shares its name with the station-side
    test defined earlier in the file and therefore shadows it — only this
    server-side version is collected by the test runner.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with eap_reauth_period=2 so that it forces a new
    EAP exchange shortly after the first EAP-PAX authentication. The test
    waits for the authenticator-initiated EAP-STARTED/EAP-SUCCESS pair and
    then polls wpa_state until the station is back in COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): same missing guard line as above.
    raise Exception("Timeout on reauthentication")
    # NOTE(review): the loop body below is missing its exit/delay lines in
    # this listing (the `if` has no visible body).
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is set to a displayable string followed by a
    literal backslash-zero and a comma-separated option list; the station
    must still complete EAP-PAX with that Identity request.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The "\\0" is two characters in the config value (backslash, zero);
    # hostapd, not Python, turns it into the NUL separator on the wire.
    ap_conf['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    pax_opts = {"password_hex": "0123456789abcdef0123456789abcdef"}
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com", **pax_opts)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with
    phase1="result_ind=1" (requesting the protected result indication),
    reauthenticates, and dev[1] connects without it; the server has
    eap_sim_aka_result_ind=1 enabled. Networks are cleared between
    methods. Requires the hlr_auc_gw socket, otherwise skipped.
    """
    check_hlr_auc_gw_support()
    ap_conf = int_eap_server_params()
    ap_conf['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_conf['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap = apdev[0]
    # (method, identity, test credential) triples; the credentials are the
    # fixed test vectors served by hlr_auc_gw.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], ap, method, imsi, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    Exercises the station's roundtrip limit: the EAP-TTLS/MSCHAP exchange is
    set up so that it keeps going, and the test expects the supplicant to
    abort with an "EAP: more than ..." message instead of looping forever.
    Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the final argument line of this call
                   # (the one that provokes the extra roundtrips) is missing
                   # from this listing.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station only offers EAP-PSK for identity "vendor-test"; the server's
    proposal for that user is refused, and the test looks for a
    "refuse proposed method" EAP status within a bounded number of status
    events, followed by an EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   # NOTE(review): closing argument line(s) missing from this listing.
    # NOTE(review): the loop below is missing its None-guard, break and
    # fall-through lines in this listing; the raises are unguarded as
    # printed.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database in the log directory and points
    hostapd's eap_user_file at it with the "sqlite:" prefix. Four users with
    different TTLS inner methods are then authenticated in turn. Skipped in
    FIPS mode or when the sqlite3 module is unavailable.

    The passwords are stored in the clear: PAP/CHAP/MSCHAP-family inner
    methods require the server to know the cleartext password (or its NT
    hash), which is inherent to those methods rather than to this fixture.
    All SQL below is static text, so there is no injection surface here.
    """
    skip_with_fips(dev[0])
    # NOTE(review): the try/import sqlite3 lines are missing from this listing.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): lines removing any stale DB and opening the cursor are
    # missing from this listing.
    con = sqlite3.connect(dbfile)
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty identity = wildcard entry for the outer (phase 1) method list.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # NOTE(review): commit/close lines are missing from this listing.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): trailing lines of this function are missing from this listing.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Robustness test against hostapd's integrated EAP server: identities
    containing a lone high byte ("\\x80" and "a\\x80") must not break the
    exchange — for both stations the test only requires that EAP starts and
    a method is selected, not that authentication succeeds.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): same missing guard line as above.
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    wpa2_eap_params() AP (external RADIUS path) rather than the integrated
    EAP server. Only EAP start and method selection are required.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): same missing guard line as above.
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Station-side openssl_ciphers: "AES128" must connect; "EXPORT" (export-
    grade suites) must fail — either rejected by the server or refused
    locally, hence maybe_local_error=True; and an unparsable list ("FOO")
    must produce an EAP failure. Skipped unless the station uses OpenSSL.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   # NOTE(review): closing argument line(s) missing from this listing.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): missing guard line; presumably the raise fires only when ev is None.
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    With the server restricted to openssl_ciphers="AES256": a station with
    default ciphers and one restricted to "HIGH:!ADH" connect, while one
    restricted to "AES128" has nothing in common with the server and must
    fail. Finally an unparsable value ("FOO") must make a second hostapd
    instance refuse ENABLE. Skipped unless both ends use OpenSSL.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_conf = int_eap_server_params()
