1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
18 from utils import HwsimSkip
19 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' tests in this file rely on hostapd's hlr_auc_gw
    helper (the simulated HLR/AuC that holds the GSM/Milenage test keys)
    listening on a fixed path under /tmp.  Only the existence of that path
    is tested, not that the node really is a UNIX socket, so a stray regular
    file of the same name would let the tests run and then fail instead of
    being skipped.

    Raises:
        HwsimSkip: when the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
25 def check_eap_capa(dev, method):
26 res = dev.get_capability("eap")
28 raise HwsimSkip("EAP method %s not supported in the build" % method)
31 with open(fname, "r") as f:
42 return base64.b64decode(cert)
44 def eap_connect(dev, ap, method, identity,
45 sha256=False, expect_failure=False, local_error_report=False,
47 hapd = hostapd.Hostapd(ap['ifname'])
48 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
49 eap=method, identity=identity,
50 wait_connect=False, scan_freq="2412", ieee80211w="1",
52 eap_check_auth(dev, method, True, sha256=sha256,
53 expect_failure=expect_failure,
54 local_error_report=local_error_report)
57 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
59 raise Exception("No connection event received from hostapd")
62 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
63 expect_failure=False, local_error_report=False):
64 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
66 raise Exception("Association and EAP start timed out")
67 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
69 raise Exception("EAP method selection timed out")
71 raise Exception("Unexpected EAP method")
73 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
75 raise Exception("EAP failure timed out")
76 ev = dev.wait_disconnected(timeout=10)
77 if not local_error_report:
78 if "reason=23" not in ev:
79 raise Exception("Proper reason code for disconnection not reported")
81 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
83 raise Exception("EAP success timed out")
86 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
88 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
90 raise Exception("Association with the AP timed out")
91 status = dev.get_status()
92 if status["wpa_state"] != "COMPLETED":
93 raise Exception("Connection not completed")
95 if status["suppPortStatus"] != "Authorized":
96 raise Exception("Port not authorized")
97 if method not in status["selectedMethod"]:
98 raise Exception("Incorrect EAP method status")
100 e = "WPA2-EAP-SHA256"
102 e = "WPA2/IEEE 802.1X/EAP"
104 e = "WPA/IEEE 802.1X/EAP"
105 if status["key_mgmt"] != e:
106 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP re-authentication on *dev* and verify its outcome.

    Issues REAUTHENTICATE over the wpa_supplicant control interface and then
    delegates to eap_check_auth() with initial=False, i.e. the station is
    expected to be associated already.  rsn/sha256 pick the key_mgmt string
    that eap_check_auth() requires in STATUS afterwards; with
    expect_failure=True an EAP failure is awaited instead of a success.
    local_error_report is not exposed here, so on an expected failure
    eap_check_auth() also insists on the default disconnect reason code.

    Returns:
        The result of eap_check_auth().
    """
    # Start a fresh EAP exchange without tearing down the association.
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
114 def test_ap_wpa2_eap_sim(dev, apdev):
115 """WPA2-Enterprise connection using EAP-SIM"""
116 check_hlr_auc_gw_support()
117 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
118 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
119 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
120 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
121 hwsim_utils.test_connectivity(dev[0], hapd)
122 eap_reauth(dev[0], "SIM")
124 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
125 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
126 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
127 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
130 logger.info("Negative test with incorrect key")
131 dev[0].request("REMOVE_NETWORK all")
132 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
133 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
136 logger.info("Invalid GSM-Milenage key")
137 dev[0].request("REMOVE_NETWORK all")
138 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
139 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
142 logger.info("Invalid GSM-Milenage key(2)")
143 dev[0].request("REMOVE_NETWORK all")
144 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
145 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
148 logger.info("Invalid GSM-Milenage key(3)")
149 dev[0].request("REMOVE_NETWORK all")
150 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
151 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
154 logger.info("Invalid GSM-Milenage key(4)")
155 dev[0].request("REMOVE_NETWORK all")
156 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
157 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
160 logger.info("Missing key configuration")
161 dev[0].request("REMOVE_NETWORK all")
162 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
165 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
166 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
167 check_hlr_auc_gw_support()
171 raise HwsimSkip("No sqlite3 module available")
172 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
173 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
174 params['auth_server_port'] = "1814"
175 hostapd.add_ap(apdev[0]['ifname'], params)
176 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
177 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
179 logger.info("SIM fast re-authentication")
180 eap_reauth(dev[0], "SIM")
182 logger.info("SIM full auth with pseudonym")
185 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
186 eap_reauth(dev[0], "SIM")
188 logger.info("SIM full auth with permanent identity")
191 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
192 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
193 eap_reauth(dev[0], "SIM")
195 logger.info("SIM reauth with mismatching MK")
198 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
199 eap_reauth(dev[0], "SIM", expect_failure=True)
200 dev[0].request("REMOVE_NETWORK all")
202 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
203 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
206 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
210 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
211 logger.info("SIM reauth with mismatching counter")
212 eap_reauth(dev[0], "SIM")
213 dev[0].request("REMOVE_NETWORK all")
215 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
216 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
219 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
220 logger.info("SIM reauth with max reauth count reached")
221 eap_reauth(dev[0], "SIM")
223 def test_ap_wpa2_eap_sim_config(dev, apdev):
224 """EAP-SIM configuration options"""
225 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
226 hostapd.add_ap(apdev[0]['ifname'], params)
227 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
228 identity="1232010000000000",
229 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
230 phase1="sim_min_num_chal=1",
231 wait_connect=False, scan_freq="2412")
232 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
234 raise Exception("No EAP error message seen")
235 dev[0].request("REMOVE_NETWORK all")
237 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
238 identity="1232010000000000",
239 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
240 phase1="sim_min_num_chal=4",
241 wait_connect=False, scan_freq="2412")
242 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
244 raise Exception("No EAP error message seen (2)")
245 dev[0].request("REMOVE_NETWORK all")
247 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
248 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
249 phase1="sim_min_num_chal=2")
250 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
251 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
252 anonymous_identity="345678")
254 def test_ap_wpa2_eap_sim_ext(dev, apdev):
255 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
257 _test_ap_wpa2_eap_sim_ext(dev, apdev)
259 dev[0].request("SET external_sim 0")
261 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
262 check_hlr_auc_gw_support()
263 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
264 hostapd.add_ap(apdev[0]['ifname'], params)
265 dev[0].request("SET external_sim 1")
266 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
267 identity="1232010000000000",
268 wait_connect=False, scan_freq="2412")
269 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
271 raise Exception("Network connected timed out")
273 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
275 raise Exception("Wait for external SIM processing request timed out")
277 if p[1] != "GSM-AUTH":
278 raise Exception("Unexpected CTRL-REQ-SIM type")
279 rid = p[0].split('-')[3]
282 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
283 # This will fail during processing, but the ctrl_iface command succeeds
284 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
285 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
287 raise Exception("EAP failure not reported")
288 dev[0].request("DISCONNECT")
290 dev[0].select_network(id, freq="2412")
291 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
293 raise Exception("Wait for external SIM processing request timed out")
295 if p[1] != "GSM-AUTH":
296 raise Exception("Unexpected CTRL-REQ-SIM type")
297 rid = p[0].split('-')[3]
298 # This will fail during GSM auth validation
299 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
300 raise Exception("CTRL-RSP-SIM failed")
301 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
303 raise Exception("EAP failure not reported")
304 dev[0].request("DISCONNECT")
306 dev[0].select_network(id, freq="2412")
307 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
309 raise Exception("Wait for external SIM processing request timed out")
311 if p[1] != "GSM-AUTH":
312 raise Exception("Unexpected CTRL-REQ-SIM type")
313 rid = p[0].split('-')[3]
314 # This will fail during GSM auth validation
315 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
316 raise Exception("CTRL-RSP-SIM failed")
317 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
319 raise Exception("EAP failure not reported")
320 dev[0].request("DISCONNECT")
322 dev[0].select_network(id, freq="2412")
323 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
325 raise Exception("Wait for external SIM processing request timed out")
327 if p[1] != "GSM-AUTH":
328 raise Exception("Unexpected CTRL-REQ-SIM type")
329 rid = p[0].split('-')[3]
330 # This will fail during GSM auth validation
331 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
332 raise Exception("CTRL-RSP-SIM failed")
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
338 dev[0].select_network(id, freq="2412")
339 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
341 raise Exception("Wait for external SIM processing request timed out")
343 if p[1] != "GSM-AUTH":
344 raise Exception("Unexpected CTRL-REQ-SIM type")
345 rid = p[0].split('-')[3]
346 # This will fail during GSM auth validation
347 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
348 raise Exception("CTRL-RSP-SIM failed")
349 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
351 raise Exception("EAP failure not reported")
352 dev[0].request("DISCONNECT")
354 dev[0].select_network(id, freq="2412")
355 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
357 raise Exception("Wait for external SIM processing request timed out")
359 if p[1] != "GSM-AUTH":
360 raise Exception("Unexpected CTRL-REQ-SIM type")
361 rid = p[0].split('-')[3]
362 # This will fail during GSM auth validation
363 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
364 raise Exception("CTRL-RSP-SIM failed")
365 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
367 raise Exception("EAP failure not reported")
368 dev[0].request("DISCONNECT")
370 dev[0].select_network(id, freq="2412")
371 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
373 raise Exception("Wait for external SIM processing request timed out")
375 if p[1] != "GSM-AUTH":
376 raise Exception("Unexpected CTRL-REQ-SIM type")
377 rid = p[0].split('-')[3]
378 # This will fail during GSM auth validation
379 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
380 raise Exception("CTRL-RSP-SIM failed")
381 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
383 raise Exception("EAP failure not reported")
385 def test_ap_wpa2_eap_aka(dev, apdev):
386 """WPA2-Enterprise connection using EAP-AKA"""
387 check_hlr_auc_gw_support()
388 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
389 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
390 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
391 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
392 hwsim_utils.test_connectivity(dev[0], hapd)
393 eap_reauth(dev[0], "AKA")
395 logger.info("Negative test with incorrect key")
396 dev[0].request("REMOVE_NETWORK all")
397 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
398 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
401 logger.info("Invalid Milenage key")
402 dev[0].request("REMOVE_NETWORK all")
403 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
404 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
407 logger.info("Invalid Milenage key(2)")
408 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
409 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
412 logger.info("Invalid Milenage key(3)")
413 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
414 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
417 logger.info("Invalid Milenage key(4)")
418 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
419 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
422 logger.info("Invalid Milenage key(5)")
423 dev[0].request("REMOVE_NETWORK all")
424 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
425 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
428 logger.info("Invalid Milenage key(6)")
429 dev[0].request("REMOVE_NETWORK all")
430 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
431 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
434 logger.info("Missing key configuration")
435 dev[0].request("REMOVE_NETWORK all")
436 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
439 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
440 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
441 check_hlr_auc_gw_support()
445 raise HwsimSkip("No sqlite3 module available")
446 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
447 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
448 params['auth_server_port'] = "1814"
449 hostapd.add_ap(apdev[0]['ifname'], params)
450 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
451 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
453 logger.info("AKA fast re-authentication")
454 eap_reauth(dev[0], "AKA")
456 logger.info("AKA full auth with pseudonym")
459 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
460 eap_reauth(dev[0], "AKA")
462 logger.info("AKA full auth with permanent identity")
465 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
466 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
467 eap_reauth(dev[0], "AKA")
469 logger.info("AKA reauth with mismatching MK")
472 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
473 eap_reauth(dev[0], "AKA", expect_failure=True)
474 dev[0].request("REMOVE_NETWORK all")
476 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
477 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
480 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
481 eap_reauth(dev[0], "AKA")
484 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
485 logger.info("AKA reauth with mismatching counter")
486 eap_reauth(dev[0], "AKA")
487 dev[0].request("REMOVE_NETWORK all")
489 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
490 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
493 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
494 logger.info("AKA reauth with max reauth count reached")
495 eap_reauth(dev[0], "AKA")
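def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Like the other EAP-AKA tests, this needs the hlr_auc_gw helper to
    # answer the Milenage challenge; without this guard a missing gateway
    # turns into a test failure instead of a skip.
    check_hlr_auc_gw_support()
    # Permanent subscriber identity (the leading digit is the EAP-AKA
    # permanent-identity prefix; the SIM tests use a "1..." identity) and
    # the Ki:OPc:SQN test vector shared with the other EAP-AKA tests.
    permanent_id = "0232010000000000"
    milenage = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # anonymous_identity is what the station puts in its unprotected
    # EAP-Response/Identity; the permanent identity is only revealed once the
    # server asks for it.
    eap_connect(dev[0], apdev[0], "AKA", permanent_id,
                password=milenage,
                anonymous_identity="2345678")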
505 def test_ap_wpa2_eap_aka_ext(dev, apdev):
506 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
508 _test_ap_wpa2_eap_aka_ext(dev, apdev)
510 dev[0].request("SET external_sim 0")
512 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
513 check_hlr_auc_gw_support()
514 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
515 hostapd.add_ap(apdev[0]['ifname'], params)
516 dev[0].request("SET external_sim 1")
517 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
518 identity="0232010000000000",
519 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
520 wait_connect=False, scan_freq="2412")
521 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
523 raise Exception("Network connected timed out")
525 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
527 raise Exception("Wait for external SIM processing request timed out")
529 if p[1] != "UMTS-AUTH":
530 raise Exception("Unexpected CTRL-REQ-SIM type")
531 rid = p[0].split('-')[3]
534 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
535 # This will fail during processing, but the ctrl_iface command succeeds
536 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
539 raise Exception("EAP failure not reported")
540 dev[0].request("DISCONNECT")
542 dev[0].request("REASSOCIATE")
543 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
545 raise Exception("Wait for external SIM processing request timed out")
547 if p[1] != "UMTS-AUTH":
548 raise Exception("Unexpected CTRL-REQ-SIM type")
549 rid = p[0].split('-')[3]
550 # This will fail during UMTS auth validation
551 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp):
552 raise Exception("CTRL-RSP-SIM failed")
553 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
555 raise Exception("EAP failure not reported")
556 dev[0].request("DISCONNECT")
558 dev[0].select_network(id, freq="2412")
559 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
561 raise Exception("Wait for external SIM processing request timed out")
563 if p[1] != "UMTS-AUTH":
564 raise Exception("Unexpected CTRL-REQ-SIM type")
565 rid = p[0].split('-')[3]
566 # This will fail during UMTS auth validation
567 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
568 raise Exception("CTRL-RSP-SIM failed")
569 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
571 raise Exception("Wait for external SIM processing request timed out")
573 if p[1] != "UMTS-AUTH":
574 raise Exception("Unexpected CTRL-REQ-SIM type")
575 rid = p[0].split('-')[3]
576 # This will fail during UMTS auth validation
577 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
578 raise Exception("CTRL-RSP-SIM failed")
579 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
581 raise Exception("EAP failure not reported")
582 dev[0].request("DISCONNECT")
584 dev[0].select_network(id, freq="2412")
585 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
587 raise Exception("Wait for external SIM processing request timed out")
589 if p[1] != "UMTS-AUTH":
590 raise Exception("Unexpected CTRL-REQ-SIM type")
591 rid = p[0].split('-')[3]
592 # This will fail during UMTS auth validation
593 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:34"):
594 raise Exception("CTRL-RSP-SIM failed")
595 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
597 raise Exception("EAP failure not reported")
598 dev[0].request("DISCONNECT")
600 dev[0].select_network(id, freq="2412")
601 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
603 raise Exception("Wait for external SIM processing request timed out")
605 if p[1] != "UMTS-AUTH":
606 raise Exception("Unexpected CTRL-REQ-SIM type")
607 rid = p[0].split('-')[3]
608 # This will fail during UMTS auth validation
609 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344"):
610 raise Exception("CTRL-RSP-SIM failed")
611 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
613 raise Exception("EAP failure not reported")
614 dev[0].request("DISCONNECT")
616 dev[0].select_network(id, freq="2412")
617 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
619 raise Exception("Wait for external SIM processing request timed out")
621 if p[1] != "UMTS-AUTH":
622 raise Exception("Unexpected CTRL-REQ-SIM type")
623 rid = p[0].split('-')[3]
624 # This will fail during UMTS auth validation
625 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344"):
626 raise Exception("CTRL-RSP-SIM failed")
627 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
629 raise Exception("EAP failure not reported")
630 dev[0].request("DISCONNECT")
632 dev[0].select_network(id, freq="2412")
633 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
635 raise Exception("Wait for external SIM processing request timed out")
637 if p[1] != "UMTS-AUTH":
638 raise Exception("Unexpected CTRL-REQ-SIM type")
639 rid = p[0].split('-')[3]
640 # This will fail during UMTS auth validation
641 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344"):
642 raise Exception("CTRL-RSP-SIM failed")
643 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
645 raise Exception("EAP failure not reported")
646 dev[0].request("DISCONNECT")
648 dev[0].select_network(id, freq="2412")
649 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
651 raise Exception("Wait for external SIM processing request timed out")
653 if p[1] != "UMTS-AUTH":
654 raise Exception("Unexpected CTRL-REQ-SIM type")
655 rid = p[0].split('-')[3]
656 # This will fail during UMTS auth validation
657 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344"):
658 raise Exception("CTRL-RSP-SIM failed")
659 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
661 raise Exception("EAP failure not reported")
662 dev[0].request("DISCONNECT")
664 dev[0].select_network(id, freq="2412")
665 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
667 raise Exception("Wait for external SIM processing request timed out")
669 if p[1] != "UMTS-AUTH":
670 raise Exception("Unexpected CTRL-REQ-SIM type")
671 rid = p[0].split('-')[3]
672 # This will fail during UMTS auth validation
673 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"):
674 raise Exception("CTRL-RSP-SIM failed")
675 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
677 raise Exception("EAP failure not reported")
679 def test_ap_wpa2_eap_aka_prime(dev, apdev):
680 """WPA2-Enterprise connection using EAP-AKA'"""
681 check_hlr_auc_gw_support()
682 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
683 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
684 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
685 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
686 hwsim_utils.test_connectivity(dev[0], hapd)
687 eap_reauth(dev[0], "AKA'")
689 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
690 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
691 identity="6555444333222111@both",
692 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
693 wait_connect=False, scan_freq="2412")
694 dev[1].wait_connected(timeout=15)
696 logger.info("Negative test with incorrect key")
697 dev[0].request("REMOVE_NETWORK all")
698 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
699 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
702 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
703 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
704 check_hlr_auc_gw_support()
708 raise HwsimSkip("No sqlite3 module available")
709 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
710 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
711 params['auth_server_port'] = "1814"
712 hostapd.add_ap(apdev[0]['ifname'], params)
713 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
714 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
716 logger.info("AKA' fast re-authentication")
717 eap_reauth(dev[0], "AKA'")
719 logger.info("AKA' full auth with pseudonym")
722 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
723 eap_reauth(dev[0], "AKA'")
725 logger.info("AKA' full auth with permanent identity")
728 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
729 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
730 eap_reauth(dev[0], "AKA'")
732 logger.info("AKA' reauth with mismatching k_aut")
735 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
736 eap_reauth(dev[0], "AKA'", expect_failure=True)
737 dev[0].request("REMOVE_NETWORK all")
739 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
740 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
743 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
744 eap_reauth(dev[0], "AKA'")
747 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
748 logger.info("AKA' reauth with mismatching counter")
749 eap_reauth(dev[0], "AKA'")
750 dev[0].request("REMOVE_NETWORK all")
752 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
753 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
756 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
757 logger.info("AKA' reauth with max reauth count reached")
758 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side before involving the station: the first
    # key_mgmt entry reported by GET_CONFIG has to be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the password in the clear inside the TLS tunnel, so the
    # server certificate checks (CA, subject and subjectAltName matching) are
    # the only thing keeping the credential away from a rogue AP.  The outer,
    # unprotected EAP identity is just "ttls"; "pap user" is only sent inside
    # the tunnel.
    subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    san_constraints = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=subject,
                altsubject_match=san_constraints)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested and
    # the selected AKM have to report it after the (re)authentication.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
777 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
778 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
781 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
782 anonymous_identity="ttls", password="wrong",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
785 eap_connect(dev[1], apdev[0], "TTLS", "user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Variation on the PAP test: the trust anchor is supplied as DER
    # (ca.der) instead of PEM, there is no subject_match, and the
    # altsubject_match entries are listed in a different order.  CHAP does
    # not put the password itself on the wire, but the server still needs the
    # cleartext password to verify the MD5 response, and the TLS tunnel is
    # what keeps the challenge/response pair away from an eavesdropper.
    san_constraints = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraints)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
801 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
802 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
803 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
804 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
805 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
806 anonymous_identity="ttls", password="wrong",
807 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
809 eap_connect(dev[1], apdev[0], "TTLS", "user",
810 anonymous_identity="ttls", password="password",
811 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
814 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
815 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
817 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
818 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
819 anonymous_identity="ttls", password="password",
820 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
821 domain_suffix_match="server.w1.fi")
822 hwsim_utils.test_connectivity(dev[0], hapd)
823 eap_reauth(dev[0], "TTLS")
824 dev[0].request("REMOVE_NETWORK all")
825 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
826 anonymous_identity="ttls", password="password",
827 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
830 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
831 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
# NOTE(review): gutter numbers skip 837, 841 and 845, so the line closing
# each of the three eap_connect() calls below is not in this listing.
832 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
833 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# dev[0]: known user, wrong password.
834 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
835 anonymous_identity="ttls", password="wrong",
836 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# dev[1]: correct credentials on the same AP.
838 eap_connect(dev[1], apdev[0], "TTLS", "user",
839 anonymous_identity="ttls", password="password",
840 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# dev[2]: identity that does not exist on the server side.
842 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
843 anonymous_identity="ttls", password="password",
844 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ap_ifname)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)

    # Snapshot the AP-side STA / EAPOL counters, re-authenticate, and then
    # confirm the counters reflect that a second EAP exchange took place.
    before = hapd.get_sta(sta.p2p_interface_addr())
    eapol_before = hapd.get_sta(sta.p2p_interface_addr(), info="eapol")
    eap_reauth(sta, "TTLS")
    after = hapd.get_sta(sta.p2p_interface_addr())
    eapol_after = hapd.get_sta(sta.p2p_interface_addr(), info="eapol")

    frames_rx = 'dot1xAuthEapolFramesRx'
    if not int(after[frames_rx]) > int(before[frames_rx]):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if not int(eapol_after['authAuthEapStartsWhileAuthenticated']) >= 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    successes = 'backendAuthSuccesses'
    if not int(eapol_after[successes]) > int(eapol_before[successes]):
        raise Exception("backendAuthSuccesses did not increase")

    # Same user, but the credential is supplied as a password hash
    # (password_hex="hash:...") instead of the clear-text password.
    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
876 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
877 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
# NOTE(review): gutter numbers skip 883 and 887, so the line closing each
# eap_connect() call below is not in this listing.
878 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
879 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# dev[0]: wrong password ("password1") for a known user.
880 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
881 anonymous_identity="ttls", password="password1",
882 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# dev[1]: correct credentials on the same AP.
884 eap_connect(dev[1], apdev[0], "TTLS", "user",
885 anonymous_identity="ttls", password="password",
886 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ap_ifname)
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # One station supplies a non-ASCII password as a literal string ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # ... the other supplies its credential as a precomputed hash.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # phase2 uses autheap= (an EAP method inside the TTLS tunnel) rather than
    # the auth= form used by the CHAP/MSCHAP tests in this file.
    eap_connect(sta, apdev[0], "TTLS", "user", anonymous_identity="ttls",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # EAP-MD5 is only acceptable here because it runs inside the TTLS tunnel
    # (autheap=); the outer TLS layer provides the server authentication.
    eap_connect(sta, apdev[0], "TTLS", "user", anonymous_identity="ttls",
                password="password", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
922 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
923 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
924 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
925 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Inner EAP-MSCHAPv2 (autheap=) with the correct password, then connectivity
# and a re-authentication.
926 eap_connect(dev[0], apdev[0], "TTLS", "user",
927 anonymous_identity="ttls", password="password",
928 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
929 hwsim_utils.test_connectivity(dev[0], hapd)
930 eap_reauth(dev[0], "TTLS")
932 logger.info("Negative test with incorrect password")
933 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): the line closing this call (gutter 937) is not in this
# listing; given the log line above it presumably requests expect_failure.
934 eap_connect(dev[0], apdev[0], "TTLS", "user",
935 anonymous_identity="ttls", password="password1",
936 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "password" for the inner EAP-AKA run is a colon-separated set of
    # SIM/AKA parameters (presumably Ki:OPc:SQN — confirm against the server
    # user file), not a human password.
    aka_creds = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                 "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same AKA credential string as the TTLS variant; here the inner method
    # is selected with phase2="auth=AKA" because PEAP always tunnels EAP.
    aka_creds = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                 "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_creds,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # EAP-FAST is a compile-time option; skip rather than fail without it.
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_creds = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                 "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # The PAC is kept in a named config blob so nothing is written to disk
    # during the test; fast_provisioning=2 presumably selects authenticated
    # provisioning (confirm against wpa_supplicant.conf).
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_creds,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
969 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
970 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# NOTE(review): gutter numbers skip 982 and 996, so the line closing the
# second and the fourth eap_connect() calls is not in this listing.
971 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
972 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: clear-text password, connectivity check, re-authentication.
973 eap_connect(dev[0], apdev[0], "PEAP", "user",
974 anonymous_identity="peap", password="password",
975 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
976 hwsim_utils.test_connectivity(dev[0], hapd)
977 eap_reauth(dev[0], "PEAP")
978 dev[0].request("REMOVE_NETWORK all")
979 eap_connect(dev[0], apdev[0], "PEAP", "user",
980 anonymous_identity="peap", password="password",
981 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same user, credential given as a hash (password_hex="hash:...").
984 logger.info("Password as hash value")
985 dev[0].request("REMOVE_NETWORK all")
986 eap_connect(dev[0], apdev[0], "PEAP", "user",
987 anonymous_identity="peap",
988 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
989 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# Wrong password; the missing closing line presumably requests expect_failure.
991 logger.info("Negative test with incorrect password")
992 dev[0].request("REMOVE_NETWORK all")
993 eap_connect(dev[0], apdev[0], "PEAP", "user",
994 anonymous_identity="peap", password="password1",
995 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # Crypto binding ties the inner MSCHAPv2 result to the outer TLS tunnel.
    # dev[0] requires it (crypto_binding=2) and is the station exercised for
    # connectivity and re-authentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # The other two stations only need to connect: one with binding optional
    # (crypto_binding=1), one with it disabled (crypto_binding=0).
    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % binding, **common)
1018 def test_ap_wpa2_eap_peap_params(dev, apdev):
1019 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
# NOTE(review): gutter numbers skip 1037, 1043 and 1046; the identity line
# of the last connect() and the two `if` guards before the raises below are
# not in this listing.
1020 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1021 hostapd.add_ap(apdev[0]['ifname'], params)
# PEAPv0 with peaplabel=1 is expected to fail against this server.
1022 eap_connect(dev[0], apdev[0], "PEAP", "user",
1023 anonymous_identity="peap", password="password",
1024 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1025 phase1="peapver=0 peaplabel=1",
1026 expect_failure=True)
1027 dev[0].request("REMOVE_NETWORK all")
# Both peap_outer_success settings must still yield a normal connection.
1028 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1029 ca_cert="auth_serv/ca.pem",
1030 phase1="peap_outer_success=1",
1031 phase2="auth=MSCHAPV2")
1032 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1033 ca_cert="auth_serv/ca.pem",
1034 phase1="peap_outer_success=2",
1035 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP itself succeeds, but (judging by the raise
# messages) a CONNECTED event within one second counts as a failure.
1036 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1038 anonymous_identity="peap", password="password",
1039 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1040 phase1="peapver=1 peaplabel=1",
1041 wait_connect=False, scan_freq="2412")
1042 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1044 raise Exception("No EAP success seen")
1045 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1047 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The outer PEAP tunnel validates the server against ca_cert; the inner
    # EAP-TLS run uses the separate *2 parameters (ca_cert2, client_cert2,
    # private_key2) for the client certificate authentication.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: the CA file validates the server,
    # and the user cert/key pair identifies the station.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
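def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load the CA certificate, client certificate and private key into
    # wpa_supplicant as named configuration blobs, so the network block can
    # reference them as blob://<name> instead of filesystem paths.
    _set_config_blob(dev[0], "cacert", read_pem("auth_serv/ca.pem"))
    _set_config_blob(dev[0], "usercert", read_pem("auth_serv/user.pem"))
    _set_config_blob(dev[0], "userkey", read_pem("auth_serv/user.key"))
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")


def _set_config_blob(sta, name, data):
    """Store *data* as configuration blob *name* on station *sta*.

    The blob is pushed over the control interface as a hex string; the error
    raised on failure names the blob that could not be set (the original
    inline code reported the userkey failure as a cacert failure).
    """
    if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set %s blob" % name)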
1086 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1087 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1088 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1089 hostapd.add_ap(apdev[0]['ifname'], params)
# PKCS#12 bundle (cert + key) with the passphrase given up front in the
# network block.
1090 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1091 private_key="auth_serv/user.pkcs12",
1092 private_key_passwd="whatever")
1093 dev[0].request("REMOVE_NETWORK all")
# Same bundle without private_key_passwd: wpa_supplicant must ask for the
# passphrase via CTRL-REQ-PASSPHRASE and accept it through CTRL-RSP-PASSPHRASE.
1094 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1095 identity="tls user",
1096 ca_cert="auth_serv/ca.pem",
1097 private_key="auth_serv/user.pkcs12",
1098 wait_connect=False, scan_freq="2412")
1099 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
# NOTE(review): the `if` guard before this raise (gutter 1100) is not in
# this listing.
1101 raise Exception("Request for private key passphrase timed out")
# The request event carries the network id; it is echoed back in the
# response so the reply is matched to the right network block.
1102 id = ev.split(':')[0].split('-')[-1]
1103 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1104 dev[0].wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # CA certificate is pushed as a hex-encoded config blob.
    ca_pem = read_pem("auth_serv/ca.pem")
    reply = sta.request("SET blob cacert " + ca_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")

    # The PKCS#12 bundle is binary, so it is read in "rb" mode and hex-encoded
    # directly rather than going through read_pem().
    with open("auth_serv/user.pkcs12", "rb") as bundle:
        reply = sta.request("SET blob pkcs12 " + bundle.read().encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1120 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1121 """WPA2-Enterprise negative test - incorrect trust root"""
# NOTE(review): several `if ev is None:`-style guard lines (gutter 1140,
# 1144, 1154, 1158, 1163, 1167, 1170, 1174, 1176) are not in this listing;
# each bare `raise` below is the body of such a guard.
1122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1123 hostapd.add_ap(apdev[0]['ifname'], params)
1124 cert = read_pem("auth_serv/ca-incorrect.pem")
1125 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1126 raise Exception("Could not set cacert blob")
# Two stations, each trusting a CA that did not issue the server certificate:
# dev[0] via a config blob, dev[1] via a file path. Neither may connect.
1127 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1128 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1129 password="password", phase2="auth=MSCHAPV2",
1130 ca_cert="blob://cacert",
1131 wait_connect=False, scan_freq="2412")
1132 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1133 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1134 password="password", phase2="auth=MSCHAPV2",
1135 ca_cert="auth_serv/ca-incorrect.pem",
1136 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop variable rebinds the `dev` parameter; it works
# because the tuple is built before the name is reassigned, but a distinct
# name (e.g. sta) would be clearer.
1138 for dev in (dev[0], dev[1]):
1139 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1141 raise Exception("Association and EAP start timed out")
1143 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1145 raise Exception("EAP method selection timed out")
1146 if "TTLS" not in ev:
1147 raise Exception("Unexpected EAP method")
# Expected sequence on the supplicant: TLS certificate error first, ...
1149 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1150 "CTRL-EVENT-EAP-SUCCESS",
1151 "CTRL-EVENT-EAP-FAILURE",
1152 "CTRL-EVENT-CONNECTED",
1153 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1155 raise Exception("EAP result timed out")
1156 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1157 raise Exception("TLS certificate error not reported")
# ... then EAP failure (never success), ...
1159 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1160 "CTRL-EVENT-EAP-FAILURE",
1161 "CTRL-EVENT-CONNECTED",
1162 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1164 raise Exception("EAP result(2) timed out")
1165 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1166 raise Exception("EAP failure not reported")
# ... then disconnection (never a connected event), ...
1168 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1169 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1171 raise Exception("EAP result(3) timed out")
1172 if "CTRL-EVENT-DISCONNECTED" not in ev:
1173 raise Exception("Disconnection not reported")
# ... and finally the network block is temporarily disabled, which stops the
# supplicant from retrying against the untrusted server in a tight loop.
1175 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1177 raise Exception("Network block disabling not reported")
1179 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1180 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1181 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1182 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Network 1: correct CA, fully connected (wait_connect=True).
1183 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1184 identity="pap user", anonymous_identity="ttls",
1185 password="password", phase2="auth=PAP",
1186 ca_cert="auth_serv/ca.pem",
1187 wait_connect=True, scan_freq="2412")
# Network 2: identical except for a wrong CA; only added, not yet selected.
1188 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1189 identity="pap user", anonymous_identity="ttls",
1190 password="password", phase2="auth=PAP",
1191 ca_cert="auth_serv/ca-incorrect.pem",
1192 only_add_network=True, scan_freq="2412")
# Switching to the second block must trigger a fresh EAP-TTLS run that is
# evaluated against the new (wrong) trust root, not reuse the earlier
# server validation.
1194 dev[0].request("DISCONNECT")
1195 dev[0].dump_monitor()
1196 dev[0].select_network(id, freq="2412")
# NOTE(review): the `if ev is None:` guard before this raise (gutter 1199)
# is not in this listing. method=21 is EAP-TTLS.
1198 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1200 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.1X authentication failed.
1202 ev = dev[0].wait_disconnected(timeout=15)
1203 if "reason=23" not in ev:
1204 raise Exception("Proper reason code for disconnection not reported")
1206 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1207 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (no ca_cert in first network)"""
1208 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1209 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Network 1 configures no ca_cert at all (server certificate not validated)
# and connects; network 2 adds a wrong CA and must then be rejected.
1210 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1211 identity="pap user", anonymous_identity="ttls",
1212 password="password", phase2="auth=PAP",
1213 wait_connect=True, scan_freq="2412")
1214 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1215 identity="pap user", anonymous_identity="ttls",
1216 password="password", phase2="auth=PAP",
1217 ca_cert="auth_serv/ca-incorrect.pem",
1218 only_add_network=True, scan_freq="2412")
1220 dev[0].request("DISCONNECT")
1221 dev[0].dump_monitor()
1222 dev[0].select_network(id, freq="2412")
# NOTE(review): the guard before this raise (gutter 1225) is not in this
# listing. method=21 is EAP-TTLS.
1224 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1226 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.1X authentication failed.
1228 ev = dev[0].wait_disconnected(timeout=15)
1229 if "reason=23" not in ev:
1230 raise Exception("Proper reason code for disconnection not reported")
1232 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1233 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (ca_cert changed in place)"""
1234 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1235 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1236 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1237 identity="pap user", anonymous_identity="ttls",
1238 password="password", phase2="auth=PAP",
1239 ca_cert="auth_serv/ca.pem",
1240 wait_connect=True, scan_freq="2412")
# Variant of the two tests above: the *same* network block is edited to
# point at a wrong CA, then re-selected. Editing ca_cert must invalidate
# whatever the earlier successful run cached.
1241 dev[0].request("DISCONNECT")
1242 dev[0].dump_monitor()
1243 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1244 dev[0].select_network(id, freq="2412")
# NOTE(review): the guard before this raise (gutter 1247) is not in this
# listing. method=21 is EAP-TTLS.
1246 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1248 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.1X authentication failed.
1250 ev = dev[0].wait_disconnected(timeout=15)
1251 if "reason=23" not in ev:
1252 raise Exception("Proper reason code for disconnection not reported")
1254 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1255 """WPA2-Enterprise negative test - domain suffix mismatch"""
# NOTE(review): the `if ev is None:`-style guards (gutter 1266, 1270, 1280,
# 1291, 1298, 1304) are not in this listing; each bare raise below is the
# body of such a guard.
1256 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1257 hostapd.add_ap(apdev[0]['ifname'], params)
# Trust root is correct; only the domain_suffix_match constraint fails.
1258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1259 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1260 password="password", phase2="auth=MSCHAPV2",
1261 ca_cert="auth_serv/ca.pem",
1262 domain_suffix_match="incorrect.example.com",
1263 wait_connect=False, scan_freq="2412")
1265 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1267 raise Exception("Association and EAP start timed out")
1269 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1271 raise Exception("EAP method selection timed out")
1272 if "TTLS" not in ev:
1273 raise Exception("Unexpected EAP method")
# The certificate error event must name the specific reason so that an
# operator can distinguish a suffix mismatch from a trust-chain failure.
1275 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1276 "CTRL-EVENT-EAP-SUCCESS",
1277 "CTRL-EVENT-EAP-FAILURE",
1278 "CTRL-EVENT-CONNECTED",
1279 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1281 raise Exception("EAP result timed out")
1282 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1283 raise Exception("TLS certificate error not reported")
1284 if "Domain suffix mismatch" not in ev:
1285 raise Exception("Domain suffix mismatch not reported")
1287 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1288 "CTRL-EVENT-EAP-FAILURE",
1289 "CTRL-EVENT-CONNECTED",
1290 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1292 raise Exception("EAP result(2) timed out")
1293 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1294 raise Exception("EAP failure not reported")
1296 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1297 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1299 raise Exception("EAP result(3) timed out")
1300 if "CTRL-EVENT-DISCONNECTED" not in ev:
1301 raise Exception("Disconnection not reported")
# After the failure the network block must be temporarily disabled.
1303 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1305 raise Exception("Network block disabling not reported")
1307 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1308 """WPA2-Enterprise negative test - subject mismatch"""
# NOTE(review): the `if ev is None:`-style guards (gutter 1319, 1323, 1333,
# 1344, 1351, 1357) are not in this listing; each bare raise below is the
# body of such a guard.
1309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1310 hostapd.add_ap(apdev[0]['ifname'], params)
# Trust root is correct; the subject_match DN (CN=example.com) is what fails.
1311 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1312 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1313 password="password", phase2="auth=MSCHAPV2",
1314 ca_cert="auth_serv/ca.pem",
1315 subject_match="/C=FI/O=w1.fi/CN=example.com",
1316 wait_connect=False, scan_freq="2412")
1318 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1320 raise Exception("Association and EAP start timed out")
1322 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1324 raise Exception("EAP method selection timed out")
1325 if "TTLS" not in ev:
1326 raise Exception("Unexpected EAP method")
# Same failure sequence as the suffix-mismatch test: cert error naming the
# reason, then EAP failure, disconnection and temporary disabling.
1328 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1329 "CTRL-EVENT-EAP-SUCCESS",
1330 "CTRL-EVENT-EAP-FAILURE",
1331 "CTRL-EVENT-CONNECTED",
1332 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1334 raise Exception("EAP result timed out")
1335 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1336 raise Exception("TLS certificate error not reported")
1337 if "Subject mismatch" not in ev:
1338 raise Exception("Subject mismatch not reported")
1340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1341 "CTRL-EVENT-EAP-FAILURE",
1342 "CTRL-EVENT-CONNECTED",
1343 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1345 raise Exception("EAP result(2) timed out")
1346 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1347 raise Exception("EAP failure not reported")
1349 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1350 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1352 raise Exception("EAP result(3) timed out")
1353 if "CTRL-EVENT-DISCONNECTED" not in ev:
1354 raise Exception("Disconnection not reported")
1356 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1358 raise Exception("Network block disabling not reported")
1360 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1361 """WPA2-Enterprise negative test - altsubject mismatch"""
1362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1363 hostapd.add_ap(apdev[0]['ifname'], params)
# Each entry is an altsubject_match value that must NOT match the server
# certificate. NOTE(review): gutter numbers 1367-1369 (the rest of the list
# and the `for match in tests:` header) are not in this listing.
1365 tests = [ "incorrect.example.com",
1366 "DNS:incorrect.example.com",
1370 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1372 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
# Run one altsubject_match negative case on dev[0] against an already
# configured AP: the connection must fail with an AltSubject mismatch and
# the network block must be cleaned up afterwards.
# NOTE(review): the `if ev is None:`-style guards (gutter 1381, 1385, 1395,
# 1406, 1413, 1419) are not in this listing.
1373 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1374 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1375 password="password", phase2="auth=MSCHAPV2",
1376 ca_cert="auth_serv/ca.pem",
1377 altsubject_match=match,
1378 wait_connect=False, scan_freq="2412")
1380 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1382 raise Exception("Association and EAP start timed out")
1384 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1386 raise Exception("EAP method selection timed out")
1387 if "TTLS" not in ev:
1388 raise Exception("Unexpected EAP method")
1390 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1391 "CTRL-EVENT-EAP-SUCCESS",
1392 "CTRL-EVENT-EAP-FAILURE",
1393 "CTRL-EVENT-CONNECTED",
1394 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1396 raise Exception("EAP result timed out")
1397 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1398 raise Exception("TLS certificate error not reported")
1399 if "AltSubject mismatch" not in ev:
1400 raise Exception("altsubject mismatch not reported")
1402 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1403 "CTRL-EVENT-EAP-FAILURE",
1404 "CTRL-EVENT-CONNECTED",
1405 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1407 raise Exception("EAP result(2) timed out")
1408 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1409 raise Exception("EAP failure not reported")
1411 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1412 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1414 raise Exception("EAP result(3) timed out")
1415 if "CTRL-EVENT-DISCONNECTED" not in ev:
1416 raise Exception("Disconnection not reported")
1418 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1420 raise Exception("Network block disabling not reported")
# Remove the (now temporarily disabled) block so the next match value
# starts from a clean configuration.
1422 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # No client credential is configured; only the server is validated
    # against ca_cert.
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
1432 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1433 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# NOTE(review): the `if ev is None:`-style guards (gutter 1441, 1444, 1449,
# 1462, 1465) are not in this listing.
# Expected SHA-256 hash of the server certificate used by the test AP.
1434 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1435 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1436 hostapd.add_ap(apdev[0]['ifname'], params)
# Step 1: probe mode. ca_cert="probe://" makes the supplicant report the
# server certificate (CTRL-EVENT-EAP-PEER-CERT, including its hash) and then
# abort with a cert error instead of completing authentication.
1437 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1438 identity="probe", ca_cert="probe://",
1439 wait_connect=False, scan_freq="2412")
1440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1442 raise Exception("Association and EAP start timed out")
1443 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1445 raise Exception("No peer server certificate event seen")
1446 if "hash=" + srv_cert_hash not in ev:
1447 raise Exception("Expected server certificate hash not reported")
1448 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1450 raise Exception("EAP result timed out")
1451 if "Server certificate chain probe" not in ev:
1452 raise Exception("Server certificate probe not reported")
1453 dev[0].wait_disconnected(timeout=10)
1454 dev[0].request("REMOVE_NETWORK all")
# Step 2: pin a different (wrong) certificate hash; the supplicant must
# refuse the server with "Server certificate mismatch".
1456 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1457 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1458 password="password", phase2="auth=MSCHAPV2",
1459 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1460 wait_connect=False, scan_freq="2412")
1461 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1463 raise Exception("Association and EAP start timed out")
1464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1466 raise Exception("EAP result timed out")
1467 if "Server certificate mismatch" not in ev:
1468 raise Exception("Server certificate mismatch not reported")
1469 dev[0].wait_disconnected(timeout=10)
1470 dev[0].request("REMOVE_NETWORK all")
# Step 3: pin the hash learned in step 1; this time the connection succeeds
# without any CA file at all.
1472 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1473 anonymous_identity="ttls", password="password",
1474 ca_cert="hash://server/sha256/" + srv_cert_hash,
1475 phase2="auth=MSCHAPV2")
1477 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1478 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# NOTE(review): the `if ev is None:` guards (gutter 1498, 1501) inside the
# loop are not in this listing.
1479 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1480 hostapd.add_ap(apdev[0]['ifname'], params)
# Three malformed hash:// pins, one per station:
#   dev[0]: unsupported digest ("md5" instead of "sha256")
#   dev[1]: hex string two characters too short
#   dev[2]: non-hex character ('Q') in the digest
# Each must be rejected when the EAP method is initialized, i.e. before any
# TLS handshake is attempted, rather than silently accepted or ignored.
1481 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1482 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1483 password="password", phase2="auth=MSCHAPV2",
1484 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1485 wait_connect=False, scan_freq="2412")
1486 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1487 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1488 password="password", phase2="auth=MSCHAPV2",
1489 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1490 wait_connect=False, scan_freq="2412")
1491 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1492 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1493 password="password", phase2="auth=MSCHAPV2",
1494 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1495 wait_connect=False, scan_freq="2412")
1496 for i in range(0, 3):
1497 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1499 raise Exception("Association and EAP start timed out")
1500 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1502 raise Exception("Did not report EAP method initialization failure")
1504 def test_ap_wpa2_eap_pwd(dev, apdev):
1505 """WPA2-Enterprise connection using EAP-pwd"""
# NOTE(review): gutter numbers 1516-1517 and 1525-1526 (the lines closing the
# two long-identity eap_connect() calls) are not in this listing.
1506 check_eap_capa(dev[0], "PWD")
1507 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1508 hostapd.add_ap(apdev[0]['ifname'], params)
# EAP-pwd needs no certificates: the password alone authenticates both sides.
1509 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1510 eap_reauth(dev[0], "PWD")
1511 dev[0].request("REMOVE_NETWORK all")
# Very long identity, to exercise fragmentation of the EAP-pwd exchange.
1513 eap_connect(dev[1], apdev[0], "PWD",
1514 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1515 password="secret password",
# Wrong password; with local_error_report the failure is detected on the
# supplicant side rather than via the AP's reason code.
1518 logger.info("Negative test with incorrect password")
1519 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1520 expect_failure=True, local_error_report=True)
1522 eap_connect(dev[0], apdev[0], "PWD",
1523 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1524 password="secret password",
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Re-create the AP once per finite-cyclic group id and confirm a fresh
    # EAP-pwd authentication succeeds with each of them.
    for group in [ 19, 20, 21, 25, 26 ]:
        base_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], base_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1539 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1540 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1541 check_eap_capa(dev[0], "PWD")
1542 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1543 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1544 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group 0 is not a valid EAP-pwd group; the server is expected to start but
# the EAP exchange must end in failure rather than a connection.
1545 params['pwd_group'] = "0"
1546 hostapd.add_ap(apdev[0]['ifname'], params)
1547 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1548 identity="pwd user", password="secret password",
1549 scan_freq="2412", wait_connect=False)
# NOTE(review): this wait_event() has no timeout argument, and the guard
# before the raise (gutter 1551) is not in this listing.
1550 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1552 raise Exception("Timeout on EAP failure report")
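def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is spelled out explicitly (rather than taken from
    # hostapd.wpa2_eap_params()) because the test needs the extra EAP-pwd
    # group and fragment_size settings. The original code also called
    # wpa2_eap_params() first and immediately discarded the result; that dead
    # assignment has been removed.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A 40-byte fragment_size forces the server to split the EAP-pwd messages,
    # so a successful connection here exercises the reassembly path.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")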
1565 def test_ap_wpa2_eap_gpsk(dev, apdev):
1566 """WPA2-Enterprise connection using EAP-GPSK"""
# NOTE(review): the `if ev is None:` guards (gutter 1577, 1584) are not in
# this listing.
1567 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1568 hostapd.add_ap(apdev[0]['ifname'], params)
# eap_connect() returns the network id so the block can be edited in place.
1569 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1570 password="abcdefghijklmnop0123456789abcdef")
1571 eap_reauth(dev[0], "GPSK")
# Each supported cipher suite, selected explicitly via phase1, must still
# authenticate and reconnect.
1573 logger.info("Test forced algorithm selection")
1574 for phase1 in [ "cipher=1", "cipher=2" ]:
1575 dev[0].set_network_quoted(id, "phase1", phase1)
1576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1578 raise Exception("EAP success timed out")
1579 dev[0].wait_connected(timeout=10)
# An unknown cipher id must lead to EAP failure, not a fallback.
1581 logger.info("Test failed algorithm negotiation")
1582 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1583 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1585 raise Exception("EAP failure timed out")
# Wrong PSK (first byte changed) must be rejected.
1587 logger.info("Negative test with incorrect password")
1588 dev[0].request("REMOVE_NETWORK all")
1589 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1590 password="ffcdefghijklmnop0123456789abcdef",
1591 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive case: connect and reauthenticate as "sake user" with the
    configured 64-hex-digit key. Negative case: the same identity with a key
    whose first byte differs, which eap_connect() is told to expect to fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Covers the initial connection and reauthentication as "eke user",
    several explicitly selected algorithm sets via phase1 (dhgroup, encr,
    prf, mac), a failed negotiation with undefined values (all 9) and
    finally an incorrect password.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The value returned by eap_connect() is used below as the network id.
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): the guard between wait_event() and this raise is
        # missing from this listing -- TODO confirm against the full file.
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects and reauthenticates as "ikev2 user", repeats the connection
    with station-side fragment_size "50", and finally checks that a
    mistyped password ("ike-password") is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "ikev2 user"
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
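def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with fragment_size "50" so that the integrated EAP
    server fragments its EAP-IKEv2 messages; the station must still
    authenticate as "ikev2 user" and reauthenticate afterwards.
    """
    # The AP parameters are written out explicitly; the earlier
    # hostapd.wpa2_eap_params() result was overwritten before use and has
    # been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")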
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects and reauthenticates as "pax.user@example.com" with the
    configured 32-hex-digit key, then verifies that a key with a different
    first byte is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "pax.user@example.com"

    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for WPA-EAP-SHA256 key management with
    ieee80211w "2", so the station connects with sha256=True. After the
    connection and a reauthentication the MIB must report AKM suite
    00-0f-ac-5 (requested and selected) and the BSS table entry must carry
    the [WPA2-EAP-SHA256-CCMP] flag. A final attempt with a wrong key must
    fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    sha256_akm = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                        ("dot11RSNAAuthenticationSuiteSelected", sha256_akm) ])

    bss_entry = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses the WPA (not RSN) AP profile from hostapd.wpa_eap_params(), so
    eap_check_auth() and eap_reauth() are called with rsn=False and the MIB
    is expected to show the WPA AKM OUI 00-50-f2-1.
    """
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last line of this connect() call is missing from
    # this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    # wait_connect=False above: the EAP exchange is verified step by step
    # by eap_check_auth() instead of waiting for CTRL-EVENT-CONNECTED.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each entry of ``tests`` is (description, eap, anonymous_identity,
    identity, phase2, identity to supply on request, password to supply on
    request). The network block is configured without a password (and in
    one case without an identity); the missing values are then delivered
    through the control interface in reply to CTRL-REQ-IDENTITY and
    CTRL-REQ-PASSWORD / CTRL-REQ-OTP.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # NOTE(review): "DOMAIN\mschapv2 user" contains the undefined escape
    # "\m"; Python keeps the backslash literally but newer versions warn
    # about it -- a raw string would express the same value. Also, the
    # trailing element(s) of the first tuple are missing from this listing
    # -- TODO confirm.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): one line between the loop header and connect() is
        # missing from this listing -- TODO confirm.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): the guard lines around the identity request and the
        # "timed out" raises are missing from this listing; as shown the
        # identity exchange would run unconditionally even when req_id is
        # None -- TODO confirm against the full file.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the trailing number of the "CTRL-REQ-IDENTITY-<id>"
        # token and must be echoed back in the CTRL-RSP command.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may ask for an OTP instead of a password; answer with the
        # matching CTRL-RSP type. ('type' shadows the builtin; kept as-is.)
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects with the test method "VENDOR-TEST" and identity "vendor-test"
    (no password), then reauthenticates.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "VENDOR-TEST"
    eap_connect(dev[0], apdev[0], method, "vendor-test")
    eap_reauth(dev[0], method)
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1 "fast_provisioning=1" selects unauthenticated PAC provisioning
    and the PAC is stored in the blob "fast_pac". After data connectivity
    is verified, a reauthentication must report tls_session_reused == '1',
    i.e. the provisioned PAC was actually used.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text-format file (fast.pac under
    params['logdir']), checks the file header and the presence of a
    PAC-Key= line, then reconnects using that PAC. dev[1] repeats the
    exercise with fast_pac_format=binary into fast-bin.pac. Both files are
    removed at the end with 'sudo rm' (list form, no shell).
    """
    check_eap_capa(dev[0], "FAST")
    # Paths are taken from the 'params' fixture before the name is rebound
    # to the hostapd parameters below.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): two lines are missing from this listing here, and the
    # unconditional 'sudo rm' cleanup at the end suggests the connections
    # sit inside a try/finally -- TODO confirm against the full file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the line that reads the file into 'data' is missing
        # from this listing -- TODO confirm.
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Second connection without fast_provisioning: the PAC from the file
    # must be used. NOTE(review): the closing line(s) of this call and of
    # the two dev[1] calls below are missing from this listing.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # Cleanup of the PAC files written by wpa_supplicant (which runs with
    # elevated privileges in this test setup, hence sudo).
    subprocess.call(['sudo', 'rm', pac_file])
    subprocess.call(['sudo', 'rm', pac_file2])
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC with fast_provisioning=1, fast_max_pac_list_len=1 and
    fast_pac_format=binary into the blob "fast_pac_bin"; the following
    reauthentication must report tls_session_reused == '1'.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts, pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two attempts without a fast_provisioning phase1 option: one with a PAC
    blob that does not exist ("blob://fast_pac_not_in_use") and one with no
    pac_file at all. Both must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard between wait_event() and this raise is missing
    # from this listing -- TODO confirm against the full file.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1 "fast_provisioning=2" selects authenticated PAC provisioning with
    EAP-GTC as the inner method; the PAC is stored in the blob
    "fast_pac_auth". After data connectivity is verified, a reauthentication
    must report tls_session_reused == '1'.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], ap)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    The station uses the PKCS#12 client credential and ocsp=2, i.e. it
    requires a valid stapled OCSP response from the server, and must still
    connect against the default AP profile.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ocsp=2, **client_cred)
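def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP with the integrated EAP server.

    The dict configures ssid "test-wpa2-eap", WPA2 with WPA-EAP key
    management and CCMP, IEEE 802.1X with the built-in EAP server, the user
    database auth_serv/eap_user.conf and the auth_serv CA, server
    certificate and private key. Callers modify the dict (for example to
    swap the server certificate or add an OCSP response) before passing it
    to hostapd.add_ap(), so a fresh dict is built on every call.

    Returns:
        dict[str, str]: hostapd configuration parameters.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
    # Every caller assigns the result of this helper, so the dict must be
    # returned explicitly.
    return params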
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The AP staples a deliberately broken OCSP response file and the
    station requires a valid one (ocsp=2); the station must report a
    'bad certificate status response' EAP status and then EAP failure.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: a valid stapled OCSP response is required, so the invalid
    # one must abort the TLS handshake.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): several lines are missing from this listing around the
    # EAP-STATUS handling (a loop/counter and the bodies of the conditionals
    # below are not visible); the structure shown here cannot be run as-is
    # -- TODO confirm against the full file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate (server-no-dnsname.pem) carries no dNSName
    subjectAltName, so domain_suffix_match has to be evaluated against the
    subject CN. Both a full match ("server3.w1.fi") and a parent-domain
    suffix ("w1.fi") are expected to connect.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line of each connect() call is missing from
    # this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Negative counterpart of the CN suffix-match test: with the same
    certificate (no dNSName, CN presumably server3.w1.fi) neither an
    unrelated domain ("example.com") nor a suffix that only matches
    mid-label ("erver3.w1.fi") may be accepted; both stations must end in
    CTRL-EVENT-EAP-FAILURE.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of each connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    # "erver3.w1.fi" is a substring of the CN but not a label-boundary
    # suffix; the matching rule must reject it.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guards between wait_event() and the raises are
    # missing from this listing -- TODO confirm.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The AP presents server-expired.pem; the station must report a
    CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 and the text
    "certificate has expired", followed by CTRL-EVENT-EAP-FAILURE.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the human-readable text are checked so a
    # different validation error does not pass as "expired".
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the expired-cert test, but the
    station sets phase1 "tls_disable_time_checks=1", which disables the
    validity-period check, so the connection is expected to succeed.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The AP presents server-eku-client.pem, a certificate whose extended key
    usage allows only client authentication; the station must not accept
    it as a server certificate and must report CTRL-EVENT-EAP-FAILURE.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of the client-EKU test: the certificate
    server-eku-client-server.pem includes server authentication in its
    extended key usage, so the connection is expected to succeed.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    server_cert is removed from the parameters and private_key points at
    auth_serv/server.pkcs12, so hostapd presumably loads both the key and
    the certificate from the PKCS#12 container; the station is expected to
    connect normally.
    """
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The station supplies its own DH parameters from auth_serv/dh.conf via
    dh_file and uses the DER-encoded CA (auth_serv/ca.der); the TTLS/CHAP
    connection as "chap user" must succeed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    Variant of the dh_params test where the DH parameters are read from
    auth_serv/dh.conf with read_pem(), stored in wpa_supplicant as the
    blob "dhparams" through the control interface, and referenced with
    dh_file="blob://dhparams".
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_params = read_pem("auth_serv/dh.conf")
    # str.encode("hex") is the Python 2 hex codec; the blob is passed as a
    # hex string on the control interface.
    reply = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                     dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with eap_reauth_period '2' (seconds); after the
    initial EAP-PAX connection the authenticator must start a new EAP
    exchange on its own, which has to succeed and leave wpa_state at
    COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): the guards between the wait_event() calls and the
    # raises are missing from this listing -- TODO confirm against the
    # full file.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("Timeout on reauthentication")
    # Poll wpa_state up to 20 times for the 4-way handshake that follows
    # the reauthentication to finish. NOTE(review): the loop body after the
    # comparison (presumably a break and a short sleep) is missing from
    # this listing -- TODO confirm.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    The AP's eap_message carries a displayable part ("hello") and, after a
    literal backslash-zero separator, a networkid/nasid/portid/NAIRealms
    options string; the EAP-PAX connection must still succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    Requires the hlr_auc_gw socket (HwsimSkip otherwise). The AP enables
    eap_sim_aka_result_ind. For each of EAP-SIM, EAP-AKA and EAP-AKA',
    dev[0] connects with phase1 "result_ind=1" and reauthenticates, while
    dev[1] connects with the same credentials but without requesting the
    result indication. The password strings are the test Ki:OPc[:SQN]
    values matching the hlr_auc_gw test database.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    cases = [ ("SIM", "1232010000000000",
               "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
              ("AKA", "0232010000000000",
               "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
              ("AKA'", "6555444333222111",
               "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123") ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's network blocks on both stations.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The station is set up so that the TTLS/MSCHAP exchange needs more
    round trips than the EAP state machine allows; the expected outcome is
    the "EAP: more than" limit message rather than a connection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this connect() call is
    # missing from this listing (presumably the setting that inflates the
    # number of round trips) -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The station is configured for EAP-PSK but uses the identity
    "vendor-test", for which the server proposes a different (vendor)
    method; the station must answer with a NAK ("refuse proposed method"
    in CTRL-EVENT-EAP-STATUS) and the exchange must end in EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line(s) of this connect() call are missing
    # from this listing -- TODO confirm against the full file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # Up to five EAP-STATUS events are inspected for the NAK.
    # NOTE(review): the guard after wait_event(), the body of the
    # "refuse proposed method" branch and the lines preceding the
    # "Unexpected EAP status" raise are missing from this listing -- TODO
    # confirm; as shown the loop cannot be read as runnable code.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard missing from this listing -- TODO confirm.
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds an SQLite user database (eap-user.db under params['logdir'])
    with four TTLS inner-method users, a wildcard row and an empty authlog
    table, points hostapd at it with eap_user_file "sqlite:<path>", and
    connects each user with the matching inner method (MSCHAPV2, MSCHAP,
    CHAP, PAP).
    """
    # NOTE(review): the sqlite3 import (inside a try block, judging by the
    # HwsimSkip below) is missing from this listing -- TODO confirm.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): the lines between the path and the connect() call
    # (presumably removal of a stale database file) and the cursor
    # creation are missing from this listing -- TODO confirm.
    con = sqlite3.connect(dbfile)
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    # phase2=1 marks these as inner (tunneled) users; the methods column
    # names the TTLS inner method each identity is allowed to use.
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard: outer (phase 1) identities may use TTLS or TLS.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # NOTE(review): commit/close of the connection are not visible in this
    # listing -- TODO confirm.
    # The 'params' fixture is rebound here to the hostapd parameters.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): three trailing lines of this function are missing from
    # this listing -- TODO confirm.
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Against the integrated EAP server, two stations send identities that
    contain the byte 0x80 ("\\x80" alone and "a\\x80"), which is not valid
    UTF-8 on its own. The test only checks that EAP starts and a method is
    selected for both, i.e. the malformed identity does not stall the
    exchange.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): the guards between the wait_event() calls and the
        # raises are missing from this listing -- TODO confirm.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    hostapd.wpa2_eap_params() AP profile instead of int_eap_server_params():
    identities containing the byte 0x80 must still lead to EAP starting and
    a method being selected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): the guards between the wait_event() calls and the
        # raises are missing from this listing -- TODO confirm.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
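def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Skipped (HwsimSkip) unless wpa_supplicant reports an OpenSSL TLS
    library. dev[0] restricts its OpenSSL cipher list to "AES128" and must
    connect; dev[1] restricts it to "EXPORT", which is expected to fail
    the TTLS handshake (expect_failure=True).
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The hostapd handle returned by add_ap() was bound but never used.
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)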
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    Both wpa_supplicant and hostapd must report an OpenSSL TLS library
    (HwsimSkip otherwise). hostapd is restricted to "AES256"; a station
    with its default cipher list connects, one restricted to "AES128" is
    expected to fail, and one offering "HIGH:!ADH" connects.
    """
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params: dict) -> None:
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP.

    Checks that wpa_supplicant does not keep key material in its process
    memory longer than it is needed. The test walks through four states and
    searches a memory snapshot (read_process_memory) for each key:

      1. associated:      password, PMK, KCK and KEK may be present;
                          TK and GTK must NOT be found
      2. disassociated:   KCK, KEK, TK and GTK must be gone
      3. PMKSA cache flushed and EAP fast re-auth data invalidated
                          (identity changed): PMK must be gone
      4. network profile removed: password, MSK, EMSK and PMK must be gone

    The key values themselves are recovered from the wpa_supplicant debug
    log ('log0' under params['logdir']), so the build must include key
    hexdumps in its debug output. Memory contexts around any leaked key are
    written by verify_not_present() with the 'memctx-' file prefix.

    dev/apdev: hwsim station and AP handles; only index 0 of each is used.
    params: test parameters; only params['logdir'] is read here.
    Raises HwsimSkip if the password or PMK cannot be located while
    associated, Exception if a key is missing from the log or found in
    memory when it should have been cleared.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # 64 hex characters (32 bytes): long and random-looking so that a hit
    # in process memory is unambiguous and not a coincidental substring.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Snapshot of process memory taken while still associated.
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover the derived keys from the debug log. Each hexdump line is
    # split on ':' and the fourth field holds the hex bytes; the index 3
    # implies one extra ':'-delimited prefix (presumably a timestamp)
    # precedes the module name. If a key is logged more than once, the
    # last occurrence wins.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    # A build that prints "[REMOVED]" instead of key bytes never reaches
    # this point cleanly: unhexlify() raises on the non-hex payload.
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the GTK length check guarding this raise is not visible
    # in this excerpt.
    raise Exception("Unexpected GTK length")

    # Prefix for the memory-context dump files written on a leak.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password and PMK not being found is treated as a skip rather than a
    # failure (presumably the memory read is best-effort — TODO confirm).
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): the 'if <key> [not] in buf' guards for the next five
    # raises are not visible in this excerpt; the messages state the
    # intended conditions. kck/kek/tk are assumed to be slices of ptk
    # derived in lines not shown here. TK and GTK must not be resident
    # while associated, presumably because they are handed to the driver
    # and wiped — confirm against wpa_supplicant's key handling.
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in the network configuration; it is
    # only expected to disappear after REMOVE_NETWORK below.
    # Note: PMK is still legitimately held in the PMKSA cache and in the
    # EAP fast re-auth data; it is only expected to disappear after both
    # are flushed below.

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # The PTK-derived keys and the GTK must be cleared as soon as the
    # association ends.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flush the PMKSA cache, and change the identity on the profile so the
    # cached EAP fast re-auth state can no longer be reused; the PMK must
    # not survive either copy.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    # Removing the profile is the last legitimate holder of the password;
    # after this, no key material from the session may remain anywhere.
    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")