1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
logger = logging.getLogger()  # root logger; the tests below report progress through logger.info()
18 from utils import HwsimSkip, alloc_fail
19 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA/AKA' tests authenticate against hostapd's HLR/AuC
    gateway simulator, which is reached through /tmp/hlr_auc_gw.sock.
    Without that socket there is nothing to test, so HwsimSkip is raised
    instead of letting the test fail later with a timeout.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test when the supplicant build lacks EAP ``method``.

    ``dev.get_capability("eap")`` reports the EAP methods compiled into
    wpa_supplicant; ``method`` is looked up in that result as-is.

    Raises HwsimSkip when the method is not listed.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless the supplicant's TLS library supports ``subject_match``.

    ``GET tls_library`` reports the TLS backend wpa_supplicant was built
    with; every backend other than OpenSSL is treated as lacking support
    for the ``subject_match`` network parameter.

    Raises HwsimSkip for non-OpenSSL builds.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip unless the supplicant's TLS library supports ``altsubject_match``.

    Same rule as check_subject_match_support(): only an OpenSSL-backed
    build is assumed to implement the ``altsubject_match`` parameter.

    Raises HwsimSkip for non-OpenSSL builds.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip unless ``domain_suffix_match`` can match a real suffix.

    With TLS backends other than OpenSSL the test assumes that
    ``domain_suffix_match`` only accepts a full host name match, so tests
    relying on suffix semantics (e.g. "w1.fi" against "server.w1.fi")
    are skipped there.

    Raises HwsimSkip for non-OpenSSL builds.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip unless the TLS backend supports server certificate probing.

    Certificate probing (reporting the server certificate over the control
    interface) is only expected from OpenSSL-backed builds.

    Raises HwsimSkip for non-OpenSSL builds.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
51 with open(fname, "r") as f:
62 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Connect ``dev`` to the test AP with WPA2-Enterprise and verify the EAP run.

    A network block for SSID ``test-wpa2-eap`` is added offering both the
    WPA-EAP and WPA-EAP-SHA256 AKMs, with PMF set to optional
    (``ieee80211w="1"``) so the AP decides whether management frame
    protection is negotiated. Any extra keyword arguments (password,
    ca_cert, phase2, domain_suffix_match, ...) are passed straight to
    ``dev.connect()``.

    ``eap_check_auth()`` then follows the supplicant's control-interface
    events. With ``expect_failure`` the function returns as soon as the
    expected EAP failure and disconnection have been seen; otherwise it also
    waits for hostapd to report the station as connected.

    Returns the network id assigned by the supplicant.
    Raises Exception when hostapd never reports ``AP-STA-CONNECTED``.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        wait_connect=False, scan_freq="2412", ieee80211w="1",
                        **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if expect_failure:
        return netid
    # The supplicant side is done; make sure the AP agrees the STA is up.
    if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
        raise Exception("No connection event received from hostapd")
    return netid
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow ``dev``'s control-interface events through one EAP exchange.

    The expected sequence is EAP start, method selection (the event text must
    contain ``method``), then either:

    * ``expect_failure``: CTRL-EVENT-EAP-FAILURE followed by a disconnection
      that, unless ``local_error_report`` is set, carries IEEE 802.11 reason
      code 23 (IEEE 802.1X authentication failed); or
    * success: CTRL-EVENT-EAP-SUCCESS, then CTRL-EVENT-CONNECTED for an
      initial association or "WPA: Key negotiation completed" for a
      re-authentication (``initial=False``), after which STATUS must show
      wpa_state COMPLETED, the supplicant PAE port Authorized, ``method`` in
      selectedMethod and the key_mgmt matching ``sha256``/``rsn``.

    Raises Exception with a descriptive message on any timeout or mismatch.
    """
    def wait_for(events, msg):
        ev = dev.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(msg)
        return ev

    wait_for(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    selected = wait_for(["CTRL-EVENT-EAP-METHOD"],
                        "EAP method selection timed out")
    # Substring match: note that "AKA" also matches an "AKA'" event.
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here, as in the original flow.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disc = dev.wait_disconnected(timeout=10)
        # reason=23 is what the AP sends after a server-side EAP failure; a
        # locally detected error is reported with a different reason code,
        # which local_error_report=True tolerates.
        if not local_error_report and "reason=23" not in disc:
            raise Exception("Proper reason code for disconnection not reported")
        return

    wait_for(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
    if initial:
        done_events = ["CTRL-EVENT-CONNECTED"]
    else:
        done_events = ["WPA: Key negotiation completed"]
    wait_for(done_events, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected = "WPA2-EAP-SHA256"
    elif rsn:
        expected = "WPA2/IEEE 802.1X/EAP"
    else:
        expected = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAPOL re-authentication on ``dev`` and verify the new EAP run.

    Sends ``REAUTHENTICATE`` and then checks the event sequence with
    ``eap_check_auth(initial=False)``, i.e. success is recognised by the
    "WPA: Key negotiation completed" message rather than by a fresh
    CTRL-EVENT-CONNECTED. Returns whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Ki:OPc pair used by the GSM-Milenage simulation in hlr_auc_gw.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    # A third IMSI is expected to be rejected (presumably not provisioned
    # in hlr_auc_gw).
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Wrong or malformed key material must never produce a successful
    # authentication: wrong Ki, truncated key, non-hex digits in Ki or OPc,
    # and a missing ':' separator.
    negative = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, bad_key in negative:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=bad_key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)
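def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises EAP-SIM fast re-authentication and pseudonym handling against
    the EAP server whose reauth/pseudonym state is kept in the SQLite file
    ``<logdir>/hostapd.db``. Between re-authentications the test edits that
    database directly to push the server down each path: full auth after the
    reauth entry is gone, full auth with the permanent identity after the
    pseudonym is gone too, MK mismatch (must fail), counter mismatch and the
    maximum re-authentication count.

    Skips when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    imsi = "1232010000000000"
    # Ki:OPc for the GSM-Milenage simulation in hlr_auc_gw.
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(stmt, *args):
            # Each change is committed on its own so the EAP server, which
            # reads the same file, sees it before the next REAUTHENTICATE.
            # The IMSI is bound as a parameter rather than spliced into the
            # SQL text.
            with con:
                con.execute(stmt, args)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 is assumed to select the SQLite-backed EAP server
        # instance started by the test setup -- confirm against the runner.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        run_sql("DELETE FROM pseudonyms WHERE permanent=?", imsi)
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "SIM")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent=?", imsi)
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        # Always release the SQLite handle, even when a step above raised.
        con.close()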
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_fail = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are out of range (EAP-SIM uses two or
    # three GSM triplets) and must make method initialization fail before
    # any EAP frames are exchanged.
    for n, suffix in (("1", ""), ("4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1="sim_min_num_chal=" + n,
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_fail], timeout=10) is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    # Two challenges is a valid minimum; a pseudonym-style anonymous_identity
    # is accepted as well.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global supplicant setting: reset it whatever happens
    # so later tests are not left waiting for CTRL-REQ-SIM responses.
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
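def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Drive EAP-SIM with external_sim=1 and feed it bad GSM-AUTH replies.

    With ``external_sim`` enabled the supplicant does not run the SIM
    algorithm itself: it emits ``CTRL-REQ-SIM-<id>:GSM-AUTH:...`` and waits
    for an external entity to answer through ``CTRL-RSP-SIM-<id>``. Every
    reply sent here is either of the wrong type (a UMTS-AUTH answer to a
    GSM-AUTH request) or syntactically bad (non-hex characters, wrong
    lengths, missing or extra fields). The supplicant must reject each one
    and report CTRL-EVENT-EAP-FAILURE instead of deriving keys from it.

    The caller is responsible for ``SET external_sim 0`` afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                           identity="1232010000000000",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Wait for "CTRL-REQ-SIM-<id>:GSM-AUTH:..." and return <id>.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

    # 1) Answer the GSM-AUTH request with a UMTS-AUTH (IK:CK:RES) response.
    #    The ctrl_iface command itself is accepted, so its result is not
    #    checked; the type mismatch is caught while processing the response.
    rid = wait_gsm_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # 2) Malformed GSM-AUTH responses. Each is accepted by the ctrl_iface
    #    (returns OK) but rejected during GSM auth validation.
    bad_responses = ["q",
                     "34",
                     "0011223344556677",
                     "0011223344556677:q",
                     "0011223344556677:00112233",
                     "0011223344556677:00112233:q"]
    for resp in bad_responses:
        dev[0].select_network(netid, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
        # Also disconnect after the last attempt so the device is left idle
        # for the caller's cleanup.
        disconnect()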
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    # Milenage credentials as Ki:OPc:SQN.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Wrong or malformed Milenage material must never authenticate. Entries
    # are (log label, remove the previous network block first, password);
    # the original sequence only clears the network before some of them.
    negative = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, remove_first, bad_key in negative:
        logger.info(label)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=bad_key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", imsi, expect_failure=True)
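def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Same scenario as test_ap_wpa2_eap_sim_sql() for EAP-AKA: the server's
    reauth/pseudonym state in ``<logdir>/hostapd.db`` is edited directly
    between re-authentications to cover full auth with pseudonym, full auth
    with the permanent identity, MK mismatch (must fail), counter mismatch
    and the maximum re-authentication count.

    Skips when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    imsi = "0232010000000000"
    # Milenage credentials as Ki:OPc:SQN.
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(stmt, *args):
            # Commit each change on its own so the EAP server, which reads
            # the same file, sees it before the next REAUTHENTICATE. The
            # IMSI is bound as a parameter, not spliced into the SQL text.
            with con:
                con.execute(stmt, args)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 is assumed to select the SQLite-backed EAP server
        # instance started by the test setup -- confirm against the runner.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        run_sql("DELETE FROM pseudonyms WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent=?", imsi)
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # Always release the SQLite handle, even when a step above raised.
        con.close()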
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A pseudonym-style anonymous_identity alongside the permanent IMSI.
    milenage_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage_key, anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim is a global supplicant setting: reset it whatever happens
    # so later tests are not left waiting for CTRL-REQ-SIM responses.
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
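def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Drive EAP-AKA with external_sim=1 and feed it bad UMTS replies.

    With ``external_sim`` enabled the supplicant emits
    ``CTRL-REQ-SIM-<id>:UMTS-AUTH:...`` and waits for an external entity to
    answer through ``CTRL-RSP-SIM-<id>``. The replies sent here are a
    GSM-AUTH answer to a UMTS request, an AUTS resynchronization followed by
    a truncated AUTS, and a series of UMTS-AUTH (IK:CK:RES) replies that are
    malformed or do not match what the server computed. Each must end in
    CTRL-EVENT-EAP-FAILURE rather than in a key derivation from bad input.

    The caller is responsible for ``SET external_sim 0`` afterwards.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Wait for "CTRL-REQ-SIM-<id>:UMTS-AUTH:..." and return <id>.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def respond(suffix):
        # suffix is everything after "CTRL-RSP-SIM-<id>", starting with ':'.
        # The ctrl_iface accepts the command (OK); validation happens later.
        rid = wait_umts_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

    # 1) GSM-AUTH answer to a UMTS-AUTH request: the ctrl_iface command is
    #    accepted (result deliberately not checked) but processing fails.
    rid = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # 2) A full-length UMTS-AUTS (resynchronization) reply makes the
    #    supplicant issue a second UMTS-AUTH request; a truncated AUTS on
    #    that one fails UMTS auth validation.
    dev[0].select_network(netid, freq="2412")
    respond(":UMTS-AUTS:112233445566778899aabbccddee")
    respond(":UMTS-AUTS:12")
    expect_eap_failure()
    disconnect()

    # 3) UMTS-AUTH replies that are malformed (bad separators, odd lengths,
    #    non-hex) or, for the well-formed first entry, presumably do not
    #    match the server's expected IK:CK:RES.
    bad_replies = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for reply in bad_replies:
        dev[0].select_network(netid, freq="2412")
        respond(reply)
        expect_eap_failure()
        disconnect()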
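def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Also covers the EAP-AKA' bidding-down protection: a peer configured with
    both "AKA' AKA" must end up using AKA', not plain AKA, when the server
    supports AKA'. The original test only waited for the connection, which a
    peer that silently fell back to EAP-AKA would also pass; the method
    actually selected is now verified as well.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "6555444333222111"
    # Milenage credentials as Ki:OPc:SQN.
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)
    # Connecting alone does not prove the downgrade protection held; require
    # that AKA' is the method in use (STATUS reports e.g. "50 (EAP-AKA')").
    selected = dev[1].get_status()["selectedMethod"]
    if "AKA'" not in selected:
        raise Exception("EAP-AKA' not selected with both AKA' and AKA enabled: " + selected)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)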
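def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Same scenario as test_ap_wpa2_eap_sim_sql() for EAP-AKA': the server's
    reauth/pseudonym state in ``<logdir>/hostapd.db`` is edited directly
    between re-authentications. For AKA' the stored re-authentication key is
    ``k_aut`` (the MK of SIM/AKA), so that is the column corrupted to force
    the expected failure.

    Skips when hlr_auc_gw or the sqlite3 module is unavailable.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    imsi = "6555444333222111"
    # Milenage credentials as Ki:OPc:SQN.
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(stmt, *args):
            # Commit each change on its own so the EAP server, which reads
            # the same file, sees it before the next REAUTHENTICATE. The
            # IMSI is bound as a parameter, not spliced into the SQL text.
            with con:
                con.execute(stmt, args)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 is assumed to select the SQLite-backed EAP server
        # instance started by the test setup -- confirm against the runner.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent=?", imsi)
        run_sql("DELETE FROM pseudonyms WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        eap_reauth(dev[0], "AKA'")
        run_sql("UPDATE reauth SET counter='10' WHERE permanent=?", imsi)
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent=?", imsi)
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # Always release the SQLite handle, even when a step above raised.
        con.close()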
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check on the AP side: the first advertised AKM must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password in clear inside the TTLS tunnel, so the server
    # certificate check (ca_cert) is all that protects it from a rogue AP.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # AKM suite selector 00-0f-ac-1 is IEEE 802.1X (WPA-EAP); it must show
    # up both as requested and as selected.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Pin the server certificate's subject and subjectAltName entries on top
    # of the CA check; the altsubject list mixes EMAIL, DNS and URI entries.
    subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    alt_subjects = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=subject,
                altsubject_match=alt_subjects)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A wrong password for "pap user", then the right password for an
    # identity ("user") the test server is expected to reject for PAP.
    attempts = [(dev[0], "pap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # DER-encoded CA certificate this time (the PAP test uses the PEM one).
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Same subjectAltName entries as the PAP variant, listed in a different
    # order: matching must not depend on entry order.
    alt_subjects = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=alt_subjects)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A wrong password for "chap user", then the right password for an
    # identity ("user") the test server is expected to reject for CHAP.
    attempts = [(dev[0], "chap user", "wrong"),
                (dev[1], "user", "password")]
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First run pins the server name via domain_suffix_match.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second run forces small EAP fragments so the TLS handshake is split
    # across many EAP-TTLS messages.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **common)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password, an identity not accepted for MSCHAP, and an unknown
    # user: all three must end in EAP failure.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
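def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a DOMAIN\\user style identity, checks that a
    re-authentication is reflected in the AP's per-STA EAPOL/backend
    counters, and finally authenticates with the NT hash supplied directly
    through ``password_hex`` instead of the cleartext password.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string: "\m" is not a recognised escape, so this is byte-for-byte
    # the same identity as the non-raw literal, without the invalid-escape
    # warning newer Python versions emit for it.
    identity = r"DOMAIN\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP's counters for this STA, re-authenticate, and verify
    # that the second EAP run was accounted for.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # "hash:<NT hash>" hands the supplicant the NT hash of "password"
    # directly. For MSCHAPv2 the hash is password-equivalent, so a stored
    # hash needs the same protection as the cleartext password.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")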
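def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match

    Uses a proper suffix ("w1.fi") rather than the full server name, so the
    test is skipped (check_domain_match_full) on TLS libraries that only
    support a full-name match.
    """
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the control handle needed for the
    # connectivity check below.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" spelled out; "\m" is not a valid escape (same string value).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")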
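def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match requires the full server name to match; the capitalised
    "Server.w1.fi" presumably exercises case-insensitive comparison
    (confirm against the server certificate in auth_serv/).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the control handle needed below.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" spelled out; "\m" is not a valid escape (same string value).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")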
# Negative EAP-TTLS/MSCHAPv2 cases: wrong password (dev[0]) and the identity
# "user" with auth=MSCHAPV2 (dev[1]; presumably not permitted for this inner
# method on the server side - confirm against the EAP user database).
# NOTE(review): the closing argument line of both eap_connect() calls is not
# present in this listing (presumably expect_failure=True).
873 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
874 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
875 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
876 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
877 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
878 anonymous_identity="ttls", password="password1",
879 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
881 eap_connect(dev[1], apdev[0], "TTLS", "user",
882 anonymous_identity="ttls", password="password",
883 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
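def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] supplies the UTF-8 password in plaintext, dev[1] supplies the
    credential as a precomputed NT hash (password_hex). Presumably the server
    entry for "utf8-user-hash" stores the hashed form - confirm against the
    EAP user database.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The separately constructed Hostapd() handle was never used; add_ap()
    # is sufficient to bring the AP up.
    hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)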
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    EAP-GTC is run as the tunneled inner EAP method (autheap=GTC); data
    connectivity is checked and the station reauthenticates once.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], ap, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 is run as the tunneled inner EAP method (autheap=MD5); data
    connectivity is checked and the station reauthenticates once.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], ap, "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
# Negative EAP-TTLS/EAP-MD5 case with a wrong password.
# NOTE(review): the closing argument line of the eap_connect() call is not
# present in this listing (presumably expect_failure=True).
919 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
920 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
921 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
922 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
923 eap_connect(dev[0], apdev[0], "TTLS", "user",
924 anonymous_identity="ttls", password="wrong",
925 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
# Server-side allocation failure injection (alloc_fail from utils) on the
# internal EAP server: first in eap_md5_init during an eap_connect(), then
# in eap_md5_buildReq during a connect that is not waited for.
# NOTE(review): several lines are not present in this listing - the closing
# argument of the first eap_connect() (presumably expect_failure=True), the
# wait loop between the comment and the GET_ALLOC_FAIL check, and the body
# of that if statement.
928 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
929 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
930 params = int_eap_server_params()
931 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
932 with alloc_fail(hapd, 1, "eap_md5_init"):
933 eap_connect(dev[0], apdev[0], "TTLS", "user",
934 anonymous_identity="ttls", password="password",
935 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
937 dev[0].request("REMOVE_NETWORK all")
939 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
940 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
941 eap="TTLS", identity="user",
942 anonymous_identity="ttls", password="password",
943 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
944 wait_connect=False, scan_freq="2412")
945 # This would eventually time out, but we can stop after having reached
946 # the allocation failure.
# GET_ALLOC_FAIL starting with '0' means the injected failure has been consumed.
949 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
# EAP-MSCHAPv2 as the tunneled inner EAP method (autheap=MSCHAPV2), with a
# connectivity check, a reauthentication and then a wrong-password attempt.
# NOTE(review): the closing argument line of the last eap_connect() call is
# not present in this listing (presumably expect_failure=True).
952 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
953 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
954 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956 eap_connect(dev[0], apdev[0], "TTLS", "user",
957 anonymous_identity="ttls", password="password",
958 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
959 hwsim_utils.test_connectivity(dev[0], hapd)
960 eap_reauth(dev[0], "TTLS")
962 logger.info("Negative test with incorrect password")
963 dev[0].request("REMOVE_NETWORK all")
964 eap_connect(dev[0], apdev[0], "TTLS", "user",
965 anonymous_identity="ttls", password="password1",
966 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA runs as the tunneled inner method; the password carries the
    colon-separated AKA test credential (presumably Ki:OPc:SQN - confirm
    against the hlr_auc_gw test database).
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_cred = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_cred,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA runs inside the PEAP tunnel; the password carries the
    colon-separated AKA test credential (presumably Ki:OPc:SQN - confirm
    against the hlr_auc_gw test database).
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_cred = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_cred,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Skipped when the build lacks EAP-FAST. The PAC is provisioned into the
    blob "fast_pac_auth_aka" (fast_provisioning=2) and EAP-AKA runs as the
    inner method.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_cred = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=aka_cred,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four passes against the same AP with dev[0]: a plain connection (with
    connectivity check and reauthentication), the same with a small EAP
    fragment_size, the password supplied as an NT hash, and finally a wrong
    password that must fail.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and crypto_binding=2 (required),
    1 (used if the server supports it) and 0 (not used); dev[0] also
    verifies data connectivity and reauthentication.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
# PEAP phase1 parameter variations: dev[0] with "peapver=0 peaplabel=1" is
# expected to fail; dev[1]/dev[2] with peap_outer_success=1/2 must connect;
# the final dev[0].connect() with "peapver=1 peaplabel=1" expects an
# EAP-Success event but no CTRL-EVENT-CONNECTED within 1 s (presumably the
# label-1 key derivation does not match the server's - confirm).
# NOTE(review): lines are missing from this listing - the identity argument
# of the last dev[0].connect() call and the `if` guards that precede the two
# raise statements at the end (the first presumably tests ev is None, the
# second ev is not None).
1048 def test_ap_wpa2_eap_peap_params(dev, apdev):
1049 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1050 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1051 hostapd.add_ap(apdev[0]['ifname'], params)
1052 eap_connect(dev[0], apdev[0], "PEAP", "user",
1053 anonymous_identity="peap", password="password",
1054 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1055 phase1="peapver=0 peaplabel=1",
1056 expect_failure=True)
1057 dev[0].request("REMOVE_NETWORK all")
1058 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1059 ca_cert="auth_serv/ca.pem",
1060 phase1="peap_outer_success=1",
1061 phase2="auth=MSCHAPV2")
1062 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1063 ca_cert="auth_serv/ca.pem",
1064 phase1="peap_outer_success=2",
1065 phase2="auth=MSCHAPV2")
1066 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1068 anonymous_identity="peap", password="password",
1069 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1070 phase1="peapver=1 peaplabel=1",
1071 wait_connect=False, scan_freq="2412")
1072 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1074 raise Exception("No EAP success seen")
# A short timeout on purpose: the connection is expected NOT to complete.
1075 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1077 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS runs inside the PEAP tunnel; the inner TLS exchange gets its own
    CA, client certificate and private key via the *2 (phase 2) parameters.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Mutual certificate authentication with file-based credentials, followed
    by one reauthentication.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
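def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are loaded into
    wpa_supplicant as named configuration blobs ("SET blob <name> <hex>")
    and referenced from the network block as blob://<name> instead of as
    file paths.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, fname):
        # read_pem() returns the base64-decoded PEM body; the control
        # interface takes the blob contents hex-encoded.
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Report the blob that actually failed (the userkey failure used
            # to be reported as "cacert").
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")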
# EAP-TLS with the client credential in a PKCS#12 file: first with the
# passphrase given in the network block, then without it, answering the
# CTRL-REQ-PASSPHRASE request over the control interface instead.
# NOTE(review): the `if` guard preceding the "Request for private key
# passphrase timed out" raise is not present in this listing (presumably
# ev is None).
1116 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1117 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1118 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1119 hostapd.add_ap(apdev[0]['ifname'], params)
1120 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1121 private_key="auth_serv/user.pkcs12",
1122 private_key_passwd="whatever")
1123 dev[0].request("REMOVE_NETWORK all")
1124 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1125 identity="tls user",
1126 ca_cert="auth_serv/ca.pem",
1127 private_key="auth_serv/user.pkcs12",
1128 wait_connect=False, scan_freq="2412")
# No explicit timeout here, unlike the other wait_event() calls in this file.
1129 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1131 raise Exception("Request for private key passphrase timed out")
# The request event carries the network id; the response is keyed on it.
1132 id = ev.split(':')[0].split('-')[-1]
1133 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1134 dev[0].wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (base64-decoded from PEM) and the raw PKCS#12 file are
    both stored as configuration blobs and referenced as blob://<name>.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    ca_der = read_pem("auth_serv/ca.pem")
    res = dev[0].request("SET blob cacert " + ca_der.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set cacert blob")

    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    res = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set pkcs12 blob")

    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
# Negative test: the configured trust root (ca-incorrect.pem, as a blob on
# dev[0] and as a file on dev[1]) does not issue the server certificate.
# Both stations must go through EAP-STARTED -> EAP-METHOD (TTLS) ->
# EAP-TLS-CERT-ERROR -> EAP-FAILURE -> DISCONNECTED and then temporarily
# disable the network block.
# NOTE(review): the `if` guards preceding the "... timed out" / "... not
# reported" raise statements are not present in this listing (presumably
# ev is None).
1150 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1151 """WPA2-Enterprise negative test - incorrect trust root"""
1152 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1153 hostapd.add_ap(apdev[0]['ifname'], params)
1154 cert = read_pem("auth_serv/ca-incorrect.pem")
1155 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1156 raise Exception("Could not set cacert blob")
1157 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1158 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1159 password="password", phase2="auth=MSCHAPV2",
1160 ca_cert="blob://cacert",
1161 wait_connect=False, scan_freq="2412")
1162 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1163 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1164 password="password", phase2="auth=MSCHAPV2",
1165 ca_cert="auth_serv/ca-incorrect.pem",
1166 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop variable rebinds the `dev` parameter. The tuple is
# built before the rebinding so it works, but a distinct name would be clearer.
1168 for dev in (dev[0], dev[1]):
1169 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1171 raise Exception("Association and EAP start timed out")
1173 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1175 raise Exception("EAP method selection timed out")
1176 if "TTLS" not in ev:
1177 raise Exception("Unexpected EAP method")
# Any of the success/connect events here would mean the bad trust root was accepted.
1179 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1180 "CTRL-EVENT-EAP-SUCCESS",
1181 "CTRL-EVENT-EAP-FAILURE",
1182 "CTRL-EVENT-CONNECTED",
1183 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1185 raise Exception("EAP result timed out")
1186 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1187 raise Exception("TLS certificate error not reported")
1189 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1190 "CTRL-EVENT-EAP-FAILURE",
1191 "CTRL-EVENT-CONNECTED",
1192 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1194 raise Exception("EAP result(2) timed out")
1195 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1196 raise Exception("EAP failure not reported")
1198 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1199 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1201 raise Exception("EAP result(3) timed out")
1202 if "CTRL-EVENT-DISCONNECTED" not in ev:
1203 raise Exception("Disconnection not reported")
1205 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1207 raise Exception("Network block disabling not reported")
# After a successful EAP-TTLS/PAP connection with the correct CA, a second
# network block that trusts ca-incorrect.pem is added (only_add_network) and
# selected. EAP-TTLS (method 21) must be restarted for it and the station
# must then be disconnected with reason=23 (IEEE 802.1X authentication
# failed) - the cached session must not let the new block skip validation.
# NOTE(review): the `if` guard preceding "EAP-TTLS not re-started" is not
# present in this listing (presumably ev is None); hapd is assigned but unused.
1209 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1210 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1211 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1212 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1213 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1214 identity="pap user", anonymous_identity="ttls",
1215 password="password", phase2="auth=PAP",
1216 ca_cert="auth_serv/ca.pem",
1217 wait_connect=True, scan_freq="2412")
1218 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1219 identity="pap user", anonymous_identity="ttls",
1220 password="password", phase2="auth=PAP",
1221 ca_cert="auth_serv/ca-incorrect.pem",
1222 only_add_network=True, scan_freq="2412")
1224 dev[0].request("DISCONNECT")
1225 dev[0].wait_disconnected()
1226 dev[0].dump_monitor()
1227 dev[0].select_network(id, freq="2412")
1229 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1231 raise Exception("EAP-TTLS not re-started")
1233 ev = dev[0].wait_disconnected(timeout=15)
1234 if "reason=23" not in ev:
1235 raise Exception("Proper reason code for disconnection not reported")
# Variant of the CA-trust test where the first network block has no ca_cert
# at all, i.e. the server certificate is not validated on the initial
# connection. Selecting the second block (ca-incorrect.pem) must still
# restart EAP-TTLS (method 21) and end in a disconnection with reason=23
# (IEEE 802.1X authentication failed).
# NOTE(review): the `if` guard preceding "EAP-TTLS not re-started" is not
# present in this listing (presumably ev is None); hapd is assigned but unused.
1237 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1238 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (no ca_cert in the first network block)"""
1239 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1240 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1241 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1242 identity="pap user", anonymous_identity="ttls",
1243 password="password", phase2="auth=PAP",
1244 wait_connect=True, scan_freq="2412")
1245 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1246 identity="pap user", anonymous_identity="ttls",
1247 password="password", phase2="auth=PAP",
1248 ca_cert="auth_serv/ca-incorrect.pem",
1249 only_add_network=True, scan_freq="2412")
1251 dev[0].request("DISCONNECT")
1252 dev[0].wait_disconnected()
1253 dev[0].dump_monitor()
1254 dev[0].select_network(id, freq="2412")
1256 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1258 raise Exception("EAP-TTLS not re-started")
1260 ev = dev[0].wait_disconnected(timeout=15)
1261 if "reason=23" not in ev:
1262 raise Exception("Proper reason code for disconnection not reported")
# Variant of the CA-trust test that modifies the existing network block in
# place (set_network_quoted ca_cert -> ca-incorrect.pem) instead of adding a
# second block. Re-selecting it must restart EAP-TTLS (method 21) and end in
# a disconnection with reason=23 (IEEE 802.1X authentication failed).
# NOTE(review): the `if` guard preceding "EAP-TTLS not re-started" is not
# present in this listing (presumably ev is None); hapd is assigned but unused.
1264 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1265 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (ca_cert changed in place)"""
1266 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1267 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1268 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1269 identity="pap user", anonymous_identity="ttls",
1270 password="password", phase2="auth=PAP",
1271 ca_cert="auth_serv/ca.pem",
1272 wait_connect=True, scan_freq="2412")
1273 dev[0].request("DISCONNECT")
1274 dev[0].wait_disconnected()
1275 dev[0].dump_monitor()
1276 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1277 dev[0].select_network(id, freq="2412")
1279 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1281 raise Exception("EAP-TTLS not re-started")
1283 ev = dev[0].wait_disconnected(timeout=15)
1284 if "reason=23" not in ev:
1285 raise Exception("Proper reason code for disconnection not reported")
# Negative test: the trust root is correct but domain_suffix_match names a
# domain the server certificate does not carry. Expected event sequence:
# EAP-STARTED -> EAP-METHOD (TTLS) -> EAP-TLS-CERT-ERROR carrying
# "Domain suffix mismatch" -> EAP-FAILURE -> DISCONNECTED -> SSID-TEMP-DISABLED.
# NOTE(review): the `if` guards preceding the "... timed out" raise
# statements are not present in this listing (presumably ev is None).
1287 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1288 """WPA2-Enterprise negative test - domain suffix mismatch"""
1289 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1290 hostapd.add_ap(apdev[0]['ifname'], params)
1291 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1292 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1293 password="password", phase2="auth=MSCHAPV2",
1294 ca_cert="auth_serv/ca.pem",
1295 domain_suffix_match="incorrect.example.com",
1296 wait_connect=False, scan_freq="2412")
1298 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1300 raise Exception("Association and EAP start timed out")
1302 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1304 raise Exception("EAP method selection timed out")
1305 if "TTLS" not in ev:
1306 raise Exception("Unexpected EAP method")
# Any success/connect event here would mean the suffix check was bypassed.
1308 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1309 "CTRL-EVENT-EAP-SUCCESS",
1310 "CTRL-EVENT-EAP-FAILURE",
1311 "CTRL-EVENT-CONNECTED",
1312 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1314 raise Exception("EAP result timed out")
1315 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1316 raise Exception("TLS certificate error not reported")
1317 if "Domain suffix mismatch" not in ev:
1318 raise Exception("Domain suffix mismatch not reported")
1320 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1321 "CTRL-EVENT-EAP-FAILURE",
1322 "CTRL-EVENT-CONNECTED",
1323 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1325 raise Exception("EAP result(2) timed out")
1326 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1327 raise Exception("EAP failure not reported")
1329 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1330 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1332 raise Exception("EAP result(3) timed out")
1333 if "CTRL-EVENT-DISCONNECTED" not in ev:
1334 raise Exception("Disconnection not reported")
1336 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1338 raise Exception("Network block disabling not reported")
# Negative test: domain_match="w1.fi" is only a suffix of the server name,
# and domain_match requires a full match, so the certificate must be
# rejected with "Domain mismatch". Expected event sequence: EAP-STARTED ->
# EAP-METHOD (TTLS) -> EAP-TLS-CERT-ERROR -> EAP-FAILURE -> DISCONNECTED ->
# SSID-TEMP-DISABLED.
# NOTE(review): the `if` guards preceding the "... timed out" raise
# statements are not present in this listing (presumably ev is None).
1340 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1341 """WPA2-Enterprise negative test - domain mismatch"""
1342 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1343 hostapd.add_ap(apdev[0]['ifname'], params)
1344 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1345 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1346 password="password", phase2="auth=MSCHAPV2",
1347 ca_cert="auth_serv/ca.pem",
1348 domain_match="w1.fi",
1349 wait_connect=False, scan_freq="2412")
1351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1353 raise Exception("Association and EAP start timed out")
1355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1357 raise Exception("EAP method selection timed out")
1358 if "TTLS" not in ev:
1359 raise Exception("Unexpected EAP method")
# Any success/connect event here would mean the domain check was bypassed.
1361 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1362 "CTRL-EVENT-EAP-SUCCESS",
1363 "CTRL-EVENT-EAP-FAILURE",
1364 "CTRL-EVENT-CONNECTED",
1365 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1367 raise Exception("EAP result timed out")
1368 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1369 raise Exception("TLS certificate error not reported")
1370 if "Domain mismatch" not in ev:
1371 raise Exception("Domain mismatch not reported")
1373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1374 "CTRL-EVENT-EAP-FAILURE",
1375 "CTRL-EVENT-CONNECTED",
1376 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1378 raise Exception("EAP result(2) timed out")
1379 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1380 raise Exception("EAP failure not reported")
1382 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1383 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1385 raise Exception("EAP result(3) timed out")
1386 if "CTRL-EVENT-DISCONNECTED" not in ev:
1387 raise Exception("Disconnection not reported")
1389 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1391 raise Exception("Network block disabling not reported")
# Negative test: subject_match names a subject DN the server certificate does
# not have, so the certificate must be rejected with "Subject mismatch".
# On TLS libraries other than OpenSSL the option is unsupported; there the
# EAP method fails to initialise, which also counts as a pass (the network
# is never joined).
# NOTE(review): the `if` guards preceding the "... timed out" raise
# statements, and the early return that presumably follows the
# "subject_match not supported" log line, are not present in this listing.
1393 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1394 """WPA2-Enterprise negative test - subject mismatch"""
1395 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1396 hostapd.add_ap(apdev[0]['ifname'], params)
1397 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1398 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1399 password="password", phase2="auth=MSCHAPV2",
1400 ca_cert="auth_serv/ca.pem",
1401 subject_match="/C=FI/O=w1.fi/CN=example.com",
1402 wait_connect=False, scan_freq="2412")
1404 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1406 raise Exception("Association and EAP start timed out")
1408 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1409 "EAP: Failed to initialize EAP method"], timeout=10)
1411 raise Exception("EAP method selection timed out")
# With OpenSSL the option must be accepted; an init failure there is a real error.
1412 if "EAP: Failed to initialize EAP method" in ev:
1413 tls = dev[0].request("GET tls_library")
1414 if tls.startswith("OpenSSL"):
1415 raise Exception("Failed to select EAP method")
1416 logger.info("subject_match not supported - connection failed, so test succeeded")
1418 if "TTLS" not in ev:
1419 raise Exception("Unexpected EAP method")
# Any success/connect event here would mean the subject check was bypassed.
1421 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1422 "CTRL-EVENT-EAP-SUCCESS",
1423 "CTRL-EVENT-EAP-FAILURE",
1424 "CTRL-EVENT-CONNECTED",
1425 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1427 raise Exception("EAP result timed out")
1428 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1429 raise Exception("TLS certificate error not reported")
1430 if "Subject mismatch" not in ev:
1431 raise Exception("Subject mismatch not reported")
1433 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1434 "CTRL-EVENT-EAP-FAILURE",
1435 "CTRL-EVENT-CONNECTED",
1436 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1438 raise Exception("EAP result(2) timed out")
1439 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1440 raise Exception("EAP failure not reported")
1442 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1443 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1445 raise Exception("EAP result(3) timed out")
1446 if "CTRL-EVENT-DISCONNECTED" not in ev:
1447 raise Exception("Disconnection not reported")
1449 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1451 raise Exception("Network block disabling not reported")
# Driver for the altsubject_match negative test: runs the helper below once
# per mismatching altsubject_match value.
# NOTE(review): the remaining entries of `tests` and the `for` line that
# invokes the helper are not present in this listing.
1453 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1454 """WPA2-Enterprise negative test - altsubject mismatch"""
1455 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1456 hostapd.add_ap(apdev[0]['ifname'], params)
1458 tests = [ "incorrect.example.com",
1459 "DNS:incorrect.example.com",
1463 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# One altsubject_match negative round: the server certificate must be
# rejected with "AltSubject mismatch" and the sequence EAP-STARTED ->
# EAP-METHOD (TTLS) -> EAP-TLS-CERT-ERROR -> EAP-FAILURE -> DISCONNECTED ->
# SSID-TEMP-DISABLED must be observed; the network block is removed at the
# end so the caller can run the next value. On non-OpenSSL TLS libraries an
# EAP method init failure is accepted instead.
# NOTE(review): the `if` guards preceding the "... timed out" raise
# statements, and the early return that presumably follows the
# "altsubject_match not supported" log line, are not present in this listing.
1465 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1466 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1467 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1468 password="password", phase2="auth=MSCHAPV2",
1469 ca_cert="auth_serv/ca.pem",
1470 altsubject_match=match,
1471 wait_connect=False, scan_freq="2412")
1473 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1475 raise Exception("Association and EAP start timed out")
1477 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1478 "EAP: Failed to initialize EAP method"], timeout=10)
1480 raise Exception("EAP method selection timed out")
# With OpenSSL the option must be accepted; an init failure there is a real error.
1481 if "EAP: Failed to initialize EAP method" in ev:
1482 tls = dev[0].request("GET tls_library")
1483 if tls.startswith("OpenSSL"):
1484 raise Exception("Failed to select EAP method")
1485 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1487 if "TTLS" not in ev:
1488 raise Exception("Unexpected EAP method")
# Any success/connect event here would mean the altSubjectName check was bypassed.
1490 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1491 "CTRL-EVENT-EAP-SUCCESS",
1492 "CTRL-EVENT-EAP-FAILURE",
1493 "CTRL-EVENT-CONNECTED",
1494 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1496 raise Exception("EAP result timed out")
1497 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1498 raise Exception("TLS certificate error not reported")
1499 if "AltSubject mismatch" not in ev:
1500 raise Exception("altsubject mismatch not reported")
1502 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1503 "CTRL-EVENT-EAP-FAILURE",
1504 "CTRL-EVENT-CONNECTED",
1505 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1507 raise Exception("EAP result(2) timed out")
1508 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1509 raise Exception("EAP failure not reported")
1511 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1512 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1514 raise Exception("EAP result(3) timed out")
1515 if "CTRL-EVENT-DISCONNECTED" not in ev:
1516 raise Exception("Disconnection not reported")
1518 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1520 raise Exception("Network block disabling not reported")
# Clean up so the next altsubject_match value starts from an empty config.
1522 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Only the server is authenticated (no client certificate is configured);
    the station connects and then reauthenticates once.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "UNAUTH-TLS"
    eap_connect(dev[0], ap, method, "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
# Server certificate pinning by hash, in three steps:
#  1. ca_cert="probe://" - the connection is not completed; the peer
#     certificate event at depth 0 must report the expected hash and the
#     TLS error must say "Server certificate chain probe".
#  2. ca_cert="hash://server/sha256/<other hash>" - must be rejected with
#     "Server certificate mismatch".
#  3. ca_cert="hash://server/sha256/<expected hash>" - must connect.
# NOTE(review): the `if` guards preceding the "... timed out" / "No peer
# server certificate event seen" raise statements are not present in this
# listing (presumably ev is None).
1532 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1533 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1534 check_cert_probe_support(dev[0])
# SHA-256 fingerprint of the test server certificate in auth_serv/.
1535 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1536 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1537 hostapd.add_ap(apdev[0]['ifname'], params)
1538 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1539 identity="probe", ca_cert="probe://",
1540 wait_connect=False, scan_freq="2412")
1541 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1543 raise Exception("Association and EAP start timed out")
1544 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1546 raise Exception("No peer server certificate event seen")
1547 if "hash=" + srv_cert_hash not in ev:
1548 raise Exception("Expected server certificate hash not reported")
1549 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1551 raise Exception("EAP result timed out")
1552 if "Server certificate chain probe" not in ev:
1553 raise Exception("Server certificate probe not reported")
1554 dev[0].wait_disconnected(timeout=10)
1555 dev[0].request("REMOVE_NETWORK all")
# A syntactically valid but wrong pin must be rejected, not ignored.
1557 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1558 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1559 password="password", phase2="auth=MSCHAPV2",
1560 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1561 wait_connect=False, scan_freq="2412")
1562 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1564 raise Exception("Association and EAP start timed out")
1565 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1567 raise Exception("EAP result timed out")
1568 if "Server certificate mismatch" not in ev:
1569 raise Exception("Server certificate mismatch not reported")
1570 dev[0].wait_disconnected(timeout=10)
1571 dev[0].request("REMOVE_NETWORK all")
1573 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1574 anonymous_identity="ttls", password="password",
1575 ca_cert="hash://server/sha256/" + srv_cert_hash,
1576 phase2="auth=MSCHAPV2")
# Malformed hash:// pins must be rejected at EAP method initialisation
# rather than silently weakening validation: an unsupported hash type
# (md5), a hash that is too short, and a hash with a non-hex character ('Q').
# NOTE(review): the `if` guards preceding the two raise statements in the
# loop are not present in this listing (presumably ev is None).
1578 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1579 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1580 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1581 hostapd.add_ap(apdev[0]['ifname'], params)
1582 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1583 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1584 password="password", phase2="auth=MSCHAPV2",
1585 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1586 wait_connect=False, scan_freq="2412")
1587 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1588 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1589 password="password", phase2="auth=MSCHAPV2",
1590 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1591 wait_connect=False, scan_freq="2412")
1592 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1593 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1594 password="password", phase2="auth=MSCHAPV2",
1595 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1596 wait_connect=False, scan_freq="2412")
1597 for i in range(0, 3):
1598 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1600 raise Exception("Association and EAP start timed out")
1601 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1603 raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers the positive path (connect and reauthenticate), a long NAI-style
    identity on dev[1] and dev[0], and a negative case on dev[2] where the
    password differs by one character and the method must fail with the
    failure reported locally (local_error_report=True).

    NOTE(review): the closing argument lines of the two long-identity
    eap_connect calls are absent from this listing; code is reproduced as
    visible.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")
    # long identity: exercises identity length handling in the exchange
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    logger.info("Negative test with incorrect password")
    # a wrong password must fail, never fall through to a connected state
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Reconfigures the AP once per group id (19, 20, 21, 25, 26 - presumably
    the IANA IKE ECC group numbers; confirm against the EAP-pwd
    implementation) and verifies a fresh connection for each.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for i in [ 19, 20, 21, 25, 26 ]:
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        # drop the previous profile so each group is negotiated from scratch
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The server is configured with pwd_group 0, which is not a usable group;
    the station must end in CTRL-EVENT-EAP-FAILURE rather than completing
    the exchange.

    NOTE(review): the ``if ev is None:`` guard before the raise is absent
    from this listing; code is reproduced as visible.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size 40 on the server forces the authentication server to
    split EAP-pwd messages so the client's reassembly path is exercised.
    """
    check_eap_capa(dev[0], "PWD")
    # NOTE(review): this assignment is dead - it is overwritten on the next line
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    After a normal connect/reauth, forces each supported ciphersuite via
    phase1 "cipher=1" / "cipher=2" and expects EAP success; an unknown
    "cipher=9" must produce EAP failure. Finally a wrong PSK must fail.

    NOTE(review): the ``if ev is None:`` guards before the raise statements
    are absent from this listing; code is reproduced as visible.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # network id is kept so phase1 can be changed on the same profile
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")
    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)
    logger.info("Test failed algorithm negotiation")
    # an unsupported ciphersuite must not be silently replaced by a default
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP failure timed out")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive connect/reauth with a 32-byte hex key, then a negative case
    where only the first byte of the key differs - the method must fail.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    After connect/reauth, forces several DH group / encryption / PRF / MAC
    combinations via phase1 and expects success for each; an all-unknown
    proposal ("dhgroup=9 encr=9 prf=9 mac=9") must fail. A wrong password
    must also fail.

    NOTE(review): the ``if ev is None:`` guards before the raise statements
    are absent from this listing; code is reproduced as visible.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")
    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)
    logger.info("Test failed algorithm negotiation")
    # no mutually acceptable proposal: must fail rather than downgrade
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP failure timed out")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connect/reauth, then reconnect with client-side fragment_size 50 to
    exercise fragmentation on the peer side, then a wrong password that
    must fail.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # small fragment size forces the station to fragment its own messages
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size 50 on the server side forces the authentication server
    to fragment, exercising the station's reassembly path.
    """
    # NOTE(review): this assignment is dead - it is overwritten on the next line
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Positive connect/reauth with a 16-byte hex key, then a negative case
    where the first key byte differs - the method must fail.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for the SHA256 AKM (WPA-EAP-SHA256) with PMF
    required (ieee80211w=2). Verifies the negotiated AKM through the MIB
    (suite 00-0f-ac-5) and the BSS flags, then a wrong key must fail.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # both requested and selected AKM must be the SHA256 802.1X suite
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not RSN) variant: the MIB must show the WPA vendor AKM 00-50-f2-1
    and STATUS-VERBOSE must expose portControl=Auto and an EAP Session-Id
    whose first byte is 0x19 (presumably the PEAP EAP type 25 - verify
    against the Session-Id derivation).

    NOTE(review): the closing argument line of the connect call is absent
    from this listing; code is reproduced as visible.
    """
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each tuple is (description, eap, anonymous_identity, identity, phase2,
    identity to supply on CTRL-REQ-IDENTITY or None, password to supply on
    CTRL-REQ-PASSWORD/CTRL-REQ-OTP). The credentials are delivered over the
    control interface in response to the supplicant's requests instead of
    being stored in the network profile.

    NOTE(review): several lines are absent from this listing (the last
    element of the first tuple, the ``if ev is None:`` guards, and -
    presumably - a conditional that skips the identity prompt when req_id
    is None); code is reproduced as visible.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): hapd is not used in the visible body
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            raise Exception("Request for identity timed out")
        # the request id is the trailing number of the CTRL-REQ-<type>-<id> token
        # (NOTE(review): 'id' shadows the builtin)
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # answer with the matching response type (NOTE(review): 'type' shadows the builtin)
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Exercises the expanded (vendor-specific) EAP type path with the
    built-in VENDOR-TEST method, including reauthentication.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1 "fast_provisioning=1" allows the PAC to be provisioned over an
    anonymous tunnel; the PAC is stored in the named blob. The reauth check
    on tls_session_reused confirms the provisioned PAC was actually used
    for the second authentication rather than a full handshake.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    res = eap_reauth(dev[0], "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text file under the test logdir and checks the
    file carries the expected header and a PAC-Key entry, then reconnects
    using that file. dev[1] repeats the flow with the binary PAC format.
    The PAC-Key is secret material, so both files are removed at the end.

    NOTE(review): the ``params`` argument (framework settings, used for
    'logdir') is rebound to the hostapd parameter dict two lines later.
    Several lines are absent from this listing (the ``data = f.read()``
    inside the with-block and the closing ``pac_file=`` argument lines of
    the later eap_connect calls); code is reproduced as visible.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # second connection without provisioning: must succeed from the stored PAC
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # same flow with the binary PAC format on dev[1]
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # the PAC files were written by the (privileged) supplicant; remove them
    # so the PAC-Key does not linger in the log directory
    subprocess.call(['sudo', 'rm', pac_file])
    subprocess.call(['sudo', 'rm', pac_file2])
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions with fast_pac_format=binary and fast_max_pac_list_len=1
    (a single PAC entry kept) into a blob, then checks reauthentication
    resumes the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    res = eap_reauth(dev[0], "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Neither profile enables provisioning: the first points at a blob that
    holds no PAC, the second has no pac_file at all. In both cases EAP-FAST
    has no credential to authenticate with and must report EAP failure
    rather than proceed.

    NOTE(review): the ``if ev is None:`` guards before the raise statements
    are absent from this listing; code is reproduced as visible.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # PAC blob configured but empty, and no fast_provisioning in phase1
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    # no pac_file at all
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1 "fast_provisioning=2" provisions the PAC only over a tunnel in
    which the server was authenticated with ca_cert (the safer provisioning
    mode). Reauth must then resume from the PAC (tls_session_reused=1).
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    res = eap_reauth(dev[0], "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes the station require a valid stapled OCSP response for the
    server certificate; with the default server configuration the
    connection is expected to succeed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Build hostapd parameters for the integrated EAP server.

    Unlike hostapd.wpa2_eap_params(), the CA, server certificate and
    private key are listed explicitly so callers can swap in alternative
    server certificates (expired, wrong EKU, no dNSName, PKCS#12) or add
    an OCSP stapling response.

    NOTE(review): the ``return params`` line is absent from this listing;
    code is reproduced as visible.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The server staples a corrupt OCSP response; with ocsp=2 the station
    must report 'bad certificate status response' in an EAP status event
    and then fail the authentication instead of accepting the certificate.

    NOTE(review): the status-polling loop around the wait_event call (its
    ``while``, counter and ``break`` lines) and the ``if ev is None:``
    guards are absent from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    # the bad-status event must arrive within a bounded number of status messages
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated OCSP response (from the test logdir) whose status
    is 'revoked'. With ocsp=2 the station must surface either 'bad
    certificate status response' or 'certificate revoked' in an EAP status
    event and then fail; skipped when the response file is not available.

    NOTE(review): the status-polling loop lines and the ``if ev is None:``
    guards are absent from this listing; code is reproduced as visible.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    Uses a pre-generated OCSP response whose status is 'unknown'. With
    ocsp=2 (valid response required) an unknown status is not good enough:
    the station must report 'bad certificate status response' and fail.
    Skipped when the response file is not available.

    NOTE(review): the status-polling loop lines and the ``if ev is None:``
    guards are absent from this listing; code is reproduced as visible.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same 'unknown' OCSP response as the strict variant, but with ocsp=1
    (request stapling, do not require a good response). connect() waits for
    completion here, so the expectation is that the connection succeeds
    despite the unknown status. Skipped when the response file is missing.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so domain_suffix_match is
    evaluated against the subject CN. The configured value is the full CN
    ("server3.w1.fi"), which every TLS backend is expected to accept.

    NOTE(review): the closing argument line of the connect call is absent
    from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    domain_match requires an exact (not suffix) match; with no dNSName in
    the server certificate it is compared against the subject CN.

    NOTE(review): the closing argument line of the connect call is absent
    from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A true suffix ("w1.fi") is matched against the CN of a certificate
    without a dNSName. check_domain_match_full() skips the test on TLS
    libraries where domain_suffix_match only supports a full match.

    NOTE(review): the closing argument line of the connect call is absent
    from this listing; code is reproduced as visible.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two negative cases against a CN-only certificate: an unrelated domain
    ("example.com") and a string that is a character-level suffix of the
    CN but not a label-boundary suffix ("erver3.w1.fi"). Both must end in
    EAP failure - the second guards against substring matching being
    accepted as a domain match.

    NOTE(review): the closing argument lines of the connect calls and the
    ``if ev is None:`` guards are absent from this listing; code is
    reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    # not a label-boundary suffix of server3.w1.fi: must be rejected
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact-match check: an unrelated domain
    ("example.com") and the parent domain ("w1.fi", which would satisfy a
    suffix match) must both be rejected with EAP failure.

    NOTE(review): the closing argument lines of the connect calls and the
    ``if ev is None:`` guards are absent from this listing; code is
    reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
    # parent domain only: exact match must not degrade into a suffix match
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate; the station must emit a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired", and then fail the authentication.

    NOTE(review): the closing argument lines of the connect call and the
    ``if ev is None:`` guards are absent from this listing; code is
    reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
        raise Exception("Timeout on EAP certificate error report")
    # both the numeric reason and the human-readable text are pinned
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate, but phase1 "tls_disable_time_checks=1"
    turns off validity-period checking so the connection is expected to
    complete. This is a deliberate weakening of certificate validation and
    is only appropriate for controlled test or diagnostic setups.

    NOTE(review): the closing argument lines of the connect call are absent
    from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only a client-authentication Extended
    Key Usage. A certificate not authorized for server use must not be
    accepted as the TLS server, so the expected outcome is EAP failure.

    NOTE(review): the closing argument lines of the connect call and the
    ``if ev is None:`` guard are absent from this listing; code is
    reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    The server certificate lists both client- and server-authentication
    EKUs; since serverAuth is present the certificate is acceptable and,
    unlike the client-only EKU case, no failure is waited for (the
    connect call's completion lines are outside this listing).

    NOTE(review): the closing argument lines of the connect call are absent
    from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server loads its certificate and key from a single PKCS#12 bundle
    (server_cert is removed, private_key points at the .pkcs12 file).

    NOTE(review): the closing argument lines of the connect call are absent
    from this listing; code is reproduced as visible.
    """
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    Supplies explicit DH parameters from a file (dh_file) and uses the DER
    form of the CA certificate; the tunnel uses CHAP as the inner method.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    Same as the file-based variant, but the DH parameters are pushed into
    a named blob over the control interface and referenced as
    dh_file="blob://dhparams".
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dh = read_pem("auth_serv/dh.conf")
    # NOTE(review): str.encode("hex") is a Python 2 codec; under Python 3
    # this would need binascii.hexlify() (or bytes.hex()) on the bytes value
    if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes the AP trigger EAP reauthentication two
    seconds after the initial PAX authentication. The test waits for the
    new EAP start and success events, then polls wpa_state until the
    station is back in COMPLETED.

    NOTE(review): the ``if ev is None:`` guards, the ``break`` inside the
    polling loop and the sleep between polls are absent from this listing;
    code is reproduced as visible.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("Timeout on reauthentication")
    # bounded poll: the state must return to COMPLETED after the new 4-way handshake
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is a displayable string followed by a NUL and
    an attribute list ("networkid=...,nasid=...,portid=...,NAIRealms=...").
    The station must still authenticate normally with the extra payload
    present in the Request-Identity.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The server enables eap_sim_aka_result_ind and uses the hlr_auc_gw
    simulator (skipped when its socket is absent). For each of EAP-SIM,
    EAP-AKA and EAP-AKA', dev[0] requests the protected result indication
    (phase1 "result_ind=1") and reauthenticates, while dev[1] connects
    without requesting it; both must succeed. The password strings are
    test-only Ki/OPc (and SQN for AKA) material for the simulator.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="result_ind=1")
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA")
    eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                phase1="result_ind=1")
    eap_reauth(dev[0], "AKA'")
    eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
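def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    An EAP-TTLS/MSCHAP connection is attempted with a tiny fragment_size so
    the TLS handshake is split into far more EAP Request/Response roundtrips
    than the wpa_supplicant EAP peer allows.  The peer must give up and
    report an "EAP: more than ..." event instead of continuing indefinitely.
    The wait_event() result is checked for None before raising.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # A minimal fragment size forces the roundtrip limit.
                   fragment_size="4")
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    if ev is None:
        raise Exception("EAP roundtrip limit not reached")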
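def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity is expected to make the test server propose
    an expanded (vendor-specific) EAP method that the station does not
    support.  The station must refuse the proposed method with an expanded
    NAK - reported as a "refuse proposed method" EAP status - and the
    exchange must end in an EAP failure rather than a hang or a success.
    Every wait_event() result is checked for None before it is used.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   scan_freq="2412", wait_connect=False)

    # Other status events may precede the refusal; allow a handful of them.
    refused = False
    ev = None
    for _ in range(5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            refused = True
            break
    if not refused:
        raise Exception("Unexpected EAP status: " + ev)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")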
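def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a small SQLite user database under the test log directory, points
    hostapd's integrated EAP server at it with eap_user_file=sqlite:<path>
    and verifies that the four TTLS inner methods (MSCHAPV2, MSCHAP, CHAP,
    PAP) authenticate their respective users.  The empty-identity row in the
    wildcards table selects the outer TTLS/TLS method for the anonymous
    phase 1 identity.

    The function parameter `params` (test-run settings such as logdir) is
    left untouched; the AP configuration is kept in a separate local so the
    two are not confused.
    """
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a fresh database; a leftover file from an earlier run would
    # make the CREATE TABLE statements fail.
    try:
        os.remove(dbfile)
    except OSError:
        pass

    # Every statement below is a constant string; nothing is built from
    # external input, so plain execute() without parameters is appropriate.
    con = sqlite3.connect(dbfile)
    try:
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        con.close()

    ap_params = int_eap_server_params()
    ap_params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    dev[0].request("REMOVE_NETWORK all")
    dev[1].request("REMOVE_NETWORK all")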
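def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Two stations use identities containing a byte outside ASCII ("\\x80"
    and "a\\x80") against the integrated EAP server.  The EAP identity is
    an opaque octet string, so such bytes should be passed through rather
    than rejected or mangled.  Only the start of EAP and the selection of a
    method are verified for each station; the outcome of the authentication
    itself is not checked.  Each wait_event() result is checked for None
    before raising.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")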
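def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same check as test_ap_wpa2_eap_non_ascii_identity but against the
    default wpa2_eap_params() AP configuration instead of the integrated
    EAP server parameters.  Two stations use identities containing a byte
    outside ASCII ("\\x80" and "a\\x80"); only the start of EAP and the
    selection of a method are verified, and each wait_event() result is
    checked for None before raising.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")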
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    dev[0] restricts its TLS offer to AES128 suites and must still complete
    EAP-TTLS/PAP.  dev[1] offers only EXPORT-grade suites, which the server
    must not accept, so that attempt is expected to fail.  Skipped unless
    wpa_supplicant is built against OpenSSL, since openssl_ciphers only
    applies there.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    # Export-grade suites are weak by design; the handshake must not succeed.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is limited to AES256 suites.  A station with
    default ciphers and one restricted to HIGH:!ADH must connect; a station
    that only offers AES128 has no suite in common with the server and must
    fail.  Both wpa_supplicant and hostapd have to be built against OpenSSL
    for the openssl_ciphers setting to be meaningful, so the test is
    skipped otherwise.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client ciphers include AES256 -> success.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # AES128-only client vs AES256-only server -> no common suite.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH without anonymous DH still contains AES256 -> success.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2499 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
2500 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
2501 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2502 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
2503 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
2504 pid = find_wpas_process(dev[0])
2505 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
2506 anonymous_identity="ttls", password=password,
2507 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2509 buf = read_process_memory(pid, password)
2511 dev[0].request("DISCONNECT")
2512 dev[0].wait_disconnected()
2520 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
2521 for l in f.readlines():
2522 if "EAP-TTLS: Derived key - hexdump" in l:
2523 val = l.strip().split(':')[3].replace(' ', '')
2524 msk = binascii.unhexlify(val)
2525 if "EAP-TTLS: Derived EMSK - hexdump" in l:
2526 val = l.strip().split(':')[3].replace(' ', '')
2527 emsk = binascii.unhexlify(val)
2528 if "WPA: PMK - hexdump" in l:
2529 val = l.strip().split(':')[3].replace(' ', '')
2530 pmk = binascii.unhexlify(val)
2531 if "WPA: PTK - hexdump" in l:
2532 val = l.strip().split(':')[3].replace(' ', '')
2533 ptk = binascii.unhexlify(val)
2534 if "WPA: Group Key - hexdump" in l:
2535 val = l.strip().split(':')[3].replace(' ', '')
2536 gtk = binascii.unhexlify(val)
2537 if not msk or not emsk or not pmk or not ptk or not gtk:
2538 raise Exception("Could not find keys from debug log")
2540 raise Exception("Unexpected GTK length")
2546 fname = os.path.join(params['logdir'],
2547 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
2549 logger.info("Checking keys in memory while associated")
2550 get_key_locations(buf, password, "Password")
2551 get_key_locations(buf, pmk, "PMK")
2552 get_key_locations(buf, msk, "MSK")
2553 get_key_locations(buf, emsk, "EMSK")
2554 if password not in buf:
2555 raise HwsimSkip("Password not found while associated")
2557 raise HwsimSkip("PMK not found while associated")
2559 raise Exception("KCK not found while associated")
2561 raise Exception("KEK not found while associated")
2563 raise Exception("TK found from memory")
2565 raise Exception("GTK found from memory")
2567 logger.info("Checking keys in memory after disassociation")
2568 buf = read_process_memory(pid, password)
2570 # Note: Password is still present in network configuration
2571 # Note: PMK is in PMKSA cache and EAP fast re-auth data
2573 get_key_locations(buf, password, "Password")
2574 get_key_locations(buf, pmk, "PMK")
2575 get_key_locations(buf, msk, "MSK")
2576 get_key_locations(buf, emsk, "EMSK")
2577 verify_not_present(buf, kck, fname, "KCK")
2578 verify_not_present(buf, kek, fname, "KEK")
2579 verify_not_present(buf, tk, fname, "TK")
2580 verify_not_present(buf, gtk, fname, "GTK")
2582 dev[0].request("PMKSA_FLUSH")
2583 dev[0].set_network_quoted(id, "identity", "foo")
2584 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
2585 buf = read_process_memory(pid, password)
2586 get_key_locations(buf, password, "Password")
2587 get_key_locations(buf, pmk, "PMK")
2588 get_key_locations(buf, msk, "MSK")
2589 get_key_locations(buf, emsk, "EMSK")
2590 verify_not_present(buf, pmk, fname, "PMK")
2592 dev[0].request("REMOVE_NETWORK all")
2594 logger.info("Checking keys in memory after network profile removal")
2595 buf = read_process_memory(pid, password)
2597 get_key_locations(buf, password, "Password")
2598 get_key_locations(buf, pmk, "PMK")
2599 get_key_locations(buf, msk, "MSK")
2600 get_key_locations(buf, emsk, "EMSK")
2601 verify_not_present(buf, password, fname, "password")
2602 verify_not_present(buf, pmk, fname, "PMK")
2603 verify_not_present(buf, kck, fname, "KCK")
2604 verify_not_present(buf, kek, fname, "KEK")
2605 verify_not_present(buf, tk, fname, "TK")
2606 verify_not_present(buf, gtk, fname, "GTK")
2607 verify_not_present(buf, msk, fname, "MSK")
2608 verify_not_present(buf, emsk, fname, "EMSK")
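def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection an EAPOL-Key frame with the
    legacy RC4 key descriptor (type 1, i.e. the pre-WPA/WEP keying frame)
    is injected through the EAPOL_RX control interface command as if it
    came from the AP.  On a WPA2 association such a frame is not valid and
    wpa_supplicant drops it.  The test verifies that the injection command
    itself is accepted (and hence that the frame reaches the EAPOL code);
    the result string is checked before raising.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # EAPOL version 2, type 3 (EAPOL-Key), body length 0x2c, key descriptor
    # type 1 (RC4/WEP), remaining fields zero.  Send unexpected WEP
    # EAPOL-Key; this gets dropped.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")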