    ap_conf['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
    # Reuse the same config dict with a bogus cipher string on a second AP.
    ap_conf['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_conf, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3120 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3121 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3122 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3123 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3124 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3125 pid = find_wpas_process(dev[0])
3126 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3127 anonymous_identity="ttls", password=password,
3128 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3130 buf = read_process_memory(pid, password)
3132 dev[0].request("DISCONNECT")
3133 dev[0].wait_disconnected()
3141 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3142 for l in f.readlines():
3143 if "EAP-TTLS: Derived key - hexdump" in l:
3144 val = l.strip().split(':')[3].replace(' ', '')
3145 msk = binascii.unhexlify(val)
3146 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3147 val = l.strip().split(':')[3].replace(' ', '')
3148 emsk = binascii.unhexlify(val)
3149 if "WPA: PMK - hexdump" in l:
3150 val = l.strip().split(':')[3].replace(' ', '')
3151 pmk = binascii.unhexlify(val)
3152 if "WPA: PTK - hexdump" in l:
3153 val = l.strip().split(':')[3].replace(' ', '')
3154 ptk = binascii.unhexlify(val)
3155 if "WPA: Group Key - hexdump" in l:
3156 val = l.strip().split(':')[3].replace(' ', '')
3157 gtk = binascii.unhexlify(val)
3158 if not msk or not emsk or not pmk or not ptk or not gtk:
3159 raise Exception("Could not find keys from debug log")
3161 raise Exception("Unexpected GTK length")
3167 fname = os.path.join(params['logdir'],
3168 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3170 logger.info("Checking keys in memory while associated")
3171 get_key_locations(buf, password, "Password")
3172 get_key_locations(buf, pmk, "PMK")
3173 get_key_locations(buf, msk, "MSK")
3174 get_key_locations(buf, emsk, "EMSK")
3175 if password not in buf:
3176 raise HwsimSkip("Password not found while associated")
3178 raise HwsimSkip("PMK not found while associated")
3180 raise Exception("KCK not found while associated")
3182 raise Exception("KEK not found while associated")
3184 raise Exception("TK found from memory")
3186 raise Exception("GTK found from memory")
3188 logger.info("Checking keys in memory after disassociation")
3189 buf = read_process_memory(pid, password)
3191 # Note: Password is still present in network configuration
3192 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3194 get_key_locations(buf, password, "Password")
3195 get_key_locations(buf, pmk, "PMK")
3196 get_key_locations(buf, msk, "MSK")
3197 get_key_locations(buf, emsk, "EMSK")
3198 verify_not_present(buf, kck, fname, "KCK")
3199 verify_not_present(buf, kek, fname, "KEK")
3200 verify_not_present(buf, tk, fname, "TK")
3201 verify_not_present(buf, gtk, fname, "GTK")
3203 dev[0].request("PMKSA_FLUSH")
3204 dev[0].set_network_quoted(id, "identity", "foo")
3205 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3206 buf = read_process_memory(pid, password)
3207 get_key_locations(buf, password, "Password")
3208 get_key_locations(buf, pmk, "PMK")
3209 get_key_locations(buf, msk, "MSK")
3210 get_key_locations(buf, emsk, "EMSK")
3211 verify_not_present(buf, pmk, fname, "PMK")
3213 dev[0].request("REMOVE_NETWORK all")
3215 logger.info("Checking keys in memory after network profile removal")
3216 buf = read_process_memory(pid, password)
3218 get_key_locations(buf, password, "Password")
3219 get_key_locations(buf, pmk, "PMK")
3220 get_key_locations(buf, msk, "MSK")
3221 get_key_locations(buf, emsk, "EMSK")
3222 verify_not_present(buf, password, fname, "password")
3223 verify_not_present(buf, pmk, fname, "PMK")
3224 verify_not_present(buf, kck, fname, "KCK")
3225 verify_not_present(buf, kek, fname, "KEK")
3226 verify_not_present(buf, tk, fname, "TK")
3227 verify_not_present(buf, gtk, fname, "GTK")
3228 verify_not_present(buf, msk, fname, "MSK")
3229 verify_not_present(buf, emsk, fname, "EMSK")
3231 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3232 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3233 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3234 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3235 bssid = apdev[0]['bssid']
3236 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3237 anonymous_identity="ttls", password="password",
3238 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3240 # Send unexpected WEP EAPOL-Key; this gets dropped
3241 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3243 raise Exception("EAPOL_RX to wpa_supplicant failed")
3245 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3246 """WPA2-EAP and wpas interface in a bridge"""
3250 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3252 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3253 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3254 subprocess.call(['brctl', 'delbr', br_ifname])
3255 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3257 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3258 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3259 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3263 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3264 subprocess.call(['brctl', 'addbr', br_ifname])
3265 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3266 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3267 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3268 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3269 wpas.interface_add(ifname, br_ifname=br_ifname)
3271 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3272 password_hex="0123456789abcdef0123456789abcdef")
3273 eap_reauth(wpas, "PAX")
3274 # Try again as a regression test for packet socket workaround
3275 eap_reauth(wpas, "PAX")
3276 wpas.request("DISCONNECT")
3277 wpas.wait_disconnected()
3278 wpas.request("RECONNECT")
3279 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Brings up a WPA2-EAP AP, verifies through GET_CONFIG that the first
    listed AKM is WPA-EAP, connects with EAP-TTLS/PAP with TLS session
    tickets explicitly enabled (phase1 tls_disable_session_ticket=0) and
    then runs an EAP reauthentication on that association.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Only the first AKM in the space-separated list is checked.
