1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger; the test functions below report progress through logger.info().
logger = logging.getLogger(name=None)
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    Raises:
        HwsimSkip: when ``/tmp/hlr_auc_gw.sock`` does not exist.
    """
    # NOTE(review): a fixed path under /tmp. Fine for the test harness, but
    # the socket's existence only hints that the HLR/AuC gateway is running;
    # it says nothing about which process created it.
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    The suite treats subject_match (server certificate subject pinning) as
    available only with the OpenSSL backend.

    Args:
        dev: supplicant under test; must answer ``GET tls_library``.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip unless the supplicant's TLS backend reports itself as OpenSSL.

    altsubject_match (pinning of subjectAltName entries of the server
    certificate) is treated by the suite as OpenSSL-only.

    Args:
        dev: supplicant under test; must answer ``GET tls_library``.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip when domain_suffix_match can only do a full (not suffix) match.

    Per the skip message, only the OpenSSL backend supports suffix matching
    of the server certificate domain; other libraries require a full match,
    so tests relying on suffix semantics are skipped there.

    Args:
        dev: supplicant under test; must answer ``GET tls_library``.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    prefix = "OpenSSL"
    if lib[:len(prefix)] != prefix:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless certificate probing is available (OpenSSL backend only).

    Args:
        dev: supplicant under test; must answer ``GET tls_library``.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls_name = dev.request("GET tls_library")
    is_openssl = tls_name.startswith("OpenSSL")
    if is_openssl:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_name)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
91 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
93 raise Exception("EAP method selection timed out")
94 if "CTRL-EVENT-EAP-FAILURE" in ev:
97 raise Exception("Could not select EAP method")
99 raise Exception("Unexpected EAP method")
101 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
103 raise Exception("EAP failure timed out")
104 ev = dev.wait_disconnected(timeout=10)
105 if maybe_local_error and "locally_generated=1" in ev:
107 if not local_error_report:
108 if "reason=23" not in ev:
109 raise Exception("Proper reason code for disconnection not reported")
111 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
113 raise Exception("EAP success timed out")
116 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
118 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
120 raise Exception("Association with the AP timed out")
121 status = dev.get_status()
122 if status["wpa_state"] != "COMPLETED":
123 raise Exception("Connection not completed")
125 if status["suppPortStatus"] != "Authorized":
126 raise Exception("Port not authorized")
127 if method not in status["selectedMethod"]:
128 raise Exception("Incorrect EAP method status")
130 e = "WPA2-EAP-SHA256"
132 e = "WPA2/IEEE 802.1X/EAP"
134 e = "WPA/IEEE 802.1X/EAP"
135 if status["key_mgmt"] != e:
136 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication and validate the resulting exchange.

    Sends ``REAUTHENTICATE`` over the supplicant control interface, then runs
    eap_check_auth() with ``initial=False`` so that the outcome (success, or
    the failure the caller expects) is verified the same way as for the
    initial connection.

    Args:
        dev: supplicant under test.
        method: EAP method name expected in the supplicant status.
        rsn: forwarded to eap_check_auth(); selects the expected key_mgmt
            status string.
        sha256: forwarded to eap_check_auth(); expect the SHA256 AKM variant.
        expect_failure: forwarded to eap_check_auth(); the re-authentication
            is expected to fail.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
144 def test_ap_wpa2_eap_sim(dev, apdev):
145 """WPA2-Enterprise connection using EAP-SIM"""
146 check_hlr_auc_gw_support()
147 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
149 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 hwsim_utils.test_connectivity(dev[0], hapd)
152 eap_reauth(dev[0], "SIM")
154 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
155 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
157 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
160 logger.info("Negative test with incorrect key")
161 dev[0].request("REMOVE_NETWORK all")
162 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
163 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
166 logger.info("Invalid GSM-Milenage key")
167 dev[0].request("REMOVE_NETWORK all")
168 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
169 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
172 logger.info("Invalid GSM-Milenage key(2)")
173 dev[0].request("REMOVE_NETWORK all")
174 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
175 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
178 logger.info("Invalid GSM-Milenage key(3)")
179 dev[0].request("REMOVE_NETWORK all")
180 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
181 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
184 logger.info("Invalid GSM-Milenage key(4)")
185 dev[0].request("REMOVE_NETWORK all")
186 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
187 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
190 logger.info("Missing key configuration")
191 dev[0].request("REMOVE_NETWORK all")
192 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
195 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
196 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
197 check_hlr_auc_gw_support()
201 raise HwsimSkip("No sqlite3 module available")
202 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
203 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
204 params['auth_server_port'] = "1814"
205 hostapd.add_ap(apdev[0]['ifname'], params)
206 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
207 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
209 logger.info("SIM fast re-authentication")
210 eap_reauth(dev[0], "SIM")
212 logger.info("SIM full auth with pseudonym")
215 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
216 eap_reauth(dev[0], "SIM")
218 logger.info("SIM full auth with permanent identity")
221 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
222 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
223 eap_reauth(dev[0], "SIM")
225 logger.info("SIM reauth with mismatching MK")
228 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
229 eap_reauth(dev[0], "SIM", expect_failure=True)
230 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
233 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
236 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
237 eap_reauth(dev[0], "SIM")
240 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with mismatching counter")
242 eap_reauth(dev[0], "SIM")
243 dev[0].request("REMOVE_NETWORK all")
245 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
246 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
250 logger.info("SIM reauth with max reauth count reached")
251 eap_reauth(dev[0], "SIM")
253 def test_ap_wpa2_eap_sim_config(dev, apdev):
254 """EAP-SIM configuration options"""
255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
256 hostapd.add_ap(apdev[0]['ifname'], params)
257 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
258 identity="1232010000000000",
259 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1="sim_min_num_chal=1",
261 wait_connect=False, scan_freq="2412")
262 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
264 raise Exception("No EAP error message seen")
265 dev[0].request("REMOVE_NETWORK all")
267 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
268 identity="1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=4",
271 wait_connect=False, scan_freq="2412")
272 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
274 raise Exception("No EAP error message seen (2)")
275 dev[0].request("REMOVE_NETWORK all")
277 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
279 phase1="sim_min_num_chal=2")
280 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
281 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
282 anonymous_identity="345678")
284 def test_ap_wpa2_eap_sim_ext(dev, apdev):
285 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
287 _test_ap_wpa2_eap_sim_ext(dev, apdev)
289 dev[0].request("SET external_sim 0")
291 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
292 check_hlr_auc_gw_support()
293 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
294 hostapd.add_ap(apdev[0]['ifname'], params)
295 dev[0].request("SET external_sim 1")
296 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
297 identity="1232010000000000",
298 wait_connect=False, scan_freq="2412")
299 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
301 raise Exception("Network connected timed out")
303 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
305 raise Exception("Wait for external SIM processing request timed out")
307 if p[1] != "GSM-AUTH":
308 raise Exception("Unexpected CTRL-REQ-SIM type")
309 rid = p[0].split('-')[3]
312 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
313 # This will fail during processing, but the ctrl_iface command succeeds
314 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
317 raise Exception("EAP failure not reported")
318 dev[0].request("DISCONNECT")
319 dev[0].wait_disconnected()
322 dev[0].select_network(id, freq="2412")
323 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
325 raise Exception("Wait for external SIM processing request timed out")
327 if p[1] != "GSM-AUTH":
328 raise Exception("Unexpected CTRL-REQ-SIM type")
329 rid = p[0].split('-')[3]
330 # This will fail during GSM auth validation
331 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
332 raise Exception("CTRL-RSP-SIM failed")
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
337 dev[0].wait_disconnected()
340 dev[0].select_network(id, freq="2412")
341 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
343 raise Exception("Wait for external SIM processing request timed out")
345 if p[1] != "GSM-AUTH":
346 raise Exception("Unexpected CTRL-REQ-SIM type")
347 rid = p[0].split('-')[3]
348 # This will fail during GSM auth validation
349 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
350 raise Exception("CTRL-RSP-SIM failed")
351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
353 raise Exception("EAP failure not reported")
354 dev[0].request("DISCONNECT")
355 dev[0].wait_disconnected()
358 dev[0].select_network(id, freq="2412")
359 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
361 raise Exception("Wait for external SIM processing request timed out")
363 if p[1] != "GSM-AUTH":
364 raise Exception("Unexpected CTRL-REQ-SIM type")
365 rid = p[0].split('-')[3]
366 # This will fail during GSM auth validation
367 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
368 raise Exception("CTRL-RSP-SIM failed")
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
371 raise Exception("EAP failure not reported")
372 dev[0].request("DISCONNECT")
373 dev[0].wait_disconnected()
376 dev[0].select_network(id, freq="2412")
377 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
379 raise Exception("Wait for external SIM processing request timed out")
381 if p[1] != "GSM-AUTH":
382 raise Exception("Unexpected CTRL-REQ-SIM type")
383 rid = p[0].split('-')[3]
384 # This will fail during GSM auth validation
385 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
386 raise Exception("CTRL-RSP-SIM failed")
387 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
389 raise Exception("EAP failure not reported")
390 dev[0].request("DISCONNECT")
391 dev[0].wait_disconnected()
394 dev[0].select_network(id, freq="2412")
395 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
397 raise Exception("Wait for external SIM processing request timed out")
399 if p[1] != "GSM-AUTH":
400 raise Exception("Unexpected CTRL-REQ-SIM type")
401 rid = p[0].split('-')[3]
402 # This will fail during GSM auth validation
403 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
404 raise Exception("CTRL-RSP-SIM failed")
405 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
407 raise Exception("EAP failure not reported")
408 dev[0].request("DISCONNECT")
409 dev[0].wait_disconnected()
412 dev[0].select_network(id, freq="2412")
413 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
415 raise Exception("Wait for external SIM processing request timed out")
417 if p[1] != "GSM-AUTH":
418 raise Exception("Unexpected CTRL-REQ-SIM type")
419 rid = p[0].split('-')[3]
420 # This will fail during GSM auth validation
421 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
422 raise Exception("CTRL-RSP-SIM failed")
423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
425 raise Exception("EAP failure not reported")
427 def test_ap_wpa2_eap_sim_oom(dev, apdev):
428 """EAP-SIM and OOM"""
429 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
430 hostapd.add_ap(apdev[0]['ifname'], params)
431 tests = [ (1, "milenage_f2345"),
432 (2, "milenage_f2345"),
433 (3, "milenage_f2345"),
434 (4, "milenage_f2345"),
435 (5, "milenage_f2345"),
436 (6, "milenage_f2345"),
437 (7, "milenage_f2345"),
438 (8, "milenage_f2345"),
439 (9, "milenage_f2345"),
440 (10, "milenage_f2345"),
441 (11, "milenage_f2345"),
442 (12, "milenage_f2345") ]
443 for count, func in tests:
444 with alloc_fail(dev[0], count, func):
445 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
446 identity="1232010000000000",
447 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
448 wait_connect=False, scan_freq="2412")
449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
451 raise Exception("EAP method not selected")
452 dev[0].wait_disconnected()
453 dev[0].request("REMOVE_NETWORK all")
455 def test_ap_wpa2_eap_aka(dev, apdev):
456 """WPA2-Enterprise connection using EAP-AKA"""
457 check_hlr_auc_gw_support()
458 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
459 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
460 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
461 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
462 hwsim_utils.test_connectivity(dev[0], hapd)
463 eap_reauth(dev[0], "AKA")
465 logger.info("Negative test with incorrect key")
466 dev[0].request("REMOVE_NETWORK all")
467 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
468 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
471 logger.info("Invalid Milenage key")
472 dev[0].request("REMOVE_NETWORK all")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
477 logger.info("Invalid Milenage key(2)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
482 logger.info("Invalid Milenage key(3)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
487 logger.info("Invalid Milenage key(4)")
488 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
492 logger.info("Invalid Milenage key(5)")
493 dev[0].request("REMOVE_NETWORK all")
494 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
495 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
498 logger.info("Invalid Milenage key(6)")
499 dev[0].request("REMOVE_NETWORK all")
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
504 logger.info("Missing key configuration")
505 dev[0].request("REMOVE_NETWORK all")
506 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
509 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
510 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
511 check_hlr_auc_gw_support()
515 raise HwsimSkip("No sqlite3 module available")
516 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
517 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
518 params['auth_server_port'] = "1814"
519 hostapd.add_ap(apdev[0]['ifname'], params)
520 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
521 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
523 logger.info("AKA fast re-authentication")
524 eap_reauth(dev[0], "AKA")
526 logger.info("AKA full auth with pseudonym")
529 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
530 eap_reauth(dev[0], "AKA")
532 logger.info("AKA full auth with permanent identity")
535 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
536 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
537 eap_reauth(dev[0], "AKA")
539 logger.info("AKA reauth with mismatching MK")
542 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
543 eap_reauth(dev[0], "AKA", expect_failure=True)
544 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
547 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
550 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
551 eap_reauth(dev[0], "AKA")
554 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with mismatching counter")
556 eap_reauth(dev[0], "AKA")
557 dev[0].request("REMOVE_NETWORK all")
559 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
560 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
564 logger.info("AKA reauth with max reauth count reached")
565 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Connect with an anonymous_identity configured alongside the permanent
    # identity and Milenage key material; the connection is expected to
    # succeed (no expect_failure).
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
575 def test_ap_wpa2_eap_aka_ext(dev, apdev):
576 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
578 _test_ap_wpa2_eap_aka_ext(dev, apdev)
580 dev[0].request("SET external_sim 0")
582 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
583 check_hlr_auc_gw_support()
584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
585 hostapd.add_ap(apdev[0]['ifname'], params)
586 dev[0].request("SET external_sim 1")
587 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
588 identity="0232010000000000",
589 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
590 wait_connect=False, scan_freq="2412")
591 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
593 raise Exception("Network connected timed out")
595 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p[1] != "UMTS-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid = p[0].split('-')[3]
604 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
605 # This will fail during processing, but the ctrl_iface command succeeds
606 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
607 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
609 raise Exception("EAP failure not reported")
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
614 dev[0].select_network(id, freq="2412")
615 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
617 raise Exception("Wait for external SIM processing request timed out")
619 if p[1] != "UMTS-AUTH":
620 raise Exception("Unexpected CTRL-REQ-SIM type")
621 rid = p[0].split('-')[3]
622 # This will fail during UMTS auth validation
623 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
624 raise Exception("CTRL-RSP-SIM failed")
625 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
627 raise Exception("Wait for external SIM processing request timed out")
629 if p[1] != "UMTS-AUTH":
630 raise Exception("Unexpected CTRL-REQ-SIM type")
631 rid = p[0].split('-')[3]
632 # This will fail during UMTS auth validation
633 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
634 raise Exception("CTRL-RSP-SIM failed")
635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
637 raise Exception("EAP failure not reported")
638 dev[0].request("DISCONNECT")
639 dev[0].wait_disconnected()
642 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
644 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
645 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
646 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
647 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
648 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
650 dev[0].select_network(id, freq="2412")
651 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
653 raise Exception("Wait for external SIM processing request timed out")
655 if p[1] != "UMTS-AUTH":
656 raise Exception("Unexpected CTRL-REQ-SIM type")
657 rid = p[0].split('-')[3]
658 # This will fail during UMTS auth validation
659 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
660 raise Exception("CTRL-RSP-SIM failed")
661 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
663 raise Exception("EAP failure not reported")
664 dev[0].request("DISCONNECT")
665 dev[0].wait_disconnected()
668 def test_ap_wpa2_eap_aka_prime(dev, apdev):
669 """WPA2-Enterprise connection using EAP-AKA'"""
670 check_hlr_auc_gw_support()
671 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
672 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
673 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
674 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
675 hwsim_utils.test_connectivity(dev[0], hapd)
676 eap_reauth(dev[0], "AKA'")
678 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
679 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
680 identity="6555444333222111@both",
681 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 wait_connect=False, scan_freq="2412")
683 dev[1].wait_connected(timeout=15)
685 logger.info("Negative test with incorrect key")
686 dev[0].request("REMOVE_NETWORK all")
687 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
688 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
691 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
692 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
693 check_hlr_auc_gw_support()
697 raise HwsimSkip("No sqlite3 module available")
698 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
699 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
700 params['auth_server_port'] = "1814"
701 hostapd.add_ap(apdev[0]['ifname'], params)
702 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
703 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
705 logger.info("AKA' fast re-authentication")
706 eap_reauth(dev[0], "AKA'")
708 logger.info("AKA' full auth with pseudonym")
711 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
712 eap_reauth(dev[0], "AKA'")
714 logger.info("AKA' full auth with permanent identity")
717 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
718 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
719 eap_reauth(dev[0], "AKA'")
721 logger.info("AKA' reauth with mismatching k_aut")
724 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
725 eap_reauth(dev[0], "AKA'", expect_failure=True)
726 dev[0].request("REMOVE_NETWORK all")
728 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
729 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
732 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
733 eap_reauth(dev[0], "AKA'")
736 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with mismatching counter")
738 eap_reauth(dev[0], "AKA'")
739 dev[0].request("REMOVE_NETWORK all")
741 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
742 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
745 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
746 logger.info("AKA' reauth with max reauth count reached")
747 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity-check the AP configuration reported by GET_CONFIG: the first
    # key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password in the clear inside the TLS tunnel, so the
    # ca_cert check on the server certificate is what protects it here.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; it must be both the
    # requested and the selected suite.
    expected_akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", expected_akm)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # On top of the CA check, pin the expected server certificate subject and
    # its subjectAltName entries; the connection is expected to succeed.
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")
777 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
778 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
781 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
782 anonymous_identity="ttls", password="wrong",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
785 eap_connect(dev[1], apdev[0], "TTLS", "user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # Not run in FIPS mode (see skip_with_fips); presumably because CHAP
    # relies on MD5 — confirm against the supplicant build.
    skip_with_fips(sta)
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The CA is given in DER form here (ca.der) rather than PEM.
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same subjectAltName entries as the PAP variant, listed in a different
    # order: the match is expected to succeed regardless of ordering.
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(sta, "TTLS")
813 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
814 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
815 skip_with_fips(dev[0])
816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
817 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
818 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
819 anonymous_identity="ttls", password="wrong",
820 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
822 eap_connect(dev[1], apdev[0], "TTLS", "user",
823 anonymous_identity="ttls", password="password",
824 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
827 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
828 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
829 skip_with_fips(dev[0])
830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
831 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
832 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
833 anonymous_identity="ttls", password="password",
834 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
835 domain_suffix_match="server.w1.fi")
836 hwsim_utils.test_connectivity(dev[0], hapd)
837 eap_reauth(dev[0], "TTLS")
838 dev[0].request("REMOVE_NETWORK all")
839 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
844 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
845 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
846 skip_with_fips(dev[0])
847 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
848 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
849 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
850 anonymous_identity="ttls", password="wrong",
851 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
853 eap_connect(dev[1], apdev[0], "TTLS", "user",
854 anonymous_identity="ttls", password="password",
855 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
857 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
858 anonymous_identity="ttls", password="password",
859 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects dev[0] with a domain-qualified identity and
    domain_suffix_match pinned to the server name, then uses the AP-side
    STA/EAPOL MIB to confirm that an EAP reauthentication really carried
    new EAPOL frames and produced a fresh backend authentication success.
    Finally the same user authenticates again with the password supplied
    as an NT hash (password_hex="hash:...") instead of plaintext.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    sta = dev[0]
    sta_addr = sta.p2p_interface_addr()

    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                domain_suffix_match="server.w1.fi", **inner)
    hwsim_utils.test_connectivity(sta, ap)

    # Snapshot the counters, reauthenticate, and require each one to have
    # moved: a reauth that merely reused cached state would leave the
    # EAPOL frame and backend success counters flat.
    sta_before = ap.get_sta(sta_addr)
    eapol_before = ap.get_sta(sta_addr, info="eapol")
    eap_reauth(sta, "TTLS")
    sta_after = ap.get_sta(sta_addr)
    eapol_after = ap.get_sta(sta_addr, info="eapol")

    frames_rx = 'dot1xAuthEapolFramesRx'
    if not int(sta_after[frames_rx]) > int(sta_before[frames_rx]):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if not int(eapol_after['authAuthEapStartsWhileAuthenticated']) >= 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    successes = 'backendAuthSuccesses'
    if not int(eapol_after[successes]) > int(eapol_before[successes]):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Same setup as the plain MSCHAPv2 test, but domain_suffix_match is the
    parent domain ("w1.fi") rather than the full server name, so the
    suffix rule itself is what has to accept the server certificate.
    check_domain_match_full() skips the test on TLS libraries that can
    only do a full-name comparison.
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                domain_suffix_match="w1.fi", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (full-name constraint) instead of
    domain_suffix_match. The value is written with a capital "S"
    ("Server.w1.fi"); presumably this is meant to exercise
    case-insensitive host name comparison -- confirm against the
    supplicant's matching code if that assumption matters.
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(ifname)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                domain_match="Server.w1.fi", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
919 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
920 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
921 skip_with_fips(dev[0])
922 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
923 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
924 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
925 anonymous_identity="ttls", password="password1",
926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
928 eap_connect(dev[1], apdev[0], "TTLS", "user",
929 anonymous_identity="ttls", password="password",
930 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Two stations authenticate against the same server: dev[0] with a
    plaintext password containing non-ASCII characters, dev[1] with the
    corresponding pre-computed NT hash via password_hex. Together they
    cover both the supplicant's UTF-8 -> hash conversion and the
    hash-only configuration path.
    """
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hostapd.Hostapd(ifname)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Runs EAP-GTC as an inner EAP method (phase2="autheap=GTC") inside the
    TTLS tunnel, checks data connectivity through the AP and then forces a
    reauthentication.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
957 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
958 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
959 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
960 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="wrong",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
966 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
967 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
968 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
969 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
970 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
971 anonymous_identity="ttls", password="password",
972 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
975 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
976 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
977 params = int_eap_server_params()
978 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
979 with alloc_fail(hapd, 1, "eap_gtc_init"):
980 eap_connect(dev[0], apdev[0], "TTLS", "user",
981 anonymous_identity="ttls", password="password",
982 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
984 dev[0].request("REMOVE_NETWORK all")
986 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
987 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
988 eap="TTLS", identity="user",
989 anonymous_identity="ttls", password="password",
990 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
991 wait_connect=False, scan_freq="2412")
992 # This would eventually time out, but we can stop after having reached
993 # the allocation failure.
996 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 is only acceptable here because it runs as an inner method
    (phase2="autheap=MD5") protected by the TTLS tunnel; the test is
    skipped when the build lacks MD5 support.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    Negative test: the inner EAP-MD5 exchange is attempted with a wrong
    password and eap_connect() is told to expect the authentication to
    fail rather than succeed.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    Negative test against the server-side user database: the identity
    "user-no-passwd" is used with a password supplied by the client, and
    the authentication is expected to fail.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1030 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1031 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1032 check_eap_capa(dev[0], "MD5")
1033 params = int_eap_server_params()
1034 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1035 with alloc_fail(hapd, 1, "eap_md5_init"):
1036 eap_connect(dev[0], apdev[0], "TTLS", "user",
1037 anonymous_identity="ttls", password="password",
1038 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1039 expect_failure=True)
1040 dev[0].request("REMOVE_NETWORK all")
1042 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1043 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1044 eap="TTLS", identity="user",
1045 anonymous_identity="ttls", password="password",
1046 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1047 wait_connect=False, scan_freq="2412")
1048 # This would eventually time out, but we can stop after having reached
1049 # the allocation failure.
1052 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive path: inner EAP-MSCHAPv2 (phase2="autheap=MSCHAPV2") inside
    TTLS, connectivity check and reauthentication. Then the network is
    removed and the same identity is tried with a wrong password, which
    must be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password1", expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative test: identity "user-no-passwd" with inner EAP-MSCHAPv2; the
    server is expected to reject the authentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1083 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1084 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1085 check_eap_capa(dev[0], "MSCHAPV2")
1086 params = int_eap_server_params()
1087 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1088 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1089 eap_connect(dev[0], apdev[0], "TTLS", "user",
1090 anonymous_identity="ttls", password="password",
1091 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1092 expect_failure=True)
1093 dev[0].request("REMOVE_NETWORK all")
1095 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1096 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1097 eap="TTLS", identity="user",
1098 anonymous_identity="ttls", password="password",
1099 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1100 wait_connect=False, scan_freq="2412")
1101 # This would eventually time out, but we can stop after having reached
1102 # the allocation failure.
1105 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1107 dev[0].request("REMOVE_NETWORK all")
1109 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1110 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1111 eap="TTLS", identity="user",
1112 anonymous_identity="ttls", password="password",
1113 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1114 wait_connect=False, scan_freq="2412")
1115 # This would eventually time out, but we can stop after having reached
1116 # the allocation failure.
1119 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1121 dev[0].request("REMOVE_NETWORK all")
1123 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1124 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1125 eap="TTLS", identity="user",
1126 anonymous_identity="ttls", password="wrong",
1127 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1128 wait_connect=False, scan_freq="2412")
1129 # This would eventually time out, but we can stop after having reached
1130 # the allocation failure.
1133 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1135 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    Tunnels EAP-AKA inside TTLS. The IMSI-style identity and the
    colon-separated password (Milenage test parameters, Ki:OPc:SQN) are
    the fixed test-vector credentials used by the hwsim authentication
    server; the outer anonymous identity carries the "@ttls" realm.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same EAP-AKA test-vector credentials as the TTLS variant, but carried
    as the inner method of PEAP (phase2="auth=AKA") with a "@peap" realm
    on the anonymous outer identity.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA as the inner method of EAP-FAST. phase1="fast_provisioning=2"
    selects authenticated (server-certificate based) PAC provisioning and
    the PAC is stored in a configuration blob rather than a file. Skipped
    when the build has no EAP-FAST support.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    fast_opts = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA",
                **fast_opts)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four PEAP/MSCHAPv2 rounds against one AP:
      1. plaintext password, connectivity check and reauthentication;
      2. the same with fragment_size="200" to force EAP fragmentation;
      3. password given as an NT hash via password_hex;
      4. a wrong password, which must be rejected.
    The network block is removed between rounds.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The inner identity carries a Windows-style "DOMAIN\\" prefix
    ("DOMAIN\user3"); the server must still accept the user. Connectivity
    and reauthentication are checked afterwards.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: PEAP with inner MSCHAPv2 and a wrong password; the
    authentication is expected to fail.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and each of the supplicant's
    crypto_binding settings in phase1: dev[0] with crypto_binding=2
    (required, plus connectivity check and reauth), dev[1] with
    crypto_binding=1 (optional) and dev[2] with crypto_binding=0
    (disabled). All three are expected to succeed against this server.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    Uses the integrated EAP server and injects one allocation failure in
    eap_mschapv2_getKey on the AP while crypto binding is required
    (crypto_binding=2). The authentication must fail cleanly;
    local_error_report=True tells eap_connect() to accept a locally
    reported error as the failure signal.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1251 def test_ap_wpa2_eap_peap_params(dev, apdev):
1252 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1253 check_eap_capa(dev[0], "MSCHAPV2")
1254 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1255 hostapd.add_ap(apdev[0]['ifname'], params)
1256 eap_connect(dev[0], apdev[0], "PEAP", "user",
1257 anonymous_identity="peap", password="password",
1258 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1259 phase1="peapver=0 peaplabel=1",
1260 expect_failure=True)
1261 dev[0].request("REMOVE_NETWORK all")
1262 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1263 ca_cert="auth_serv/ca.pem",
1264 phase1="peap_outer_success=1",
1265 phase2="auth=MSCHAPV2")
1266 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1267 ca_cert="auth_serv/ca.pem",
1268 phase1="peap_outer_success=2",
1269 phase2="auth=MSCHAPV2")
1270 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1272 anonymous_identity="peap", password="password",
1273 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1274 phase1="peapver=1 peaplabel=1",
1275 wait_connect=False, scan_freq="2412")
1276 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1278 raise Exception("No EAP success seen")
1279 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1281 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    Certificate-based inner authentication: the outer PEAP tunnel trusts
    ca_cert, while the inner EAP-TLS run uses the phase2 credential set
    (ca_cert2 / client_cert2 / private_key2). Followed by a reauth.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Plain EAP-TLS with file-based credentials: CA certificate, client
    certificate and client private key from auth_serv/, then a
    reauthentication.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client = dict(client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem", **client)
    eap_reauth(dev[0], "TLS")
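def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    Loads the CA certificate, client certificate and client private key
    into wpa_supplicant configuration blobs ("SET blob <name> <hex>") and
    authenticates with EAP-TLS referencing them as blob://<name> instead
    of file paths. read_pem() returns the DER-decoded body, which is
    hex-encoded for the control interface.

    Raises:
        Exception: if any SET blob request is not answered with OK. The
            message names the blob that failed (the userkey failure was
            previously mislabelled as the cacert blob).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    blobs = (("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key"))
    for name, path in blobs:
        data = read_pem(path)
        res = dev[0].request("SET blob " + name + " " + data.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")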
1320 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1321 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1322 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1323 hostapd.add_ap(apdev[0]['ifname'], params)
1324 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1325 private_key="auth_serv/user.pkcs12",
1326 private_key_passwd="whatever")
1327 dev[0].request("REMOVE_NETWORK all")
1328 dev[0].wait_disconnected()
1330 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1331 identity="tls user",
1332 ca_cert="auth_serv/ca.pem",
1333 private_key="auth_serv/user.pkcs12",
1334 wait_connect=False, scan_freq="2412")
1335 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1337 raise Exception("Request for private key passphrase timed out")
1338 id = ev.split(':')[0].split('-')[-1]
1339 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1340 dev[0].wait_connected(timeout=10)
1341 dev[0].request("REMOVE_NETWORK all")
1342 dev[0].wait_disconnected()
1344 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1345 # different files to cover both cases of the extra certificate being the
1346 # one that signed the client certificate and it being unrelated to the
1347 # client certificate.
1348 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1350 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1351 ca_cert="auth_serv/ca.pem",
1353 private_key_passwd="whatever")
1354 dev[0].request("REMOVE_NETWORK all")
1355 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (DER from read_pem()) and the raw PKCS#12 file
    (read in binary mode) are both pushed into configuration blobs as hex;
    EAP-TLS then uses blob://pkcs12 as private_key together with its
    passphrase.

    Raises:
        Exception: if either SET blob request is not answered with OK.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    ca_der = read_pem("auth_serv/ca.pem")
    reply = sta.request("SET blob cacert " + ca_der.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")

    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
        reply = sta.request("SET blob pkcs12 " + p12.encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1371 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1372 """WPA2-Enterprise negative test - incorrect trust root"""
1373 check_eap_capa(dev[0], "MSCHAPV2")
1374 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1375 hostapd.add_ap(apdev[0]['ifname'], params)
1376 cert = read_pem("auth_serv/ca-incorrect.pem")
1377 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1378 raise Exception("Could not set cacert blob")
1379 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1380 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1381 password="password", phase2="auth=MSCHAPV2",
1382 ca_cert="blob://cacert",
1383 wait_connect=False, scan_freq="2412")
1384 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386 password="password", phase2="auth=MSCHAPV2",
1387 ca_cert="auth_serv/ca-incorrect.pem",
1388 wait_connect=False, scan_freq="2412")
1390 for dev in (dev[0], dev[1]):
1391 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1393 raise Exception("Association and EAP start timed out")
1395 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1397 raise Exception("EAP method selection timed out")
1398 if "TTLS" not in ev:
1399 raise Exception("Unexpected EAP method")
1401 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1402 "CTRL-EVENT-EAP-SUCCESS",
1403 "CTRL-EVENT-EAP-FAILURE",
1404 "CTRL-EVENT-CONNECTED",
1405 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1407 raise Exception("EAP result timed out")
1408 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1409 raise Exception("TLS certificate error not reported")
1411 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1412 "CTRL-EVENT-EAP-FAILURE",
1413 "CTRL-EVENT-CONNECTED",
1414 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1416 raise Exception("EAP result(2) timed out")
1417 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1418 raise Exception("EAP failure not reported")
1420 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1421 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1423 raise Exception("EAP result(3) timed out")
1424 if "CTRL-EVENT-DISCONNECTED" not in ev:
1425 raise Exception("Disconnection not reported")
1427 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1429 raise Exception("Network block disabling not reported")
1431 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1432 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1433 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1434 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1435 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1436 identity="pap user", anonymous_identity="ttls",
1437 password="password", phase2="auth=PAP",
1438 ca_cert="auth_serv/ca.pem",
1439 wait_connect=True, scan_freq="2412")
1440 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441 identity="pap user", anonymous_identity="ttls",
1442 password="password", phase2="auth=PAP",
1443 ca_cert="auth_serv/ca-incorrect.pem",
1444 only_add_network=True, scan_freq="2412")
1446 dev[0].request("DISCONNECT")
1447 dev[0].wait_disconnected()
1448 dev[0].dump_monitor()
1449 dev[0].select_network(id, freq="2412")
1451 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1453 raise Exception("EAP-TTLS not re-started")
1455 ev = dev[0].wait_disconnected(timeout=15)
1456 if "reason=23" not in ev:
1457 raise Exception("Proper reason code for disconnection not reported")
1459 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1460 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1461 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1462 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1463 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1464 identity="pap user", anonymous_identity="ttls",
1465 password="password", phase2="auth=PAP",
1466 wait_connect=True, scan_freq="2412")
1467 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1468 identity="pap user", anonymous_identity="ttls",
1469 password="password", phase2="auth=PAP",
1470 ca_cert="auth_serv/ca-incorrect.pem",
1471 only_add_network=True, scan_freq="2412")
1473 dev[0].request("DISCONNECT")
1474 dev[0].wait_disconnected()
1475 dev[0].dump_monitor()
1476 dev[0].select_network(id, freq="2412")
1478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1480 raise Exception("EAP-TTLS not re-started")
1482 ev = dev[0].wait_disconnected(timeout=15)
1483 if "reason=23" not in ev:
1484 raise Exception("Proper reason code for disconnection not reported")
1486 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1487 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1488 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1489 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1490 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1491 identity="pap user", anonymous_identity="ttls",
1492 password="password", phase2="auth=PAP",
1493 ca_cert="auth_serv/ca.pem",
1494 wait_connect=True, scan_freq="2412")
1495 dev[0].request("DISCONNECT")
1496 dev[0].wait_disconnected()
1497 dev[0].dump_monitor()
1498 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1499 dev[0].select_network(id, freq="2412")
1501 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1503 raise Exception("EAP-TTLS not re-started")
1505 ev = dev[0].wait_disconnected(timeout=15)
1506 if "reason=23" not in ev:
1507 raise Exception("Proper reason code for disconnection not reported")
1509 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1510 """WPA2-Enterprise negative test - domain suffix mismatch"""
1511 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1512 hostapd.add_ap(apdev[0]['ifname'], params)
1513 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1514 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1515 password="password", phase2="auth=MSCHAPV2",
1516 ca_cert="auth_serv/ca.pem",
1517 domain_suffix_match="incorrect.example.com",
1518 wait_connect=False, scan_freq="2412")
1520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1522 raise Exception("Association and EAP start timed out")
1524 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1526 raise Exception("EAP method selection timed out")
1527 if "TTLS" not in ev:
1528 raise Exception("Unexpected EAP method")
1530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1531 "CTRL-EVENT-EAP-SUCCESS",
1532 "CTRL-EVENT-EAP-FAILURE",
1533 "CTRL-EVENT-CONNECTED",
1534 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1536 raise Exception("EAP result timed out")
1537 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1538 raise Exception("TLS certificate error not reported")
1539 if "Domain suffix mismatch" not in ev:
1540 raise Exception("Domain suffix mismatch not reported")
1542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1543 "CTRL-EVENT-EAP-FAILURE",
1544 "CTRL-EVENT-CONNECTED",
1545 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1547 raise Exception("EAP result(2) timed out")
1548 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1549 raise Exception("EAP failure not reported")
1551 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1552 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1554 raise Exception("EAP result(3) timed out")
1555 if "CTRL-EVENT-DISCONNECTED" not in ev:
1556 raise Exception("Disconnection not reported")
1558 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1560 raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match="w1.fi" is configured so that it does not match the test
    server certificate. The station must report a TLS certificate error
    carrying "Domain mismatch", end with EAP failure, disconnect and
    temporarily disable the network block - i.e. the phase 2 MSCHAPv2
    credentials must never be sent to a server whose certificate fails the
    domain check.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def wait_for(events, timeout_msg):
        # Every step shares the same 10 s budget; a missing event fails
        # the test with the step-specific message.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error has to be the first outcome seen: EAP success or
    # a connection at this point would mean the domain check was skipped.
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # A failed validation must also back off: the network block is
    # temporarily disabled instead of being retried in a tight loop.
    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN (CN=example.com) that the test server
    certificate is not expected to carry. With OpenSSL the station must
    report a TLS certificate error containing "Subject mismatch", fail EAP,
    disconnect and temporarily disable the network block. With a TLS
    library that does not implement subject_match, the EAP method failing
    to initialize is accepted as a safe outcome because no connection is
    made without the check.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def wait_for(events, timeout_msg):
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD",
                   "EAP: Failed to initialize EAP method"],
                  "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only acceptable when the TLS library cannot do subject_match at
        # all; with OpenSSL the method must initialize.
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the per-value helper for several altsubject_match strings that
    must NOT match the test server certificate (a bare name and an
    explicit DNS: entry are visible here).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the remaining list entries and the "for match in tests:"
    # loop header are cut from this view of the file.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Connect with one altsubject_match value that must not match the
    server certificate and verify the rejection sequence.

    With OpenSSL the station must report a TLS certificate error containing
    "AltSubject mismatch", fail EAP, disconnect and temporarily disable the
    network block. With a TLS library lacking altsubject_match support,
    failing to initialize the EAP method is accepted (no connection is
    made). The network block is removed at the end of the full sequence.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def wait_for(events, timeout_msg):
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = wait_for(["CTRL-EVENT-EAP-METHOD",
                   "EAP: Failed to initialize EAP method"],
                  "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                   "CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = wait_for(["CTRL-EVENT-EAP-SUCCESS",
                   "CTRL-EVENT-EAP-FAILURE",
                   "CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = wait_for(["CTRL-EVENT-CONNECTED",
                   "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    wait_for(["CTRL-EVENT-SSID-TEMP-DISABLED"],
             "Network block disabling not reported")

    # Leave a clean station for the next altsubject_match value.
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    The server is validated against auth_serv/ca.pem but no client
    certificate or password is configured, so this only covers the
    server-authenticated tunnel and a subsequent reauthentication.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps: (1) ca_cert="probe://" makes the station report the server
    certificate hash (CTRL-EVENT-EAP-PEER-CERT depth=0) and then abort with
    a "Server certificate chain probe" error - the probe never
    authenticates; (2) pinning a different sha256 hash must be rejected with
    "Server certificate mismatch" before any phase 2 credential is used;
    (3) pinning the hash learned in step 1 completes the connection without
    any CA file.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    wrong_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def wait_for(events, timeout_msg):
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # Step 1: probe only. Identity "probe" carries no real credentials.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                  "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a pin that does not match the presented certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/" + wrong_hash,
                   wait_connect=False, scan_freq="2412")
    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = wait_for(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the matching pin replaces the CA file entirely.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Each of three stations gets a malformed hash:// pin and must refuse to
    even initialize EAP-TTLS (vendor 0 method 21): an md5 pin, a sha256 pin
    that is two hex digits short, and a sha256 pin with a non-hex character.
    Rejecting these at configuration time matters because a pin that can
    never be compared correctly must not be allowed to proceed to a TLS
    handshake.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_pins = [
        # digest other than sha256
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # 62 hex digits instead of 64
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # trailing 'Q' is not a hex digit
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in dev[:3]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Basic connect + reauth for "pwd user", two connects with a very long
    NAI identity (large identity payload), and a negative case with a
    wrong password that must be reported as a local error.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): the trailing keyword argument(s) closing this call and
    # the last one below are cut from this view of the file.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",

    logger.info("Negative test with incorrect password")
    # "secret-password" vs "secret password": the failure must come from
    # the peer side (local_error_report=True), not a server timeout.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    User "pwd-hash" authenticates both with the plaintext password and with
    its NT hash given as password_hex="hash:...". The same hash presented
    for "pwd user" must fail (presumably that user is not provisioned for
    hash-based authentication on the server). NOTE(review): an NT hash is a
    password-equivalent credential; store it with the same care as the
    password it replaces.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Re-creates the AP once per pwd_group value and connects with the same
    credentials each time. A group 25 failure is tolerated only with
    BoringSSL (logged and skipped).
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Group numbers are EAP-pwd (IKE DH group registry) identifiers - TODO
    # confirm which curves the test build maps them to.
    for i in [ 19, 20, 21, 25, 26 ]:
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].request("REMOVE_NETWORK all")
        # NOTE(review): the try/except wrapping this connect and the loop
        # tail (continue/raise, disconnect wait) are cut from this view.
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
        # Known-bad combination: group 25 with BoringSSL is ignored rather
        # than failing the whole run.
        if "BoringSSL" in tls and i in [ 25 ]:
            logger.info("Ignore connection failure with group %d with BoringSSL" % i)
            dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group=0, which is not a usable group; the
    station is expected to end the exchange with an EAP failure rather than
    a connection.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout here: the wait_event default applies.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
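def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP-side EAP server is configured with fragment_size=40 so EAP-pwd
    messages are split into very small fragments and the peer's reassembly
    path is exercised on an otherwise normal successful authentication.
    """
    check_eap_capa(dev[0], "PWD")
    # The explicit dict below is the only configuration used; the previous
    # hostapd.wpa2_eap_params() call was dead (its result was immediately
    # overwritten) and has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")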
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connect + reauth, then force ciphersuite 1 and 2 in turn through phase1
    (each change is followed by a wait for a new EAP success and
    reconnection), then an unsupported cipher=9 that must end in EAP
    failure, and finally a wrong-key negative case.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(netid, "phase1", phase1)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    # Only the first byte of the key differs from the valid one.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connect + reauth with a 32-byte (64 hex digit) key, then a negative
    case whose key differs from the valid one only in its first byte.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef" * 4
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff23456789abcdef" + "0123456789abcdef" * 3
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connect + reauth, then pin several dhgroup/encr/prf/mac combinations
    through phase1 (each followed by a wait for EAP success and
    reconnection), then an all-9 combination that is expected to be
    unsupported and end in EAP failure, and finally a wrong password.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    forced = ("dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in forced:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Overrides the internal EAP server's server_id with an NAI-form value
    (user@realm) and checks that a normal EKE authentication still works.
    """
    params = dict(int_eap_server_params(), server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd-side EAP-EKE server via
    alloc_fail and checks that the authentication fails cleanly (no crash,
    no success built on a partially constructed message).
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Failures in the commit/confirm/identity build and process paths: the
    # peer must observe an explicit EAP failure (expect_failure=True).
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures elsewhere in the server: no EAP result is awaited, the test
    # only needs the injected failure to have fired. GET_ALLOC_FAIL
    # starting with '0' presumably means the pending count reached zero -
    # TODO confirm against the alloc_fail helper.
    # NOTE(review): the polling loop (for/break/sleep) around GET_ALLOC_FAIL,
    # the try: opening the eap_server_sm_step loop and the break/raise inside
    # its except: are cut from this view of the file.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): `pw` below is whatever the previous loop left bound
    # (its last tuple uses "hello"); binding it explicitly would make this
    # loop independent of the list above.
    for count in range(1, 1000):
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
        except Exception, e:
            # Python 2 except syntax; the sweep ends when alloc_fail reports
            # that no further allocation in eap_server_sm_step was hit.
            if str(e) == "Allocation failure did not trigger":
                raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connect + reauth, the same connection with station-side fragmentation
    (fragment_size=50) to cover reassembly, and a wrong-password negative
    case.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "ikev2 user"
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
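def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP-side EAP server uses fragment_size=50 so EAP-IKEv2 messages
    arrive at the peer in small fragments; connect and reauth must still
    succeed.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The explicit dict below is the only configuration used; the previous
    # hostapd.wpa2_eap_params() call was dead (its result was immediately
    # overwritten) and has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")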
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Station-side fault injection: allocation failures in the DH helpers
    and a forced os_get_random() failure inside dh_init(). Each run only
    checks that the EAP method was selected and that the injected failure
    fired; the network is then removed.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): one tuple of this list, the "if ev is None:" guard and
    # the polling loop (for/break/sleep) around GET_ALLOC_FAIL / GET_FAIL
    # are cut from this view of the file.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            # "0:" presumably means the pending failure count reached zero
            # - TODO confirm against the alloc_fail helper.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # "os_get_random;dh_init": fail os_get_random() only when called from
    # dh_init() (function;caller spec understood by fail_test).
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connect + reauth with a 16-byte key, then a negative case whose key
    differs from the valid one only in the first byte.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef" * 2)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef" + "0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP only offers WPA-EAP-SHA256 with ieee80211w=2, so the station
    must request and select the SHA-256 AKM (suite selector 00-0f-ac-5 in
    the RSNA MIB) and the BSS table entry must carry
    [WPA2-EAP-SHA256-CCMP]. A wrong-key negative case follows.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    akm = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", akm),
                        ("dot11RSNAAuthenticationSuiteSelected", akm) ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Station-side allocation failures in the AES-EAX / OMAC1 primitives
    used by EAP-PSK. The "a;b" spec form fails function a only when
    called from b, and "=a" fails inside a itself (as understood by the
    alloc_fail helper - TODO confirm). The final aes_128_encrypt_block
    case must surface as an EAP failure.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    # NOTE(review): the "if ev is None:" guard and the polling loop
    # (for/break/sleep) around GET_ALLOC_FAIL are cut from this view.
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # A failed block encryption must not be papered over: the method has to
    # report an explicit EAP failure.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not WPA2) variant: the AP comes from hostapd.wpa_eap_params(), so
    the RSNA MIB must show the WPA vendor AKM selector 00-50-f2-1 and
    rsn=False is passed to the auth/reauth checks. Also verifies the
    STATUS-VERBOSE fields portControl and eap_session_id.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last keyword argument closing this connect() call
    # is cut from this view of the file.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # Leading "19" is presumably the EAP type byte (0x19 = 25 = PEAP) that
    # prefixes the session id - TODO confirm.
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each tuple is (description, eap, anonymous_identity, identity, phase2,
    identity to supply on CTRL-REQ-IDENTITY, secret to supply on
    CTRL-REQ-PASSWORD / CTRL-REQ-OTP). Credentials left out of the network
    block are requested over the control interface and answered with the
    matching CTRL-RSP-* command; the connection must then complete.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # NOTE(review): the tail of the first tuple (its req_id/req_pw fields),
    # the per-case logging line, the guard around the identity request and
    # the "if ev is None:" checks are cut from this view of the file.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the last '-'-separated field before the ':'.
        # (style: `id` and `type` below shadow Python builtins)
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password instead; answer with the
        # matching response type.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connect + reauth with the VENDOR-TEST method on dev[0], then a second
    connection on dev[1].
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the trailing keyword argument(s) of this call are cut
    # from this view of the file.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1="fast_provisioning=1" lets the PAC be provisioned without server
    authentication into the blob://fast_pac store; the reauth must then
    report tls_session_reused=1, i.e. the provisioned PAC was used as the
    session ticket. NOTE(review): unauthenticated provisioning is the weak
    mode of EAP-FAST - this test covers the functional path only and is not
    an endorsement of enabling it outside a test harness.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text-format file under the log directory,
    checks the file header and that a PAC-Key was written, then reconnects
    using that file without provisioning; dev[1] repeats the exercise with
    fast_pac_format=binary. NOTE(review): PAC-Key is a long-term
    credential stored in clear text here - acceptable for the harness, but
    the log directory must not be treated as shareable output.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    # `params` is rebound from the harness parameters to the AP config.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the try: that opens the cleanup-protected region, the
    # f.read() assignment to `data`, the pac_file=/pac_file2= arguments
    # closing several eap_connect() calls and the finally: around the
    # os.remove() calls are cut from this view of the file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Second connect: no fast_provisioning, so the stored PAC must be used.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Unauthenticated provisioning into a binary-format PAC blob limited to
    one entry (fast_max_pac_list_len=1); the reauth must report
    tls_session_reused=1, i.e. resumption via the provisioned PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2350 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2351 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2352 check_eap_capa(dev[0], "FAST")
2353 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2354 hostapd.add_ap(apdev[0]['ifname'], params)
2356 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2357 identity="user", anonymous_identity="FAST",
2358 password="password",
2359 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2360 pac_file="blob://fast_pac_not_in_use",
2361 wait_connect=False, scan_freq="2412")
2362 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2364 raise Exception("Timeout on EAP failure report")
2365 dev[0].request("REMOVE_NETWORK all")
2367 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2368 identity="user", anonymous_identity="FAST",
2369 password="password",
2370 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2371 wait_connect=False, scan_freq="2412")
2372 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2374 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Authenticated provisioning (fast_provisioning=2) with GTC as the inner
    # method; the provisioned PAC lands in a config blob.
    sta_cfg = dict(anonymous_identity="FAST", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                   phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_cfg)
    # Data path must be usable after the provisioning round.
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume the TLS session through the new PAC.
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2390 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2391 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2392 check_eap_capa(dev[0], "FAST")
2393 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2394 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2395 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2396 anonymous_identity="FAST", password="password",
2397 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2398 phase1="fast_provisioning=2",
2399 pac_file="blob://fast_pac_auth")
2400 dev[0].set_network_quoted(id, "identity", "user2")
2401 dev[0].wait_disconnected()
2402 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2404 raise Exception("EAP-FAST not started")
2405 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2407 raise Exception("EAP failure not reported")
2408 dev[0].wait_disconnected()
2410 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2411 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2412 check_eap_capa(dev[0], "FAST")
2413 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2414 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2415 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2416 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2417 identity="user", anonymous_identity="FAST",
2418 password="password", ca_cert="auth_serv/ca.pem",
2420 phase1="fast_provisioning=2",
2421 pac_file="blob://fast_pac_auth",
2422 wait_connect=False, scan_freq="2412")
2423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2425 raise Exception("EAP failure not reported")
2426 dev[0].request("DISCONNECT")
2428 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2429 """EAP-FAST/MSCHAPv2 and server OOM"""
2430 check_eap_capa(dev[0], "FAST")
2432 params = int_eap_server_params()
2433 params['dh_file'] = 'auth_serv/dh.conf'
2434 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2435 params['eap_fast_a_id'] = '1011'
2436 params['eap_fast_a_id_info'] = 'another test server'
2437 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2439 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2440 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2441 anonymous_identity="FAST", password="password",
2442 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2443 phase1="fast_provisioning=1",
2444 pac_file="blob://fast_pac",
2445 expect_failure=True)
2446 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2448 raise Exception("No EAP failure reported")
2449 dev[0].wait_disconnected()
2450 dev[0].request("DISCONNECT")
2452 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 makes a valid stapled OCSP response mandatory on the station
    # side; the client credential comes from a PKCS#12 bundle.
    sta_cfg = dict(ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **sta_cfg)
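def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP using the integrated EAP server.

    Each call builds a fresh dict: callers routinely mutate the result
    (override server_cert/private_key, add ocsp_stapling_response or
    dh_file, ...) before handing it to hostapd.add_ap(), so a shared
    module-level dict would leak settings between test cases.

    Returns:
        dict mapping hostapd.conf keys to their string values.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        # Built-in EAP server with a local user database and TLS credentials.
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }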
2471 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2472 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2473 params = int_eap_server_params()
2474 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2475 hostapd.add_ap(apdev[0]['ifname'], params)
2476 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2477 identity="tls user", ca_cert="auth_serv/ca.pem",
2478 private_key="auth_serv/user.pkcs12",
2479 private_key_passwd="whatever", ocsp=2,
2480 wait_connect=False, scan_freq="2412")
2483 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2485 raise Exception("Timeout on EAP status")
2486 if 'bad certificate status response' in ev:
2490 raise Exception("Unexpected number of EAP status messages")
2492 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2494 raise Exception("Timeout on EAP failure report")
2496 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2497 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2498 params = int_eap_server_params()
2499 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2500 hostapd.add_ap(apdev[0]['ifname'], params)
2501 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2502 identity="tls user", ca_cert="auth_serv/ca.pem",
2503 private_key="auth_serv/user.pkcs12",
2504 private_key_passwd="whatever", ocsp=2,
2505 wait_connect=False, scan_freq="2412")
2508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2510 raise Exception("Timeout on EAP status")
2511 if 'bad certificate status response' in ev:
2515 raise Exception("Unexpected number of EAP status messages")
2517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2519 raise Exception("Timeout on EAP failure report")
2521 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2522 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2523 params = int_eap_server_params()
2524 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2525 hostapd.add_ap(apdev[0]['ifname'], params)
2526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2527 identity="tls user", ca_cert="auth_serv/ca.pem",
2528 private_key="auth_serv/user.pkcs12",
2529 private_key_passwd="whatever", ocsp=2,
2530 wait_connect=False, scan_freq="2412")
2533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2535 raise Exception("Timeout on EAP status")
2536 if 'bad certificate status response' in ev:
2540 raise Exception("Unexpected number of EAP status messages")
2542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2544 raise Exception("Timeout on EAP failure report")
2546 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2547 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2548 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2549 if not os.path.exists(ocsp):
2550 raise HwsimSkip("No OCSP response available")
2551 params = int_eap_server_params()
2552 params["ocsp_stapling_response"] = ocsp
2553 hostapd.add_ap(apdev[0]['ifname'], params)
2554 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2555 identity="pap user", ca_cert="auth_serv/ca.pem",
2556 anonymous_identity="ttls", password="password",
2557 phase2="auth=PAP", ocsp=2,
2558 wait_connect=False, scan_freq="2412")
2561 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2563 raise Exception("Timeout on EAP status")
2564 if 'bad certificate status response' in ev:
2566 if 'certificate revoked' in ev:
2570 raise Exception("Unexpected number of EAP status messages")
2572 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2574 raise Exception("Timeout on EAP failure report")
2576 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2577 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2578 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2579 if not os.path.exists(ocsp):
2580 raise HwsimSkip("No OCSP response available")
2581 params = int_eap_server_params()
2582 params["ocsp_stapling_response"] = ocsp
2583 hostapd.add_ap(apdev[0]['ifname'], params)
2584 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2585 identity="pap user", ca_cert="auth_serv/ca.pem",
2586 anonymous_identity="ttls", password="password",
2587 phase2="auth=PAP", ocsp=2,
2588 wait_connect=False, scan_freq="2412")
2591 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2593 raise Exception("Timeout on EAP status")
2594 if 'bad certificate status response' in ev:
2598 raise Exception("Unexpected number of EAP status messages")
2600 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2602 raise Exception("Timeout on EAP failure report")
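def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise using EAP-TTLS and optional OCSP with status unknown

    The stapled response reports the server certificate status as
    unknown. With ocsp=1 (request, but do not require) the station is
    expected to complete the connection; the ocsp=2 variant
    test_ap_wpa2_eap_ttls_ocsp_unknown expects an EAP failure instead.
    """
    # The response file is produced by the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Use a distinct name so the 'params' fixture is not shadowed.
    srv_params = int_eap_server_params()
    srv_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")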
2617 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2618 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2619 params = int_eap_server_params()
2620 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2621 params["private_key"] = "auth_serv/server-no-dnsname.key"
2622 hostapd.add_ap(apdev[0]['ifname'], params)
2623 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2624 identity="tls user", ca_cert="auth_serv/ca.pem",
2625 private_key="auth_serv/user.pkcs12",
2626 private_key_passwd="whatever",
2627 domain_suffix_match="server3.w1.fi",
2630 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2631 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2632 params = int_eap_server_params()
2633 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2634 params["private_key"] = "auth_serv/server-no-dnsname.key"
2635 hostapd.add_ap(apdev[0]['ifname'], params)
2636 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2637 identity="tls user", ca_cert="auth_serv/ca.pem",
2638 private_key="auth_serv/user.pkcs12",
2639 private_key_passwd="whatever",
2640 domain_match="server3.w1.fi",
2643 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2644 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2645 check_domain_match_full(dev[0])
2646 params = int_eap_server_params()
2647 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2648 params["private_key"] = "auth_serv/server-no-dnsname.key"
2649 hostapd.add_ap(apdev[0]['ifname'], params)
2650 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2651 identity="tls user", ca_cert="auth_serv/ca.pem",
2652 private_key="auth_serv/user.pkcs12",
2653 private_key_passwd="whatever",
2654 domain_suffix_match="w1.fi",
2657 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2658 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2659 params = int_eap_server_params()
2660 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2661 params["private_key"] = "auth_serv/server-no-dnsname.key"
2662 hostapd.add_ap(apdev[0]['ifname'], params)
2663 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2664 identity="tls user", ca_cert="auth_serv/ca.pem",
2665 private_key="auth_serv/user.pkcs12",
2666 private_key_passwd="whatever",
2667 domain_suffix_match="example.com",
2670 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2671 identity="tls user", ca_cert="auth_serv/ca.pem",
2672 private_key="auth_serv/user.pkcs12",
2673 private_key_passwd="whatever",
2674 domain_suffix_match="erver3.w1.fi",
2677 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2679 raise Exception("Timeout on EAP failure report")
2680 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2682 raise Exception("Timeout on EAP failure report (2)")
2684 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2685 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2686 params = int_eap_server_params()
2687 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2688 params["private_key"] = "auth_serv/server-no-dnsname.key"
2689 hostapd.add_ap(apdev[0]['ifname'], params)
2690 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2691 identity="tls user", ca_cert="auth_serv/ca.pem",
2692 private_key="auth_serv/user.pkcs12",
2693 private_key_passwd="whatever",
2694 domain_match="example.com",
2697 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2698 identity="tls user", ca_cert="auth_serv/ca.pem",
2699 private_key="auth_serv/user.pkcs12",
2700 private_key_passwd="whatever",
2701 domain_match="w1.fi",
2704 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2706 raise Exception("Timeout on EAP failure report")
2707 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2709 raise Exception("Timeout on EAP failure report (2)")
2711 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2712 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2713 skip_with_fips(dev[0])
2714 params = int_eap_server_params()
2715 params["server_cert"] = "auth_serv/server-expired.pem"
2716 params["private_key"] = "auth_serv/server-expired.key"
2717 hostapd.add_ap(apdev[0]['ifname'], params)
2718 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2719 identity="mschap user", password="password",
2720 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2723 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2725 raise Exception("Timeout on EAP certificate error report")
2726 if "reason=4" not in ev or "certificate has expired" not in ev:
2727 raise Exception("Unexpected failure reason: " + ev)
2728 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2730 raise Exception("Timeout on EAP failure report")
2732 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2733 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2734 skip_with_fips(dev[0])
2735 params = int_eap_server_params()
2736 params["server_cert"] = "auth_serv/server-expired.pem"
2737 params["private_key"] = "auth_serv/server-expired.key"
2738 hostapd.add_ap(apdev[0]['ifname'], params)
2739 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2740 identity="mschap user", password="password",
2741 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2742 phase1="tls_disable_time_checks=1",
2745 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2746 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2747 skip_with_fips(dev[0])
2748 params = int_eap_server_params()
2749 params["server_cert"] = "auth_serv/server-long-duration.pem"
2750 params["private_key"] = "auth_serv/server-long-duration.key"
2751 hostapd.add_ap(apdev[0]['ifname'], params)
2752 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2753 identity="mschap user", password="password",
2754 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2757 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2758 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2759 skip_with_fips(dev[0])
2760 params = int_eap_server_params()
2761 params["server_cert"] = "auth_serv/server-eku-client.pem"
2762 params["private_key"] = "auth_serv/server-eku-client.key"
2763 hostapd.add_ap(apdev[0]['ifname'], params)
2764 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2765 identity="mschap user", password="password",
2766 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2769 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2771 raise Exception("Timeout on EAP failure report")
2773 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2774 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2775 skip_with_fips(dev[0])
2776 params = int_eap_server_params()
2777 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2778 params["private_key"] = "auth_serv/server-eku-client-server.key"
2779 hostapd.add_ap(apdev[0]['ifname'], params)
2780 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2781 identity="mschap user", password="password",
2782 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2785 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2786 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2787 skip_with_fips(dev[0])
2788 params = int_eap_server_params()
2789 del params["server_cert"]
2790 params["private_key"] = "auth_serv/server.pkcs12"
2791 hostapd.add_ap(apdev[0]['ifname'], params)
2792 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2793 identity="mschap user", password="password",
2794 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
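def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Station-side dh_file selects the DH parameter file; the trust anchor
    # is the DER-encoded CA here rather than the PEM most tests use.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)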
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same as the plain dh_params case, but the station loads DSA
    # parameters from a PEM file.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
2815 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2816 """EAP-TTLS and DH params file not found"""
2817 skip_with_fips(dev[0])
2818 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2819 hostapd.add_ap(apdev[0]['ifname'], params)
2820 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2821 identity="mschap user", password="password",
2822 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2823 dh_file="auth_serv/dh-no-such-file.conf",
2824 scan_freq="2412", wait_connect=False)
2825 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2827 raise Exception("EAP failure timed out")
2828 dev[0].request("REMOVE_NETWORK all")
2829 dev[0].wait_disconnected()
2831 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2832 """EAP-TTLS and invalid DH params file"""
2833 skip_with_fips(dev[0])
2834 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2835 hostapd.add_ap(apdev[0]['ifname'], params)
2836 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2837 identity="mschap user", password="password",
2838 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2839 dh_file="auth_serv/ca.pem",
2840 scan_freq="2412", wait_connect=False)
2841 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2843 raise Exception("EAP failure timed out")
2844 dev[0].request("REMOVE_NETWORK all")
2845 dev[0].wait_disconnected()
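def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Push the DH parameters into a wpa_supplicant config blob over the
    # control interface (hex-encoded) and reference it with a blob:// URI
    # instead of a file path. str.encode("hex") is a Python 2 idiom.
    dh = read_pem("auth_serv/dh2.conf")
    res = dev[0].request("SET blob dhparams " + dh.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                   dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)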
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Override the DH parameter file on the hostapd (EAP server) side.
    srv_params = int_eap_server_params()
    srv_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side counterpart of the DSA parameter test: hostapd loads the
    # DSA parameters instead of the station.
    srv_params = int_eap_server_params()
    srv_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], srv_params)
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd must refuse to enable the interface (fail closed) when the
    configured dh_file does not exist.

    NOTE(review): a test with this exact name is defined earlier in this
    file (the station-side dh_file variant). Python keeps the last
    definition, so only this server-side case is reachable under the name;
    the earlier one needs a distinct name to be run at all.
    """
    srv_params = int_eap_server_params()
    srv_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True registers the interface without starting it, so the
    # result of ENABLE can be checked explicitly.
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    A CA certificate is passed as dh_file; hostapd must reject the
    configuration at ENABLE time instead of starting with it.

    NOTE(review): a test with this exact name is defined earlier in this
    file (the station-side dh_file variant). Python keeps the last
    definition, so only this server-side case is reachable under the name;
    the earlier one needs a distinct name to be run at all.
    """
    srv_params = int_eap_server_params()
    srv_params["dh_file"] = "auth_serv/ca.pem"
    # no_enable=True registers the interface without starting it, so the
    # result of ENABLE can be checked explicitly.
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv_params, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
2893 def test_ap_wpa2_eap_reauth(dev, apdev):
2894 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2895 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2896 params['eap_reauth_period'] = '2'
2897 hostapd.add_ap(apdev[0]['ifname'], params)
2898 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2899 password_hex="0123456789abcdef0123456789abcdef")
2900 logger.info("Wait for reauthentication")
2901 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2903 raise Exception("Timeout on reauthentication")
2904 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2906 raise Exception("Timeout on reauthentication")
2907 for i in range(0, 20):
2908 state = dev[0].get_status_field("wpa_state")
2909 if state == "COMPLETED":
2912 if state != "COMPLETED":
2913 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message is carried in EAP-Request/Identity; the literal "\0" in
    # the config value separates the displayable text from the
    # key=value options that follow it.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Any successful EAP exchange is enough; PAX keeps the test short.
    sta_cfg = dict(password_hex="0123456789abcdef0123456789abcdef")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com", **sta_cfg)
2923 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
2924 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
2925 check_hlr_auc_gw_support()
2926 params = int_eap_server_params()
2927 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
2928 params['eap_sim_aka_result_ind'] = "1"
2929 hostapd.add_ap(apdev[0]['ifname'], params)
2931 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
2932 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
2933 phase1="result_ind=1")
2934 eap_reauth(dev[0], "SIM")
2935 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
2936 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
2938 dev[0].request("REMOVE_NETWORK all")
2939 dev[1].request("REMOVE_NETWORK all")
2941 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2942 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2943 phase1="result_ind=1")
2944 eap_reauth(dev[0], "AKA")
2945 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2946 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2948 dev[0].request("REMOVE_NETWORK all")
2949 dev[1].request("REMOVE_NETWORK all")
2951 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2952 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2953 phase1="result_ind=1")
2954 eap_reauth(dev[0], "AKA'")
2955 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2956 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2958 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2959 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2960 skip_with_fips(dev[0])
2961 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2962 hostapd.add_ap(apdev[0]['ifname'], params)
2963 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2964 eap="TTLS", identity="mschap user",
2965 wait_connect=False, scan_freq="2412", ieee80211w="1",
2966 anonymous_identity="ttls", password="password",
2967 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2969 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2971 raise Exception("EAP roundtrip limit not reached")
2973 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2974 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2975 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2976 hostapd.add_ap(apdev[0]['ifname'], params)
2977 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2978 eap="PSK", identity="vendor-test",
2979 password_hex="ff23456789abcdef0123456789abcdef",
2983 for i in range(0, 5):
2984 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2986 raise Exception("Association and EAP start timed out")
2987 if "refuse proposed method" in ev:
2991 raise Exception("Unexpected EAP status: " + ev)
2993 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2995 raise Exception("EAP failure timed out")
2997 def test_ap_wpa2_eap_sql(dev, apdev, params):
2998 """WPA2-Enterprise connection using SQLite for user DB"""
2999 skip_with_fips(dev[0])
3003 raise HwsimSkip("No sqlite3 module available")
3004 dbfile = os.path.join(params['logdir'], "eap-user.db")
3009 con = sqlite3.connect(dbfile)
3012 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3013 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3014 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3015 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3016 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3017 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3018 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3019 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3022 params = int_eap_server_params()
3023 params["eap_user_file"] = "sqlite:" + dbfile
3024 hostapd.add_ap(apdev[0]['ifname'], params)
3025 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3026 anonymous_identity="ttls", password="password",
3027 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3028 dev[0].request("REMOVE_NETWORK all")
3029 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3030 anonymous_identity="ttls", password="password",
3031 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3032 dev[1].request("REMOVE_NETWORK all")
3033 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3034 anonymous_identity="ttls", password="password",
3035 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3036 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3037 anonymous_identity="ttls", password="password",
3038 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3042 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3043 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3044 params = int_eap_server_params()
3045 hostapd.add_ap(apdev[0]['ifname'], params)
3046 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3047 identity="\x80", password="password", wait_connect=False)
3048 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3049 identity="a\x80", password="password", wait_connect=False)
3050 for i in range(0, 2):
3051 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3053 raise Exception("Association and EAP start timed out")
3054 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3056 raise Exception("EAP method selection timed out")
3058 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3059 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3060 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3061 hostapd.add_ap(apdev[0]['ifname'], params)
3062 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3063 identity="\x80", password="password", wait_connect=False)
3064 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3065 identity="a\x80", password="password", wait_connect=False)
3066 for i in range(0, 2):
3067 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3069 raise Exception("Association and EAP start timed out")
3070 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3072 raise Exception("EAP method selection timed out")
3074 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3075 """OpenSSL cipher suite configuration on wpa_supplicant"""
3076 tls = dev[0].request("GET tls_library")
3077 if not tls.startswith("OpenSSL"):
3078 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3079 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3080 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3081 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3082 anonymous_identity="ttls", password="password",
3083 openssl_ciphers="AES128",
3084 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3085 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3086 anonymous_identity="ttls", password="password",
3087 openssl_ciphers="EXPORT",
3088 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3089 expect_failure=True, maybe_local_error=True)
3090 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3091 identity="pap user", anonymous_identity="ttls",
3092 password="password",
3093 openssl_ciphers="FOO",
3094 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3096 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3098 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3099 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd.

    Runs hostapd's internal EAP server with ``openssl_ciphers`` set to
    ``AES256`` and checks, with three stations, that: a client using its
    default cipher list connects; a client restricted to ``AES128`` is
    rejected (the test expects no suite in common); and a client offering
    ``HIGH:!ADH`` connects. A second AP is then configured with an
    unparseable cipher string and must refuse to be enabled rather than
    fall back to a library default.

    Skips unless both wpa_supplicant and hostapd use OpenSSL, since the
    cipher-string syntax is OpenSSL-specific.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # Default client list: overlaps with the server's AES256-only set.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # AES128-only client against an AES256-only server: handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)

    # Broad list without anonymous DH still intersects with AES256.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Misconfiguration must fail closed: ENABLE has to report FAIL for an
    # invalid cipher string instead of starting the AP with default ciphers.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    enable_res = hapd2.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid openssl_ciphers value accepted")
3130 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3131 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Verifies that wpa_supplicant does not keep key material around longer
# than necessary: the keying hierarchy (MSK/EMSK/PMK/PTK/GTK) is recovered
# from the debug log, the supplicant's process memory is snapshotted at
# successive lifecycle points (associated, disconnected, PMKSA flushed,
# network removed) and each key is checked for presence or absence.
# `params` here is the test-run parameter dict (it supplies 'logdir'), not
# the AP configuration.
3132 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3133 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# Long random-looking password so memory hits are unlikely to be false
# positives from unrelated data.
3134 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3135 pid = find_wpas_process(dev[0])
3136 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3137 anonymous_identity="ttls", password=password,
3138 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Snapshot while associated; taken before disconnecting so the PTK/GTK are
# still expected to be live.
3140 buf = read_process_memory(pid, password)
3142 dev[0].request("DISCONNECT")
3143 dev[0].wait_disconnected()
# NOTE(review): lines between here and the log parsing (3144-3150) are
# missing from this rendering; the key variables read below are presumably
# initialised to None there - confirm in the original file.
# Recover the derived keys from the hexdump lines in the supplicant's debug
# log. Each matching line is split on ':' and the 4th field holds the hex.
3151 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3152 for l in f.readlines():
3153 if "EAP-TTLS: Derived key - hexdump" in l:
3154 val = l.strip().split(':')[3].replace(' ', '')
3155 msk = binascii.unhexlify(val)
3156 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3157 val = l.strip().split(':')[3].replace(' ', '')
3158 emsk = binascii.unhexlify(val)
3159 if "WPA: PMK - hexdump" in l:
3160 val = l.strip().split(':')[3].replace(' ', '')
3161 pmk = binascii.unhexlify(val)
3162 if "WPA: PTK - hexdump" in l:
3163 val = l.strip().split(':')[3].replace(' ', '')
3164 ptk = binascii.unhexlify(val)
3165 if "WPA: Group Key - hexdump" in l:
3166 val = l.strip().split(':')[3].replace(' ', '')
3167 gtk = binascii.unhexlify(val)
3168 if not msk or not emsk or not pmk or not ptk or not gtk:
3169 raise Exception("Could not find keys from debug log")
# NOTE(review): the GTK length condition (3170) and the lines splitting the
# PTK into kck/kek/tk (3172-3176) are missing from this rendering; kck, kek
# and tk used below come from there.
3171 raise Exception("Unexpected GTK length")
# Prefix for memory-context dumps written when a key is unexpectedly found
# (presumed from verify_not_present's signature - see test_ap_psk).
3177 fname = os.path.join(params['logdir'],
3178 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3180 logger.info("Checking keys in memory while associated")
3181 get_key_locations(buf, password, "Password")
3182 get_key_locations(buf, pmk, "PMK")
3183 get_key_locations(buf, msk, "MSK")
3184 get_key_locations(buf, emsk, "EMSK")
# Password/PMK not being visible makes the test inconclusive (skip) rather
# than failed: without them the memory scan cannot be trusted. KCK/KEK
# missing while associated, or TK/GTK visible in the scanned memory, are
# hard failures.
# NOTE(review): the conditions guarding the raises below (3187, 3189, 3191,
# 3193, 3195) are missing from this rendering.
3185 if password not in buf:
3186 raise HwsimSkip("Password not found while associated")
3188 raise HwsimSkip("PMK not found while associated")
3190 raise Exception("KCK not found while associated")
3192 raise Exception("KEK not found while associated")
3194 raise Exception("TK found from memory")
3196 raise Exception("GTK found from memory")
3198 logger.info("Checking keys in memory after disassociation")
3199 buf = read_process_memory(pid, password)
3201 # Note: Password is still present in network configuration
3202 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3204 get_key_locations(buf, password, "Password")
3205 get_key_locations(buf, pmk, "PMK")
3206 get_key_locations(buf, msk, "MSK")
3207 get_key_locations(buf, emsk, "EMSK")
# Per-association keys must be gone as soon as the association ends.
3208 verify_not_present(buf, kck, fname, "KCK")
3209 verify_not_present(buf, kek, fname, "KEK")
3210 verify_not_present(buf, tk, fname, "TK")
3211 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which drops EAP fast
# re-auth state) should leave no copy of the PMK.
3213 dev[0].request("PMKSA_FLUSH")
3214 dev[0].set_network_quoted(id, "identity", "foo")
3215 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3216 buf = read_process_memory(pid, password)
3217 get_key_locations(buf, password, "Password")
3218 get_key_locations(buf, pmk, "PMK")
3219 get_key_locations(buf, msk, "MSK")
3220 get_key_locations(buf, emsk, "EMSK")
3221 verify_not_present(buf, pmk, fname, "PMK")
# Once the network profile is removed, nothing from the key hierarchy or
# the credential itself should remain in process memory.
3223 dev[0].request("REMOVE_NETWORK all")
3225 logger.info("Checking keys in memory after network profile removal")
3226 buf = read_process_memory(pid, password)
3228 get_key_locations(buf, password, "Password")
3229 get_key_locations(buf, pmk, "PMK")
3230 get_key_locations(buf, msk, "MSK")
3231 get_key_locations(buf, emsk, "EMSK")
3232 verify_not_present(buf, password, fname, "password")
3233 verify_not_present(buf, pmk, fname, "PMK")
3234 verify_not_present(buf, kck, fname, "KCK")
3235 verify_not_present(buf, kek, fname, "KEK")
3236 verify_not_present(buf, tk, fname, "TK")
3237 verify_not_present(buf, gtk, fname, "GTK")
3238 verify_not_present(buf, msk, fname, "MSK")
3239 verify_not_present(buf, emsk, fname, "EMSK")
3241 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3242 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# After a normal EAP-TTLS connection, an EAPOL-Key frame with a legacy
# (RC4/WEP-style) key descriptor is injected towards the supplicant. Such a
# frame has no place in a WPA2 association; the supplicant must accept the
# injection request but discard the frame without affecting the connection.
3243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3244 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3245 bssid = apdev[0]['bssid']
3246 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3247 anonymous_identity="ttls", password="password",
3248 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3250 # Send unexpected WEP EAPOL-Key; this gets dropped
# Hex: 02 = EAPOL version, 03 = EAPOL-Key packet type, 002c = body length,
# 01 = legacy key descriptor type; the remainder is a zero-filled body.
3251 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
# NOTE(review): the condition before this raise (3252) is missing from this
# rendering; presumably it checks the EAPOL_RX response for "OK".
3253 raise Exception("EAPOL_RX to wpa_supplicant failed")
3255 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3256 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs the actual test and always tears the bridge down
# afterwards so a failure does not leave a stray bridge/4addr interface on
# the host for later tests.
# NOTE(review): the br_ifname/ifname assignments and the try/finally lines
# (3257-3259, 3261) are missing from this rendering.
3260 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Cleanup uses argument lists (no shell) and subprocess.call, so a step that
# fails (e.g. bridge already gone) does not mask the test result.
3262 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3263 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3264 subprocess.call(['brctl', 'delbr', br_ifname])
3265 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3267 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of test_ap_wpa2_eap_in_bridge: puts a 4-address station interface
# into a Linux bridge, attaches a separate wpa_supplicant instance to it and
# checks EAP-PAX authentication, re-authentication and reconnect still work
# when EAPOL frames travel through the bridge.
3268 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3269 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the br_ifname and ifname assignments (3270-3272) are missing
# from this rendering.
3273 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Forwarding delay 0 so the bridge port does not sit in learning state while
# the test waits for the association.
3274 subprocess.call(['brctl', 'addbr', br_ifname])
3275 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3276 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
# 4addr mode is what allows a station interface to be a bridge port.
3277 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
# Only the addif step is fatal (check_call); the others are best-effort.
3278 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3279 wpas.interface_add(ifname, br_ifname=br_ifname)
3281 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3282 password_hex="0123456789abcdef0123456789abcdef")
3283 eap_reauth(wpas, "PAX")
3284 # Try again as a regression test for packet socket workaround
3285 eap_reauth(wpas, "PAX")
# Full disconnect/reconnect cycle through the bridged interface.
3286 wpas.request("DISCONNECT")
3287 wpas.wait_disconnected()
3288 wpas.request("RECONNECT")
3289 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled.

    Sets up a standard WPA2-EAP AP, sanity-checks that its first AKM is
    ``WPA-EAP``, then connects with EAP-TTLS/PAP while explicitly enabling
    the TLS session ticket extension via ``phase1`` and finally performs an
    EAP re-authentication over the established association.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Guard against the AP having been brought up with an unexpected AKM
    # list, which would make the rest of the test meaningless.
    akm_list = hapd.get_config()['key_mgmt']
    first_akm = akm_list.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)

    # tls_disable_session_ticket=0 explicitly turns the session ticket
    # extension on for this TTLS connection.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Re-authenticate on the same association; this is the path where a
    # session ticket would be presented.
    eap_reauth(dev[0], "TTLS")
3304 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3305 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# Same shape as the session-ticket test, but with the supplicant's EAP
# interoperability workarounds disabled, to confirm that a TTLS/PAP
# connection and re-authentication against hostapd work without them.
3306 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3307 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Sanity check on the AP's advertised AKM before testing.
3308 key_mgmt = hapd.get_config()['key_mgmt']
3309 if key_mgmt.split(' ')[0] != "WPA-EAP":
3310 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3311 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3312 anonymous_identity="ttls", password="password",
3313 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): the last argument line of this eap_connect call (3314) is
# missing from this rendering; presumably phase2="auth=PAP" as in the
# neighbouring tests.
3315 eap_reauth(dev[0], "TTLS")
3317 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3318 """EAP-TLS and server checking CRL"""
# Exercises hostapd's internal EAP server with CRL checking enabled. The
# important property is fail-closed behaviour: with check_crl set but no
# CRL loaded, the client certificate must be rejected; once a CA bundle
# that includes a CRL is configured, the same client is accepted for both
# check_crl values tried.
3319 params = int_eap_server_params()
3320 params['check_crl'] = '1'
3321 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3323 # check_crl=1 and no CRL available --> reject connection
3324 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3325 client_cert="auth_serv/user.pem",
3326 private_key="auth_serv/user.key", expect_failure=True)
3327 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): lines 3328-3329, 3331-3332, 3338-3339 and 3341-3342 are
# missing from this rendering; given that hapd.set() is used to change the
# server's TLS configuration, they presumably disable/re-enable the AP so
# the new ca_cert/check_crl values take effect - confirm in the original.
# Swap in a CA file that carries a CRL alongside the CA certificate.
3330 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3333 # check_crl=1 and valid CRL --> accept
3334 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3335 client_cert="auth_serv/user.pem",
3336 private_key="auth_serv/user.key")
3337 dev[0].request("REMOVE_NETWORK all")
# check_crl=2 extends CRL checking beyond the leaf certificate (see the
# check_crl description in hostapd.conf for the exact scope).
3340 hapd.set("check_crl", "2")
3343 # check_crl=2 and valid CRL --> accept
3344 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3345 client_cert="auth_serv/user.pem",
3346 private_key="auth_serv/user.key")
3347 dev[0].request("REMOVE_NETWORK all")
3349 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3350 """EAP-TLS and OOM"""
# Injects allocation failures into wpa_supplicant's TLS parameter setup and
# checks the failure is reported in a controlled way (a passphrase request
# event) rather than a crash or a silently weakened certificate check.
# All of the matcher options need OpenSSL, hence the three capability checks.
3351 check_subject_match_support(dev[0])
3352 check_altsubject_match_support(dev[0])
3353 check_domain_match_full(dev[0])
3355 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3356 hostapd.add_ap(apdev[0]['ifname'], params)
# (count, func): fail the count-th allocation inside func. All four rounds
# target tls_connection_set_subject_match, with the failure moved one
# allocation later each time.
3358 tests = [ (1, "tls_connection_set_subject_match"),
3359 (2, "tls_connection_set_subject_match"),
3360 (3, "tls_connection_set_subject_match"),
3361 (4, "tls_connection_set_subject_match") ]
3362 for count, func in tests:
3363 with alloc_fail(dev[0], count, func):
# Every certificate matching option is set so each allocation site in the
# function is reached.
3364 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3365 identity="tls user", ca_cert="auth_serv/ca.pem",
3366 client_cert="auth_serv/user.pem",
3367 private_key="auth_serv/user.key",
3368 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3369 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3370 domain_suffix_match="server.w1.fi",
3371 domain_match="server.w1.fi",
3372 wait_connect=False, scan_freq="2412")
3373 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3374 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
# NOTE(review): the guard before this raise (3375) is missing from this
# rendering; presumably `if ev is None:`.
3376 raise Exception("No passphrase request")
3377 dev[0].request("REMOVE_NETWORK all")
3378 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL.

    Adds ``macaddr_acl=2`` to the standard WPA2-EAP AP parameters and
    verifies that station ``dev[1]`` can still complete an EAP-TLS
    authentication against the AP.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 makes hostapd consult the RADIUS server for the MAC ACL
    # decision instead of only a local accept/deny list (see hostapd.conf).
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): dev[1] rather than dev[0] is used; the reason is not
    # visible here - presumably the authentication server's ACL data covers
    # that station's address.
    eap_connect(dev[1], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
3389 def test_ap_wpa2_eap_oom(dev, apdev):
3390 """EAP server and OOM"""
# Server-side counterpart of the client OOM test: the first allocation in
# hostapd's eapol_auth_alloc is made to fail while a station authenticates,
# and the authenticator is expected to recover on the station's retry.
3391 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3392 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Pre-scan so the connect below does not spend its time discovering the AP.
3393 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3395 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3396 # The first attempt fails, but STA will send EAPOL-Start to retry and
# NOTE(review): the rest of this comment (3397) and the trailing arguments
# of the connect call (3402-3403) are missing from this rendering.
3398 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3399 identity="tls user", ca_cert="auth_serv/ca.pem",
3400 client_cert="auth_serv/user.pem",
3401 private_key="auth_serv/user.key",
3404 def check_tls_ver(dev, ap, phase1, expected):
# Helper for the TLS version tests: connects with EAP-TLS using the given
# phase1 string (which carries the tls_disable_tlsv1_* flags) and verifies
# that the negotiated version reported in the supplicant's status matches
# `expected`. Raises Exception on mismatch.
3405 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3406 client_cert="auth_serv/user.pem",
3407 private_key="auth_serv/user.key",
# NOTE(review): the last argument line of the call (3408) and the comparison
# guarding the raise (3410) are missing from this rendering; the former is
# presumably phase1=phase1.
3409 ver = dev.get_status_field("eap_tls_version")
3411 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3413 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3414 """EAP-TLS and TLS version configuration"""
# Checks that the tls_disable_tlsv1_* phase1 flags actually constrain the
# negotiated protocol version: disabling two of the three versions must
# leave exactly the remaining one in use. Only run when both the build-time
# and run-time OpenSSL are 1.0.2, since version pinning behaviour depends
# on the library.
3415 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3416 hostapd.add_ap(apdev[0]['ifname'], params)
3418 tls = dev[0].request("GET tls_library")
3419 if tls.startswith("OpenSSL"):
3420 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
# NOTE(review): the expected-version argument of this first call (3423) is
# missing from this rendering; with 1.0 and 1.1 disabled it is presumably
# "TLSv1.2".
3421 check_tls_ver(dev[0], apdev[0],
3422 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3424 check_tls_ver(dev[1], apdev[0],
3425 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3426 check_tls_ver(dev[2], apdev[0],
3427 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3429 def test_rsn_ie_proto_eap_sta(dev, apdev):
3430 """RSN element protocol testing for EAP cases on STA side"""
3431 bssid = apdev[0]['bssid']
3432 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3433 # This is the RSN element used normally by hostapd
3434 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3435 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3436 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3437 identity="gpsk user",
3438 password="abcdefghijklmnop0123456789abcdef",
3441 tests = [ ('No RSN Capabilities field',
3442 '30120100000fac040100000fac040100000fac01'),
3443 ('No AKM Suite fields',
3444 '300c0100000fac040100000fac04'),
3445 ('No Pairwise Cipher Suite fields',
3446 '30060100000fac04'),
3447 ('No Group Data Cipher Suite field',
3449 for txt,ie in tests:
3450 dev[0].request("DISCONNECT")
3451 dev[0].wait_disconnected()
3454 hapd.set('own_ie_override', ie)
3456 dev[0].request("BSS_FLUSH 0")
3457 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3458 dev[0].select_network(id, freq=2412)
3459 dev[0].wait_connected()