    key_mgmt = hapd.get_config()['key_mgmt']
    primary_akm = key_mgmt.partition(' ')[0]
    if primary_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(sta, "TTLS")
3294 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3295 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3296 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3297 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3298 key_mgmt = hapd.get_config()['key_mgmt']
3299 if key_mgmt.split(' ')[0] != "WPA-EAP":
3300 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3301 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3302 anonymous_identity="ttls", password="password",
3303 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3305 eap_reauth(dev[0], "TTLS")
3307 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3308 """EAP-TLS and server checking CRL"""
3309 params = int_eap_server_params()
3310 params['check_crl'] = '1'
3311 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3313 # check_crl=1 and no CRL available --> reject connection
3314 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3315 client_cert="auth_serv/user.pem",
3316 private_key="auth_serv/user.key", expect_failure=True)
3317 dev[0].request("REMOVE_NETWORK all")
3320 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3323 # check_crl=1 and valid CRL --> accept
3324 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3325 client_cert="auth_serv/user.pem",
3326 private_key="auth_serv/user.key")
3327 dev[0].request("REMOVE_NETWORK all")
3330 hapd.set("check_crl", "2")
3333 # check_crl=2 and valid CRL --> accept
3334 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3335 client_cert="auth_serv/user.pem",
3336 private_key="auth_serv/user.key")
3337 dev[0].request("REMOVE_NETWORK all")
3339 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3340 """EAP-TLS and OOM"""
3341 check_subject_match_support(dev[0])
3342 check_altsubject_match_support(dev[0])
3343 check_domain_match_full(dev[0])
3345 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3346 hostapd.add_ap(apdev[0]['ifname'], params)
3348 tests = [ (1, "tls_connection_set_subject_match"),
3349 (2, "tls_connection_set_subject_match"),
3350 (3, "tls_connection_set_subject_match"),
3351 (4, "tls_connection_set_subject_match") ]
3352 for count, func in tests:
3353 with alloc_fail(dev[0], count, func):
3354 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3355 identity="tls user", ca_cert="auth_serv/ca.pem",
3356 client_cert="auth_serv/user.pem",
3357 private_key="auth_serv/user.key",
3358 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3359 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3360 domain_suffix_match="server.w1.fi",
3361 domain_match="server.w1.fi",
3362 wait_connect=False, scan_freq="2412")
3363 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3364 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3366 raise Exception("No passphrase request")
3367 dev[0].request("REMOVE_NETWORK all")
3368 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP is configured with macaddr_acl=2 on top of WPA2-EAP and the
    station (dev[1]) must still complete an EAP-TLS authentication using
    the test client certificate and private key.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[1]
    eap_connect(sta, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
3379 def test_ap_wpa2_eap_oom(dev, apdev):
3380 """EAP server and OOM"""
3381 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3382 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3383 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3385 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3386 # The first attempt fails, but STA will send EAPOL-Start to retry and
3388 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3389 identity="tls user", ca_cert="auth_serv/ca.pem",
3390 client_cert="auth_serv/user.pem",
3391 private_key="auth_serv/user.key",
3394 def check_tls_ver(dev, ap, phase1, expected):
3395 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3396 client_cert="auth_serv/user.pem",
3397 private_key="auth_serv/user.key",
3399 ver = dev.get_status_field("eap_tls_version")
3401 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3403 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3404 """EAP-TLS and TLS version configuration"""
3405 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3406 hostapd.add_ap(apdev[0]['ifname'], params)
3408 tls = dev[0].request("GET tls_library")
3409 if tls.startswith("OpenSSL"):
3410 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3411 check_tls_ver(dev[0], apdev[0],
3412 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3414 check_tls_ver(dev[1], apdev[0],
3415 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3416 check_tls_ver(dev[2], apdev[0],
3417 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3419 def test_rsn_ie_proto_eap_sta(dev, apdev):
3420 """RSN element protocol testing for EAP cases on STA side"""
3421 bssid = apdev[0]['bssid']
3422 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3423 # This is the RSN element used normally by hostapd
3424 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3425 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3426 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3427 identity="gpsk user",
3428 password="abcdefghijklmnop0123456789abcdef",
3431 tests = [ ('No RSN Capabilities field',
3432 '30120100000fac040100000fac040100000fac01'),
3433 ('No AKM Suite fields',
3434 '300c0100000fac040100000fac04'),
3435 ('No Pairwise Cipher Suite fields',
3436 '30060100000fac04'),
3437 ('No Group Data Cipher Suite field',
3439 for txt,ie in tests:
3440 dev[0].request("DISCONNECT")
3441 dev[0].wait_disconnected()
3444 hapd.set('own_ie_override', ie)
3446 dev[0].request("BSS_FLUSH 0")
3447 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3448 dev[0].select_network(id, freq=2412)
3449 dev[0].wait_connected()