1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module logger.  getLogger() with no name returns the root logger; handlers
# and levels are presumably installed by the hwsim test runner, so this module
# only emits records and never configures logging itself — confirm in run-tests.
logger = logging.getLogger()
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# NOTE(review): only the two assignments of a try/except are visible in this
# listing; the import attempt they bracket (presumably an OpenSSL binding used
# by the certificate-handling tests) is not shown — verify against the full
# file.  Tests that need it are expected to check this flag and skip otherwise.
openssl_imported = True
openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test when no hlr_auc_gw control socket is present.

    The EAP-SIM/AKA cases need the hlr_auc_gw helper (the simulated
    HLR/AuC that hostapd's EAP server queries); its UNIX socket is looked
    for at a fixed path under /tmp.  Absence raises HwsimSkip so the case
    is reported as skipped rather than failed.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test unless the wpa_supplicant build advertises EAP *method*.

    Queries the "eap" capability list of *dev*; judging by the message,
    a method missing from that list raises HwsimSkip.
    """
    res = dev.get_capability("eap")
    # NOTE(review): the condition that guards this raise (comparing `method`
    # against `res`) is not visible in this listing — verify against the
    # full file before treating this as unconditional.
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev*'s TLS library supports subject_match.

    Only OpenSSL-backed builds are accepted; any other library reported
    by ``GET tls_library`` raises HwsimSkip with the library name.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + library)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev*'s TLS library supports altsubject_match.

    Only OpenSSL-backed builds are accepted; any other library reported
    by ``GET tls_library`` raises HwsimSkip with the library name.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + library)
def check_domain_match(dev):
    """Skip the test when *dev*'s TLS library cannot do domain_match.

    Only the internal TLS implementation is rejected; every other library
    reported by ``GET tls_library`` passes.
    """
    library = dev.request("GET tls_library")
    unsupported = library.startswith("internal")
    if unsupported:
        raise HwsimSkip("domain_match not supported with this TLS library: " + library)
def check_domain_suffix_match(dev):
    """Skip the test when *dev*'s TLS library cannot do domain_suffix_match.

    Only the internal TLS implementation is rejected; every other library
    reported by ``GET tls_library`` passes.
    """
    library = dev.request("GET tls_library")
    unsupported = library.startswith("internal")
    if unsupported:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + library)
def check_domain_match_full(dev):
    """Skip the test unless *dev*'s TLS library does full domain_suffix_match.

    Only OpenSSL-backed builds are accepted; other libraries raise
    HwsimSkip explaining that a full match is required.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + library)
def check_cert_probe_support(dev):
    """Skip the test unless *dev*'s TLS library supports certificate probing.

    Both OpenSSL-backed builds and the internal TLS implementation are
    accepted; anything else raises HwsimSkip.
    """
    library = dev.request("GET tls_library")
    supported = library.startswith("OpenSSL") or library.startswith("internal")
    if not supported:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + library)
def check_ext_cert_check_support(dev):
    """Skip the test unless *dev*'s TLS library supports ext_cert_check.

    Only OpenSSL-backed builds are accepted; any other library reported
    by ``GET tls_library`` raises HwsimSkip with the library name.
    """
    library = dev.request("GET tls_library")
    if library.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + library)
def check_ocsp_support(dev):
    """Placeholder capability check for OCSP tests.

    Queries ``GET tls_library`` for consistency with the other check_*
    helpers but currently skips nothing: the earlier exclusions of the
    internal TLS implementation and BoringSSL have been retired, so every
    library is treated as OCSP-capable here.
    """
    _library = dev.request("GET tls_library")
def check_pkcs12_support(dev):
    """Placeholder capability check for PKCS#12 tests.

    Queries ``GET tls_library`` for consistency with the other check_*
    helpers but currently skips nothing: the earlier exclusion of the
    internal TLS implementation has been retired.
    """
    _library = dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip the test when *dev*'s TLS library cannot use DSA-signed DH parameters.

    Only the internal TLS implementation is rejected; every other library
    reported by ``GET tls_library`` passes.
    """
    library = dev.request("GET tls_library")
    unsupported = library.startswith("internal")
    if unsupported:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + library)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the EAP-enabled AP *ap* using EAP *method* and verify the outcome.

    Adds a network with key_mgmt "WPA-EAP WPA-EAP-SHA256", PMF enabled as
    optional (ieee80211w=1) and the given identity; the extra network
    parameters in **kwargs are presumably forwarded to dev.connect() (the
    tail of that call is not visible in this listing).  eap_check_auth
    then follows the EAP exchange with the expectation flags, and on the
    success path hostapd's AP-STA-CONNECTED event is awaited.

    NOTE(review): the closing arguments of dev.connect(), the lines between
    eap_check_auth() and hapd.wait_event(), and the guard before the final
    raise are not visible in this listing — verify against the full file.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # `id` shadows the builtin; left untouched in this doc-only change.
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    # (remaining dev.connect() arguments not visible in this listing)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # Confirm the authenticator side also saw the station become authorized.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    # NOTE(review): guard for this raise not visible in this listing
    raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow the EAP exchange on *dev* via control events and check the result.

    Waits for EAP start and method selection.  When a failure is
    expected it waits for CTRL-EVENT-EAP-FAILURE and the disconnection,
    checking the reported reason code unless the failure may be locally
    generated; otherwise it waits for EAP success, association/key
    negotiation, and validates wpa_state, suppPortStatus, selectedMethod
    and key_mgmt in the STATUS output.

    NOTE(review): many lines are missing from this listing — the guards
    before each timeout raise, the `return`/branch keywords between the
    blocks, and the final return.  The code below is reproduced only as
    far as it is visible; verify the control flow against the full file.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (guard not visible)
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (guard not visible)
    raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
        # (body of the maybe_local_error branch not visible)
        raise Exception("Could not select EAP method")
    # (condition not visible: presumably `method not in ev`)
    raise Exception("Unexpected EAP method")
    # --- expected-failure path (branch keyword not visible) ---
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # (guard not visible)
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    # A locally generated deauth is tolerated only when the caller said so.
    if maybe_local_error and "locally_generated=1" in ev:
    # (body not visible)
    if not local_error_report:
        # reason=23 is the IEEE 802.11 "IEEE 802.1X authentication failed"
        # reason code, which the AP must send after an EAP failure.
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    # --- success path ---
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard not visible)
    raise Exception("EAP success timed out")
    # initial connection waits for CTRL-EVENT-CONNECTED; a re-auth only for
    # the 4-way handshake completion (branch keywords not visible)
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    # (guard not visible)
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # Port must be Authorized: EAP success alone is not enough, the 802.1X
    # PAE state has to reflect it.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # Expected key_mgmt string depends on sha256 / rsn (the if/elif/else
    # keywords selecting between these three are not visible).
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and verify its outcome.

    Issues the REAUTHENTICATE control command and then runs the same
    event/status verification as the initial connection via
    eap_check_auth, with ``initial`` set to False.  Returns whatever
    eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    expectations = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **expectations)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # Positive path: three stations authenticate with EAP-SIM against the
    # hlr_auc_gw-backed server, then the negative cases feed wrong or
    # malformed GSM-Milenage credentials ("Ki:OPc" hex pairs, presumably
    # test vectors from the hlr_auc_gw database) and expect EAP failure.
    # NOTE(review): the trailing arguments of several eap_connect() calls
    # (the expectation flags that close each call) and a few blank lines are
    # not visible in this listing — verify against the full file.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # (call continues — not visible)
    # Wrong Ki for a known IMSI: the server must reject the SRES.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # (call continues — not visible)
    # Malformed local credential: too short, no ":OPc" part.
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # (call continues — not visible)
    # Non-hex character in the Ki part.
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    # (call continues — not visible)
    # Non-hex character in the OPc part.
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    # (call continues — not visible)
    # Missing ':' separator between Ki and OPc.
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    # (call continues — not visible)
    # No password at all: the method must fail cleanly rather than proceed.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    # (call continues — not visible)
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    # Exercises the SQLite-backed EAP-SIM server state: fast re-auth,
    # pseudonym and permanent-identity full auth, and recovery when the
    # stored reauth row (mk, counter) is tampered with directly in the DB.
    # Every SQL statement below is a constant literal — nothing from the
    # environment is interpolated, so there is no injection surface here.
    # NOTE(review): the sqlite3 import attempt, the `with con:`/cursor
    # setup that precedes each cur.execute(), and some blank lines are not
    # visible in this listing — verify against the full file.
    check_hlr_auc_gw_support()
    # (import guard not visible)
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds the `params` fixture name to the AP configuration.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the RADIUS server instance that uses the SQLite user DB.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    # Dropping the reauth row forces a full authentication; the pseudonym
    # row is still present so the pseudonym identity is used.
    logger.info("SIM full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Dropping both rows forces full auth with the permanent identity.
    logger.info("SIM full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # A corrupted master key must make fast re-auth fail (the supplicant
    # and server no longer agree on the keys).
    logger.info("SIM reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # Push the counter past the server's reauth limit so it falls back to
    # full authentication.
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    # sim_min_num_chal must be 2 or 3: values 1 and 4 are rejected at method
    # initialisation (EAP type 18 is EAP-SIM), 2 is accepted.  The last call
    # also checks that an anonymous_identity can be used for the outer
    # identity.
    # NOTE(review): the `if ev is None` style guards before the two raises
    # and two blank lines are not visible in this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (guard not visible)
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (guard not visible)
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # Wrapper whose only job is to restore external_sim=0 on dev[0] after
    # the real test body, so a failure in it cannot leave the global
    # supplicant setting changed for later tests.
    # NOTE(review): the try/finally keywords around these two statements are
    # not visible in this listing — verify against the full file.
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    # Runs EAP-SIM with external_sim=1, so wpa_supplicant hands the GSM
    # authentication to the control interface (CTRL-REQ-SIM) instead of
    # computing it locally, then answers each request with a bogus
    # CTRL-RSP-SIM.  Each reply is accepted by the ctrl_iface command
    # parser but must be rejected during GSM-AUTH validation, ending in
    # CTRL-EVENT-EAP-FAILURE rather than a crash or a successful auth —
    # i.e. this is input-validation coverage for the external-SIM path.
    # NOTE(review): the `if ev is None` style guards before each raise and
    # the `p = ...` split of the CTRL-REQ-SIM event that feeds p[0]/p[1]
    # are not visible in this listing — verify against the full file.  The
    # caller restores external_sim afterwards.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # (guard not visible)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id is the 4th '-'-separated field of the event tag.
    rid = p[0].split('-')[3]
    # Case 1: answer a GSM-AUTH request with a UMTS-AUTH response.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 2: non-hex GSM-AUTH payload.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 3: truncated hex payload.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 4: first field only, nothing after it.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 5: non-hex second field.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 6: well-formed fields whose values the server will not accept.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 7: non-hex trailing field.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    # Fault injection: alloc_fail makes the N-th allocation inside
    # milenage_f2345 fail for N = 1..12.  In every case EAP-SIM must still
    # be selected and the supplicant must disconnect cleanly rather than
    # crash or complete the authentication with partial key material.
    # NOTE(review): the `if ev is None` style guard before the raise is not
    # visible in this listing.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (guard not visible)
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # Positive EAP-AKA path with connectivity and re-auth, then negative
    # cases with a wrong key and with malformed "Ki:OPc:SQN" Milenage
    # credentials; each must end in EAP failure, not a successful auth.
    # NOTE(review): the trailing arguments of the negative eap_connect()
    # calls (the expectation flags that close each call) and some blank
    # lines are not visible in this listing — verify against the full file.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    # Wrong Ki for a known IMSI.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # (call continues — not visible)
    # Too short, no OPc/SQN parts.
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # (call continues — not visible)
    # Non-hex character in the Ki part.
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # (call continues — not visible)
    # Non-hex character in the OPc part.
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    # (call continues — not visible)
    # Non-hex character in the SQN part.
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    # (call continues — not visible)
    # Missing ':' before the SQN part.
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    # (call continues — not visible)
    # Both separators missing.
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # (call continues — not visible)
    # No password configured at all.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    # (call continues — not visible)
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # EAP-AKA counterpart of the SQL-backed EAP-SIM test: fast re-auth,
    # pseudonym/permanent-identity full auth, and recovery when the stored
    # reauth row (mk, counter) is tampered with in the DB.  All SQL
    # statements are constant literals; nothing external is interpolated.
    # NOTE(review): the sqlite3 import attempt, the `with con:`/cursor
    # setup that precedes each cur.execute(), and some blank lines are not
    # visible in this listing — verify against the full file.
    check_hlr_auc_gw_support()
    # (import guard not visible)
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds the `params` fixture name to the AP configuration.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the RADIUS server instance that uses the SQLite user DB.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    # Dropping the reauth row forces full auth (pseudonym still present).
    logger.info("AKA full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # Dropping both rows forces full auth with the permanent identity.
    logger.info("AKA full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # A corrupted master key must make fast re-auth fail.
    logger.info("AKA reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # Push the counter past the server's reauth limit.
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Bring up the EAP-enabled AP and connect with an anonymous_identity so
    # the outer EAP-Response/Identity does not have to expose the permanent
    # identity in the clear.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    creds = dict(
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        anonymous_identity="2345678",
    )
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **creds)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # Wrapper whose only job is to restore external_sim=0 on dev[0] after
    # the real test body, so a failure in it cannot leave the global
    # supplicant setting changed for later tests.
    # NOTE(review): the try/finally keywords around these two statements are
    # not visible in this listing — verify against the full file.
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Runs EAP-AKA with external_sim=1 so the UMTS authentication is handed
    # to the control interface (CTRL-REQ-SIM), then answers with a series
    # of wrong-type, resync (UMTS-AUTS) and malformed UMTS-AUTH replies.
    # The ctrl_iface command itself succeeds; the reply must be rejected
    # during validation and end in CTRL-EVENT-EAP-FAILURE — input-validation
    # coverage for the external-SIM path.
    # NOTE(review): the `if ev is None` style guards before each raise, the
    # `p = ...` split of the CTRL-REQ-SIM event feeding p[0]/p[1], and the
    # `for t in tests:` loop header before the final block are not visible
    # in this listing — verify against the full file.  The caller restores
    # external_sim afterwards.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # (guard not visible)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id is the 4th '-'-separated field of the event tag.
    rid = p[0].split('-')[3]
    # Case 1: answer a UMTS-AUTH request with a GSM-AUTH response.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Case 2: a UMTS-AUTS (resynchronisation) reply; the server answers with
    # a new challenge, so a second CTRL-REQ-SIM is expected here.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard not visible)
    raise Exception("Wait for external SIM processing request timed out")
    # (p = split of ev not visible)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Case 3: truncated AUTS value.
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard not visible)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # UMTS-AUTH replies to iterate over: well-formed but unacceptable
    # values, wrong separators, a too-short and a too-long field, and a
    # non-hex character.  Each must yield EAP failure.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    # (loop header `for t in tests:` not visible; the following lines form
    # its body)
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        # (guard not visible)
        raise Exception("Wait for external SIM processing request timed out")
        # (p = split of ev not visible)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # (guard not visible)
        raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # Positive EAP-AKA' path, then the bidding-down check: with both
    # "AKA' AKA" enabled the supplicant must still end up connected (the
    # AT_BIDDING attribute protects against being steered to plain AKA),
    # then a negative case with a wrong Ki.
    # NOTE(review): the trailing arguments of the last eap_connect() call
    # and a blank line are not visible in this listing.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
    # (call continues — not visible)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # EAP-AKA' counterpart of the SQL-backed tests.  Unlike SIM/AKA the
    # tampered key here is k_aut (AKA' derives separate keys), and a wrong
    # k_aut must make the fast re-auth fail.  All SQL statements are
    # constant literals; nothing external is interpolated.
    # NOTE(review): the sqlite3 import attempt, the `with con:`/cursor
    # setup that precedes each cur.execute(), and some blank lines are not
    # visible in this listing — verify against the full file.
    check_hlr_auc_gw_support()
    # (import guard not visible)
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds the `params` fixture name to the AP configuration.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the RADIUS server instance that uses the SQLite user DB.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")
    # Dropping the reauth row forces full auth (pseudonym still present).
    logger.info("AKA' full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    # Dropping both rows forces full auth with the permanent identity.
    logger.info("AKA' full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    logger.info("AKA' reauth with mismatching k_aut")
    cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Push the counter past the server's reauth limit.
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side: the first configured AKM must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the inner password in the clear inside the TLS tunnel, so
    # the ca_cert check on the outer TLS server is what protects it.
    ttls = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X (EAP) AKM suite selector.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # On top of chain validation against ca_cert, the server certificate's
    # subject DN and subjectAltName entries are checked against these
    # values; the connection must still succeed with both configured.
    cert_matchers = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_matchers)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    # Two negative cases: a known user with the wrong password, and a
    # username that does not exist on the server; both must be rejected.
    # NOTE(review): the closing arguments of both eap_connect() calls (the
    # expectation flags) are not visible in this listing — verify against
    # the full file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    # (call continues — not visible)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    # (call continues — not visible)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based, which a FIPS-mode build does not provide.
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate this time (the PAP test uses the PEM form).
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based, which a FIPS-mode build does not provide.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the plain CHAP case, plus a subjectAltName check on the
    # server certificate (entry order differs from the PAP variant on
    # purpose, so matching must not depend on list position).
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    # Two negative cases: a known user with the wrong password, and a
    # username that does not exist on the server; both must be rejected.
    # NOTE(review): the closing arguments of both eap_connect() calls (the
    # expectation flags) are not visible in this listing — verify against
    # the full file.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    # (call continues — not visible)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    # (call continues — not visible)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: inner MSCHAP with the server name pinned via domain_suffix_match.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second connection variant.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # [listing gap: the closing argument line of this call is not captured here]
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Third variant: password supplied in the hash:<hex> form instead of cleartext.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)  # hapd is not used afterwards
    # Three negative cases on three stations: wrong password, identity not
    # provisioned for this method (presumably), and unknown identity.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # [listing gap: the closing argument line of this call is not captured here]
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # [listing gap: the closing argument line of this call is not captured here]
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                # [listing gap: the closing argument line of this call is not captured here]
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    sta = dev[0]
    check_domain_suffix_match(sta)
    check_eap_capa(sta, "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Escaped backslash: identical bytes to the literal "DOMAIN\mschapv2 user".
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(sta, apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(sta, ap)

    def authenticator_counters():
        # Per-STA MIB counters and EAPOL statistics as seen by hostapd.
        mib = ap.get_sta(sta.p2p_interface_addr())
        eapol = ap.get_sta(sta.p2p_interface_addr(), info="eapol")
        return mib, eapol

    mib_before, eapol_before = authenticator_counters()
    eap_reauth(sta, "TTLS")
    mib_after, eapol_after = authenticator_counters()
    # The reauthentication must be visible on the authenticator: more EAPOL
    # frames received, an EAP-Start while authenticated, and one more backend
    # success.
    if int(mib_after['dot1xAuthEapolFramesRx']) <= int(mib_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol_after['backendAuthSuccesses']) <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # Same user, password supplied in the hash:<hex> form rather than cleartext.
    eap_connect(sta, apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # phase2 strings the supplicant is expected to reject (presumably: wrong
    # case of the method name, auth= mixed with autheap=, and two auth= values).
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP" ]
    # [listing gap: the loop header that binds t to each entry of tests is not captured here]
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # The outer method must still be proposed (method=21 is EAP-TTLS) ...
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # ... but initialization must fail instead of the connection completing.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    sta = dev[0]
    # Matching a parent-domain suffix ("w1.fi") needs a TLS library with full
    # suffix-match support.
    check_domain_match_full(sta)
    skip_with_fips(sta)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Escaped backslash: identical bytes to the literal "DOMAIN\mschapv2 user".
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_suffix_match="w1.fi")
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    sta = dev[0]
    check_domain_match(sta)
    skip_with_fips(sta)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Full-name match; the mixed-case value presumably exercises
    # case-insensitive comparison of the server name.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_match="Server.w1.fi")
    # Escaped backslash: identical bytes to the literal "DOMAIN\mschapv2 user".
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Both attempts must be rejected: a near-miss password for the domain
    # user, and the plain "user" identity with its regular password.
    # Escaped backslash: identical bytes to the literal "DOMAIN\mschapv2 user".
    for sta, identity, pw in ((dev[0], "DOMAIN\\mschapv2 user", "password1"),
                              (dev[1], "user", "password")):
        eap_connect(sta, apdev[0], "TTLS", identity,
                    password=pw, expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])  # hapd is not used afterwards
    # Cleartext password containing non-ASCII characters.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # The same credential supplied in the hash:<hex> form.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Malformed password_hex values (presumably invalid UTF-8 byte sequences
    # and an over-long input); each must produce an EAP failure rather than
    # a connection.
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # autheap= selects an EAP method (GTC) inside the TTLS tunnel rather than
    # a non-EAP inner method.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(sta, apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Wrong password for a known user: the tunnelled GTC exchange must fail.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # "user-no-passwd" presumably has no password on the server side, so any
    # supplied password must be rejected.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Uses hostapd's integrated EAP server so allocation failures can be
    # injected into the server-side GTC implementation.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in method init: the whole authentication must fail
    # cleanly.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the GTC request.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [listing gap: the wait/poll loop around the check below is not captured here]
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [listing gap: the body of this branch is not captured here]
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    # EAP-MD5 is a build option; skip when the supplicant lacks it.
    check_eap_capa(sta, "MD5")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(sta, apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Wrong password for a known user must fail the tunnelled MD5 exchange.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # "user-no-passwd" presumably has no server-side password; the attempt
    # must be rejected.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    # Integrated EAP server in hostapd, so server-side allocation failures can
    # be injected.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in method init must fail the authentication cleanly.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the MD5 challenge request.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [listing gap: the wait/poll loop around the check below is not captured here]
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [listing gap: the body of this branch is not captured here]
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    # Positive case: tunnelled EAP-MSCHAPv2, data path, then reauthentication.
    eap_connect(sta, apdev[0], "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Near-miss password must be rejected.
    eap_connect(sta, apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # "user-no-passwd" presumably has no server-side password; the attempt
    # must be rejected.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server in hostapd, so server-side allocation failures can
    # be injected at each stage of the MSCHAPv2 exchange.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Failure in method init.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the challenge.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [listing gap: the wait/poll loop around the check below is not captured here]
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [listing gap: the body of this branch is not captured here]
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the Success Request (correct password).
    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [listing gap: the wait/poll loop around the check below is not captured here]
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [listing gap: the body of this branch is not captured here]
        dev[0].request("REMOVE_NETWORK all")

    # Failure while building the Failure Request; a wrong password is used so
    # that code path is reached.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # [listing gap: the wait/poll loop around the check below is not captured here]
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            # [listing gap: the body of this branch is not captured here]
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Permanent AKA identity; the password carries the colon-separated
    # Ki:OPc:SQN material, presumably consumed by the test HLR/AuC simulator —
    # verify against the authentication server setup.
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Same AKA credentials as the TTLS variant, tunnelled inside PEAP.
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    imsi = "0232010000000000"
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 requests authenticated PAC provisioning; the PAC is
    # kept in a config blob rather than a file.
    fast_conf = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka",
                     ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=aka_secret, **fast_conf)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    tls_conf = dict(ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Baseline connection, data path and reauthentication.
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password", **tls_conf)
    hwsim_utils.test_connectivity(sta, ap)
    eap_reauth(sta, "PEAP")

    # Same credentials with a small EAP fragment size to exercise
    # fragmentation of the TLS records.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                fragment_size="200", **tls_conf)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tls_conf)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                expect_failure=True, **tls_conf)
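def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity is DOMAIN\user3 (one backslash). The backslash is escaped
    # here because "\u" starts a unicode escape in Python 3 string literals
    # and the unescaped form only worked by accident under Python 2 byte
    # strings; the resulting value is byte-identical.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")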
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Wrong password for a known user: the inner MSCHAPv2 must be rejected.
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # crypto_binding=2 makes the PEAPv0 cryptobinding TLV mandatory on the
    # supplicant side; verify connectivity and reauthentication in that mode.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The other two supplicant settings (1 = optional, 0 = disabled) must also
    # still authenticate against the same server.
    for sta, binding in ((dev[1], "1"), (dev[2], "0")):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=" + binding, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure can be injected on the
    # server side.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # The server cannot derive the inner-method key used for cryptobinding;
    # with crypto_binding=2 the supplicant must treat that as a failure.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 with PEAPv0 is expected to derive keys the server does not
    # accept, so this attempt must fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # [listing gap: one argument line of this call is not captured here]
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # [listing gap: the condition guarding the raise below is not captured here]
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # peap_outer_success=1 and =2 are both expected to complete.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP success is reported but no connection may
    # follow within one second.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # [listing gap: one argument line of this call is not captured here]
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # [listing gap: the condition guarding the raise below is not captured here]
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # [listing gap: the condition guarding the raise below is not captured here]
        raise Exception("Unexpected connection")

    # Anonymous identities that presumably select the server's PEAP version
    # ("peap-ver0"/"peap-ver1"); these pairings are expected to connect.
    tests = [ ("peap-ver0", ""),
              # [listing gap: one list entry is not captured here]
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       # [listing gap: the closing argument line of this call is not captured here]
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatched version expectations must end in EAP-Failure.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Outer PEAP validates the server with ca_cert; the inner EAP-TLS uses the
    # *2 variants of the certificate parameters for the client credential.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Mutual certificate authentication with an unencrypted PEM private key.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Encrypted PKCS #8 key (PKCS #5 v2 / DES3), unlocked with private_key_passwd.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Legacy PKCS #5 v1.5 encryption of the PKCS #8 key must still load.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
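def _set_pem_blob(sta, name, path):
    """Load the PEM file at *path* into the wpa_supplicant config blob *name*.

    The blob contents are passed hex-encoded over the control interface.
    Raises Exception naming the blob when the SET command is not accepted.
    """
    data = read_pem(path)
    if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set " + name + " blob")

def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # CA certificate, client certificate and private key are provided as
    # config blobs instead of files; the network block references them via
    # blob://<name>. Each blob's error message now names the blob that
    # failed (the original reported "cacert" for a failed userkey blob).
    for name, path in (("cacert", "auth_serv/ca.pem"),
                       ("usercert", "auth_serv/user.pem"),
                       ("userkey", "auth_serv/user.rsa-key")):
        _set_pem_blob(dev[0], name, path)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")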
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Client certificate and key both come from the PKCS#12 bundle, so no
    # client_cert parameter is needed.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Without private_key_passwd the supplicant must ask for the passphrase
    # over the control interface and accept it via CTRL-RSP-PASSPHRASE.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # [listing gap: the condition guarding the raise below is not captured here]
        raise Exception("Request for private key passphrase timed out")
    # Network id is the last '-'-separated field before the ':' in the
    # request; note this shadows the builtin id().
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # [listing gap: original line(s) not captured in this listing]
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    # [listing gap: the private_key argument line of this call is not captured here]
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    sta = dev[0]
    check_pkcs12_support(sta)
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # CA certificate as a hex-encoded config blob.
    ca_pem = read_pem("auth_serv/ca.pem")
    reply = sta.request("SET blob cacert " + ca_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")
    # PKCS#12 bundle (binary) loaded the same way.
    with open("auth_serv/user.pkcs12", "rb") as bundle:
        reply = sta.request("SET blob pkcs12 " + bundle.read().encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A CA that did not issue the server certificate, once as a config blob
    # (dev[0]) and once as a file (dev[1]). Both stations must refuse the
    # server and never reach CONNECTED.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # NOTE: the loop variable rebinds the dev parameter; dev[0]/dev[1] are
    # evaluated once for the tuple before the rebinding takes effect.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Expected order: certificate error, then EAP failure, then
        # disconnection, then the network block gets temporarily disabled.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        # [listing gap: the condition guarding the raise below is not captured here]
            raise Exception("Network block disabling not reported")
1576 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1577 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1578 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1579 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1580 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1581 identity="pap user", anonymous_identity="ttls",
1582 password="password", phase2="auth=PAP",
1583 ca_cert="auth_serv/ca.pem",
1584 wait_connect=True, scan_freq="2412")
1585 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1586 identity="pap user", anonymous_identity="ttls",
1587 password="password", phase2="auth=PAP",
1588 ca_cert="auth_serv/ca-incorrect.pem",
1589 only_add_network=True, scan_freq="2412")
1591 dev[0].request("DISCONNECT")
1592 dev[0].wait_disconnected()
1593 dev[0].dump_monitor()
1594 dev[0].select_network(id, freq="2412")
1596 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1598 raise Exception("EAP-TTLS not re-started")
1600 ev = dev[0].wait_disconnected(timeout=15)
1601 if "reason=23" not in ev:
1602 raise Exception("Proper reason code for disconnection not reported")
1604 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1605 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1606 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1607 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1608 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1609 identity="pap user", anonymous_identity="ttls",
1610 password="password", phase2="auth=PAP",
1611 wait_connect=True, scan_freq="2412")
1612 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1613 identity="pap user", anonymous_identity="ttls",
1614 password="password", phase2="auth=PAP",
1615 ca_cert="auth_serv/ca-incorrect.pem",
1616 only_add_network=True, scan_freq="2412")
1618 dev[0].request("DISCONNECT")
1619 dev[0].wait_disconnected()
1620 dev[0].dump_monitor()
1621 dev[0].select_network(id, freq="2412")
1623 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1625 raise Exception("EAP-TTLS not re-started")
1627 ev = dev[0].wait_disconnected(timeout=15)
1628 if "reason=23" not in ev:
1629 raise Exception("Proper reason code for disconnection not reported")
1631 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1632 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1633 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1634 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1635 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1636 identity="pap user", anonymous_identity="ttls",
1637 password="password", phase2="auth=PAP",
1638 ca_cert="auth_serv/ca.pem",
1639 wait_connect=True, scan_freq="2412")
1640 dev[0].request("DISCONNECT")
1641 dev[0].wait_disconnected()
1642 dev[0].dump_monitor()
1643 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1644 dev[0].select_network(id, freq="2412")
1646 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1648 raise Exception("EAP-TTLS not re-started")
1650 ev = dev[0].wait_disconnected(timeout=15)
1651 if "reason=23" not in ev:
1652 raise Exception("Proper reason code for disconnection not reported")
1654 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1655 """WPA2-Enterprise negative test - domain suffix mismatch"""
1656 check_domain_suffix_match(dev[0])
1657 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1658 hostapd.add_ap(apdev[0]['ifname'], params)
1659 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1660 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1661 password="password", phase2="auth=MSCHAPV2",
1662 ca_cert="auth_serv/ca.pem",
1663 domain_suffix_match="incorrect.example.com",
1664 wait_connect=False, scan_freq="2412")
1666 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1668 raise Exception("Association and EAP start timed out")
1670 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1672 raise Exception("EAP method selection timed out")
1673 if "TTLS" not in ev:
1674 raise Exception("Unexpected EAP method")
1676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1677 "CTRL-EVENT-EAP-SUCCESS",
1678 "CTRL-EVENT-EAP-FAILURE",
1679 "CTRL-EVENT-CONNECTED",
1680 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1682 raise Exception("EAP result timed out")
1683 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1684 raise Exception("TLS certificate error not reported")
1685 if "Domain suffix mismatch" not in ev:
1686 raise Exception("Domain suffix mismatch not reported")
1688 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1689 "CTRL-EVENT-EAP-FAILURE",
1690 "CTRL-EVENT-CONNECTED",
1691 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1693 raise Exception("EAP result(2) timed out")
1694 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1695 raise Exception("EAP failure not reported")
1697 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1698 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1700 raise Exception("EAP result(3) timed out")
1701 if "CTRL-EVENT-DISCONNECTED" not in ev:
1702 raise Exception("Disconnection not reported")
1704 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1706 raise Exception("Network block disabling not reported")
1708 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1709 """WPA2-Enterprise negative test - domain mismatch"""
1710 check_domain_match(dev[0])
1711 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1712 hostapd.add_ap(apdev[0]['ifname'], params)
1713 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1714 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1715 password="password", phase2="auth=MSCHAPV2",
1716 ca_cert="auth_serv/ca.pem",
1717 domain_match="w1.fi",
1718 wait_connect=False, scan_freq="2412")
1720 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1722 raise Exception("Association and EAP start timed out")
1724 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1726 raise Exception("EAP method selection timed out")
1727 if "TTLS" not in ev:
1728 raise Exception("Unexpected EAP method")
1730 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1731 "CTRL-EVENT-EAP-SUCCESS",
1732 "CTRL-EVENT-EAP-FAILURE",
1733 "CTRL-EVENT-CONNECTED",
1734 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1736 raise Exception("EAP result timed out")
1737 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1738 raise Exception("TLS certificate error not reported")
1739 if "Domain mismatch" not in ev:
1740 raise Exception("Domain mismatch not reported")
1742 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1743 "CTRL-EVENT-EAP-FAILURE",
1744 "CTRL-EVENT-CONNECTED",
1745 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1747 raise Exception("EAP result(2) timed out")
1748 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1749 raise Exception("EAP failure not reported")
1751 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1752 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1754 raise Exception("EAP result(3) timed out")
1755 if "CTRL-EVENT-DISCONNECTED" not in ev:
1756 raise Exception("Disconnection not reported")
1758 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1760 raise Exception("Network block disabling not reported")
1762 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1763 """WPA2-Enterprise negative test - subject mismatch"""
1764 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1765 hostapd.add_ap(apdev[0]['ifname'], params)
1766 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1767 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1768 password="password", phase2="auth=MSCHAPV2",
1769 ca_cert="auth_serv/ca.pem",
1770 subject_match="/C=FI/O=w1.fi/CN=example.com",
1771 wait_connect=False, scan_freq="2412")
1773 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1775 raise Exception("Association and EAP start timed out")
1777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1778 "EAP: Failed to initialize EAP method"], timeout=10)
1780 raise Exception("EAP method selection timed out")
1781 if "EAP: Failed to initialize EAP method" in ev:
1782 tls = dev[0].request("GET tls_library")
1783 if tls.startswith("OpenSSL"):
1784 raise Exception("Failed to select EAP method")
1785 logger.info("subject_match not supported - connection failed, so test succeeded")
1787 if "TTLS" not in ev:
1788 raise Exception("Unexpected EAP method")
1790 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1791 "CTRL-EVENT-EAP-SUCCESS",
1792 "CTRL-EVENT-EAP-FAILURE",
1793 "CTRL-EVENT-CONNECTED",
1794 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1796 raise Exception("EAP result timed out")
1797 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1798 raise Exception("TLS certificate error not reported")
1799 if "Subject mismatch" not in ev:
1800 raise Exception("Subject mismatch not reported")
1802 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1803 "CTRL-EVENT-EAP-FAILURE",
1804 "CTRL-EVENT-CONNECTED",
1805 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1807 raise Exception("EAP result(2) timed out")
1808 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1809 raise Exception("EAP failure not reported")
1811 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1812 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1814 raise Exception("EAP result(3) timed out")
1815 if "CTRL-EVENT-DISCONNECTED" not in ev:
1816 raise Exception("Disconnection not reported")
1818 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1820 raise Exception("Network block disabling not reported")
1822 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1823 """WPA2-Enterprise negative test - altsubject mismatch"""
1824 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1825 hostapd.add_ap(apdev[0]['ifname'], params)
1827 tests = [ "incorrect.example.com",
1828 "DNS:incorrect.example.com",
1832 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1834 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1835 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1836 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1837 password="password", phase2="auth=MSCHAPV2",
1838 ca_cert="auth_serv/ca.pem",
1839 altsubject_match=match,
1840 wait_connect=False, scan_freq="2412")
1842 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1844 raise Exception("Association and EAP start timed out")
1846 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1847 "EAP: Failed to initialize EAP method"], timeout=10)
1849 raise Exception("EAP method selection timed out")
1850 if "EAP: Failed to initialize EAP method" in ev:
1851 tls = dev[0].request("GET tls_library")
1852 if tls.startswith("OpenSSL"):
1853 raise Exception("Failed to select EAP method")
1854 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1856 if "TTLS" not in ev:
1857 raise Exception("Unexpected EAP method")
1859 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1860 "CTRL-EVENT-EAP-SUCCESS",
1861 "CTRL-EVENT-EAP-FAILURE",
1862 "CTRL-EVENT-CONNECTED",
1863 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1865 raise Exception("EAP result timed out")
1866 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1867 raise Exception("TLS certificate error not reported")
1868 if "AltSubject mismatch" not in ev:
1869 raise Exception("altsubject mismatch not reported")
1871 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1872 "CTRL-EVENT-EAP-FAILURE",
1873 "CTRL-EVENT-CONNECTED",
1874 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1876 raise Exception("EAP result(2) timed out")
1877 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1878 raise Exception("EAP failure not reported")
1880 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1881 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1883 raise Exception("EAP result(3) timed out")
1884 if "CTRL-EVENT-DISCONNECTED" not in ev:
1885 raise Exception("Disconnection not reported")
1887 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1889 raise Exception("Network block disabling not reported")
1891 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Only ca_cert is configured on the station: the server certificate is
    # expected to be validated against auth_serv/ca.pem while no client
    # certificate or private key is supplied for this method.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Exercise re-authentication on the established association as well.
    eap_reauth(dev[0], "UNAUTH-TLS")
1901 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1902 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1903 check_cert_probe_support(dev[0])
1904 skip_with_fips(dev[0])
1905 srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1906 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1907 hostapd.add_ap(apdev[0]['ifname'], params)
1908 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1909 identity="probe", ca_cert="probe://",
1910 wait_connect=False, scan_freq="2412")
1911 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1913 raise Exception("Association and EAP start timed out")
1914 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1916 raise Exception("No peer server certificate event seen")
1917 if "hash=" + srv_cert_hash not in ev:
1918 raise Exception("Expected server certificate hash not reported")
1919 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1921 raise Exception("EAP result timed out")
1922 if "Server certificate chain probe" not in ev:
1923 raise Exception("Server certificate probe not reported")
1924 dev[0].wait_disconnected(timeout=10)
1925 dev[0].request("REMOVE_NETWORK all")
1927 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1928 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1929 password="password", phase2="auth=MSCHAPV2",
1930 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1931 wait_connect=False, scan_freq="2412")
1932 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1934 raise Exception("Association and EAP start timed out")
1935 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1937 raise Exception("EAP result timed out")
1938 if "Server certificate mismatch" not in ev:
1939 raise Exception("Server certificate mismatch not reported")
1940 dev[0].wait_disconnected(timeout=10)
1941 dev[0].request("REMOVE_NETWORK all")
1943 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1944 anonymous_identity="ttls", password="password",
1945 ca_cert="hash://server/sha256/" + srv_cert_hash,
1946 phase2="auth=MSCHAPV2")
1948 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1949 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1950 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1951 hostapd.add_ap(apdev[0]['ifname'], params)
1952 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1953 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1954 password="password", phase2="auth=MSCHAPV2",
1955 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1956 wait_connect=False, scan_freq="2412")
1957 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1958 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1959 password="password", phase2="auth=MSCHAPV2",
1960 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1961 wait_connect=False, scan_freq="2412")
1962 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1963 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1964 password="password", phase2="auth=MSCHAPV2",
1965 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1966 wait_connect=False, scan_freq="2412")
1967 for i in range(0, 3):
1968 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1970 raise Exception("Association and EAP start timed out")
1971 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1973 raise Exception("Did not report EAP method initialization failure")
1975 def test_ap_wpa2_eap_pwd(dev, apdev):
1976 """WPA2-Enterprise connection using EAP-pwd"""
1977 check_eap_capa(dev[0], "PWD")
1978 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1979 hostapd.add_ap(apdev[0]['ifname'], params)
1980 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1981 eap_reauth(dev[0], "PWD")
1982 dev[0].request("REMOVE_NETWORK all")
1984 eap_connect(dev[1], apdev[0], "PWD",
1985 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1986 password="secret password",
1989 logger.info("Negative test with incorrect password")
1990 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1991 expect_failure=True, local_error_report=True)
1993 eap_connect(dev[0], apdev[0], "PWD",
1994 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1995 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    # The hash-based credential form is not exercised under FIPS builds.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The same user ("pwd-hash") is authenticated two ways: with the plaintext
    # password and with the pre-computed hash passed as password_hex="hash:...".
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
                password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
    # Negative case: the same hash presented for a different identity
    # ("pwd user") must be rejected; the failure is reported locally.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user",
                password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
                expect_failure=True, local_error_report=True)
2011 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2012 """WPA2-Enterprise connection using various EAP-pwd groups"""
2013 check_eap_capa(dev[0], "PWD")
2014 tls = dev[0].request("GET tls_library")
2015 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2016 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2017 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2018 groups = [ 19, 20, 21, 25, 26 ]
2019 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2020 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2021 groups += [ 27, 28, 29, 30 ]
2023 logger.info("Group %d" % i)
2024 params['pwd_group'] = str(i)
2025 hostapd.add_ap(apdev[0]['ifname'], params)
2027 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2028 password="secret password")
2029 dev[0].request("REMOVE_NETWORK all")
2030 dev[0].wait_disconnected()
2031 dev[0].dump_monitor()
2033 if "BoringSSL" in tls and i in [ 25 ]:
2034 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2035 dev[0].request("DISCONNECT")
2037 dev[0].request("REMOVE_NETWORK all")
2038 dev[0].dump_monitor()
2042 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2043 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2044 check_eap_capa(dev[0], "PWD")
2045 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2046 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2047 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2048 params['pwd_group'] = "0"
2049 hostapd.add_ap(apdev[0]['ifname'], params)
2050 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2051 identity="pwd user", password="secret password",
2052 scan_freq="2412", wait_connect=False)
2053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2055 raise Exception("Timeout on EAP failure report")
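def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is spelled out explicitly instead of using
    # hostapd.wpa2_eap_params() so that the authentication server is told to
    # fragment EAP-pwd messages (fragment_size=40) for group 19.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")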
2068 def test_ap_wpa2_eap_gpsk(dev, apdev):
2069 """WPA2-Enterprise connection using EAP-GPSK"""
2070 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2071 hostapd.add_ap(apdev[0]['ifname'], params)
2072 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2073 password="abcdefghijklmnop0123456789abcdef")
2074 eap_reauth(dev[0], "GPSK")
2076 logger.info("Test forced algorithm selection")
2077 for phase1 in [ "cipher=1", "cipher=2" ]:
2078 dev[0].set_network_quoted(id, "phase1", phase1)
2079 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2081 raise Exception("EAP success timed out")
2082 dev[0].wait_connected(timeout=10)
2084 logger.info("Test failed algorithm negotiation")
2085 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2086 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2088 raise Exception("EAP failure timed out")
2090 logger.info("Negative test with incorrect password")
2091 dev[0].request("REMOVE_NETWORK all")
2092 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2093 password="ffcdefghijklmnop0123456789abcdef",
2094 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-SAKE credential is a raw 32-byte key given in hex.
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    # Negative case: the key differs from the provisioned one only in the
    # first byte, which must still be enough for the server to reject it.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
2110 def test_ap_wpa2_eap_eke(dev, apdev):
2111 """WPA2-Enterprise connection using EAP-EKE"""
2112 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2113 hostapd.add_ap(apdev[0]['ifname'], params)
2114 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2115 eap_reauth(dev[0], "EKE")
2117 logger.info("Test forced algorithm selection")
2118 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2119 "dhgroup=4 encr=1 prf=2 mac=2",
2120 "dhgroup=3 encr=1 prf=2 mac=2",
2121 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2122 dev[0].set_network_quoted(id, "phase1", phase1)
2123 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2125 raise Exception("EAP success timed out")
2126 dev[0].wait_connected(timeout=10)
2128 logger.info("Test failed algorithm negotiation")
2129 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2130 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2132 raise Exception("EAP failure timed out")
2134 logger.info("Negative test with incorrect password")
2135 dev[0].request("REMOVE_NETWORK all")
2136 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2137 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    params = int_eap_server_params()
    # The server identity is configured in NAI (user@realm) form; the
    # connection is expected to succeed with this server_id value.
    params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2146 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2147 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2148 params = int_eap_server_params()
2149 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2150 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2152 for count,func in [ (1, "eap_eke_build_commit"),
2153 (2, "eap_eke_build_commit"),
2154 (3, "eap_eke_build_commit"),
2155 (1, "eap_eke_build_confirm"),
2156 (2, "eap_eke_build_confirm"),
2157 (1, "eap_eke_process_commit"),
2158 (2, "eap_eke_process_commit"),
2159 (1, "eap_eke_process_confirm"),
2160 (1, "eap_eke_process_identity"),
2161 (2, "eap_eke_process_identity"),
2162 (3, "eap_eke_process_identity"),
2163 (4, "eap_eke_process_identity") ]:
2164 with alloc_fail(hapd, count, func):
2165 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2166 expect_failure=True)
2167 dev[0].request("REMOVE_NETWORK all")
2169 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2170 (1, "eap_eke_get_session_id", "hello"),
2171 (1, "eap_eke_getKey", "hello"),
2172 (1, "eap_eke_build_msg", "hello"),
2173 (1, "eap_eke_build_failure", "wrong"),
2174 (1, "eap_eke_build_identity", "hello"),
2175 (2, "eap_eke_build_identity", "hello") ]:
2176 with alloc_fail(hapd, count, func):
2177 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2178 eap="EKE", identity="eke user", password=pw,
2179 wait_connect=False, scan_freq="2412")
2180 # This would eventually time out, but we can stop after having
2181 # reached the allocation failure.
2184 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2186 dev[0].request("REMOVE_NETWORK all")
2188 for count in range(1, 1000):
2190 with alloc_fail(hapd, count, "eap_server_sm_step"):
2191 dev[0].connect("test-wpa2-eap",
2192 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2193 eap="EKE", identity="eke user", password=pw,
2194 wait_connect=False, scan_freq="2412")
2195 # This would eventually time out, but we can stop after having
2196 # reached the allocation failure.
2199 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2201 dev[0].request("REMOVE_NETWORK all")
2202 except Exception, e:
2203 if str(e) == "Allocation failure did not trigger":
2205 raise Exception("Too few allocation failures")
2206 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # Second pass with station-side fragmentation of the EAP-IKEv2 messages.
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    # Negative case: "ike-password" differs from the provisioned password
    # by a single character and must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
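def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is spelled out explicitly instead of using
    # hostapd.wpa2_eap_params() so that the authentication server is told to
    # fragment EAP-IKEv2 messages (fragment_size=50).
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    # Re-authentication over the fragmented server configuration as well.
    eap_reauth(dev[0], "IKEV2")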
2240 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2241 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2242 check_eap_capa(dev[0], "IKEV2")
2243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2244 hostapd.add_ap(apdev[0]['ifname'], params)
2246 tests = [ (1, "dh_init"),
2248 (1, "dh_derive_shared") ]
2249 for count, func in tests:
2250 with alloc_fail(dev[0], count, func):
2251 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2252 identity="ikev2 user", password="ike password",
2253 wait_connect=False, scan_freq="2412")
2254 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2256 raise Exception("EAP method not selected")
2258 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2261 dev[0].request("REMOVE_NETWORK all")
2263 tests = [ (1, "os_get_random;dh_init") ]
2264 for count, func in tests:
2265 with fail_test(dev[0], count, func):
2266 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2267 identity="ikev2 user", password="ike password",
2268 wait_connect=False, scan_freq="2412")
2269 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2271 raise Exception("EAP method not selected")
2273 if "0:" in dev[0].request("GET_FAIL"):
2276 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-PAX credential is a raw 16-byte key given in hex.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    # Negative case: the key differs from the provisioned one only in the
    # first byte and must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Run this method over the SHA-256 AKM with management frame protection
    # required (ieee80211w=2) rather than the default WPA-EAP AKM.
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # Both the requested and the selected AKM suite must be 00-0f-ac-5
    # (the SHA-256 802.1X suite), i.e. no downgrade to the plain suite.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    # The scan result for this AP must advertise the SHA-256 AKM as well.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # Negative case: the key differs from the provisioned one only in the
    # first byte and must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Not run on FIPS builds (see skip_with_fips).
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (count, function chain) pairs for alloc_fail(): presumably the count-th
    # allocation inside the named EAP-PSK crypto helper is made to fail, so
    # the method must abort cleanly instead of continuing with a
    # half-initialised cipher state.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the condition guarding this raise is missing from
            # this listing.
                raise Exception("EAP method not selected")
            # NOTE(review): the body of this condition (and any polling loop
            # around it) is missing from this listing.  "0:" in GET_ALLOC_FAIL
            # presumably indicates the injected failure has been consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # A failing AES block encryption must surface as an explicit EAP failure
    # rather than a hang or a successful association.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the condition guarding this raise is missing from this
        # listing.
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (v1) rather than WPA2: the MIB checks below expect the WPA vendor
    # OUI 00-50-f2 with AKM suite 1 (802.1X), not an RSN suite.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    # portControl=Auto: the 802.1X controlled port follows the EAP outcome
    # instead of being forced open or closed.
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    # The EAP Session-Id begins with the method type code; 0x19 == 25 is the
    # EAP-PEAP type.
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Rows: (description, EAP method, anonymous_identity, identity, phase2,
    #        identity to answer CTRL-REQ-IDENTITY with, password/OTP to answer
    #        CTRL-REQ-PASSWORD/OTP with).  The password is deliberately left
    # out of the network block so that the supplicant has to ask for it.
    # NOTE(review): "\m" is not a valid escape; a raw string
    # (r"DOMAIN\mschapv2 user") would avoid the invalid-escape warning newer
    # Python versions emit.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               # NOTE(review): the rest of this row is missing from this
               # listing.
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): a line is missing from this listing here (desc is
        # otherwise unused).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): req_id is None for most rows, which would break the
        # string concatenation below; the guard that skips the identity
        # exchange for those rows is missing from this listing.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): the condition guarding this raise is missing.
            raise Exception("Request for identity timed out")
        # Requests look like CTRL-REQ-<field>-<id>:<text>; the id has to be
        # echoed back in the response.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): the condition guarding this raise is missing.
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # Some inner methods ask for a one-time password instead of a static
        # one; answer whichever field was requested.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second (open) network that is only added, not enabled; it is enabled
    # later while the EAP connection is up and must not cause a reconnect.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # identity=None forces an interactive CTRL-REQ-IDENTITY round trip.
    req_id = "DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing; unlike the timeout checks above it must fire when the event
    # *is* seen, since a new authentication attempt is the failure here.
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # Exercises hostap's own EAP-VENDOR-TEST method; it is a test-only method
    # and is not expected to work against any production RADIUS server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                # NOTE(review): the remaining arguments and the closing
                # parenthesis are missing from this listing.
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects the unauthenticated (anonymous) provisioning
    # mode; the resulting PAC is kept in a named supplicant blob.
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(sta, hapd)
    # Reauthentication has to resume the TLS session from the provisioned
    # PAC instead of performing a fresh full handshake.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # PAC files are written under the test log directory.  They contain the
    # PAC-Key (checked below), i.e. a long-lived credential, so they have to
    # be deleted again once the test is done.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    # 'params' is rebound from the framework dict to the hostapd config here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): lines are missing from this listing here.
    # Unauthenticated provisioning, text PAC format written to pac_file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the read into 'data' is missing from this listing.
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect without provisioning enabled: the PAC loaded back from the
    # file must be sufficient on its own.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                # NOTE(review): remaining arguments and closing parenthesis
                # are missing from this listing.
    # Same sequence on the second station using the binary PAC format.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                # NOTE(review): remaining arguments and closing parenthesis
                # are missing from this listing.
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
                # NOTE(review): remaining arguments and closing parenthesis
                # are missing from this listing.
    # NOTE(review): lines are missing from this listing here; as listed only
    # pac_file2 is removed, pac_file (which also holds a PAC-Key) is not.
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Anonymous provisioning into a binary-format PAC blob that may hold at
    # most one entry.
    phase1_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts,
                pac_file="blob://fast_pac_bin")
    # The stored PAC must be usable to resume the TLS session on reauth.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # A pac_file blob with no PAC in it and no fast_provisioning option:
    # EAP-FAST has nothing to authenticate with and is expected to fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same expectation with no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated provisioning (contrast the
    # anonymous mode, fast_provisioning=1, used by the unauth_prov test).
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(sta, apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(sta, hapd)
    # Reauthentication has to resume from the provisioned PAC.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Authenticated provisioning as "user"; the PAC ends up in the blob.
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity on the live network block triggers a disconnect
    # and a new EAP-FAST run as "user2"; that run is expected to end in an
    # EAP failure (presumably the stored PAC/password do not fit the new
    # identity).
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): the condition guarding this raise is missing from this
    # listing.
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The TLS PRF is wrapped per TLS backend, so the symbol to fault depends
    # on which library the supplicant was built against.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
        # NOTE(review): a line is missing from this listing here.
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        # NOTE(review): lines are missing from this listing here, including
        # the else: branch header that should own the skip below.
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): 'count' is not assigned anywhere in this listing.
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): an argument line is missing from this
                       # listing here.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # An allocation failure inside the PRF must abort the EAP exchange.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): the condition guarding this raise is missing from this
        # listing.
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")

    # Integrated EAP server with EAP-FAST enabled.  The PAC-Opaque encryption
    # key and A-ID are fixed, public test values; a real deployment must use
    # its own random, secret pac_opaque_encr_key.
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Fault the first allocation in the server's session-ticket extension
    # callback; the client must observe a clean EAP failure.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the condition guarding this raise is missing from this
        # listing.
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # With the fault injection lifted, the same network is selected again.
    dev[0].select_network(id, freq="2412")
    # NOTE(review): the listing ends here; the wait for the reconnection to
    # complete appears to be missing.
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    sta = dev[0]
    # Both OCSP and PKCS#12 client credentials must be supported by the
    # supplicant's TLS backend; otherwise the test is skipped.
    for capability_check in (check_ocsp_support, check_pkcs12_support):
        capability_check(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client certificate and key come from a password-protected PKCS#12
    # bundle; ocsp=2 demands a valid stapled OCSP response from the server.
    client_cred = dict(ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever")
    eap_connect(sta, apdev[0], "TLS", "tls user", ocsp=2, **client_cred)
2659 def int_eap_server_params():
2660 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2661 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2662 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2663 "ca_cert": "auth_serv/ca.pem",
2664 "server_cert": "auth_serv/server.pem",
2665 "private_key": "auth_serv/server.key" }
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    # Pre-generated stapled response whose responder is identified by key ID
    # rather than by name; skip when the test setup did not produce it.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # 'params' is rebound from the framework dict to the hostapd config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: a valid stapled response is required; this one must be accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    # Response signed directly by the issuing CA with status "good".
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # 'params' is rebound from the framework dict to the hostapd config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: the stapled response is mandatory; this one must be accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 requires a valid stapled response.  The chain itself verifies,
    # so only the "revoked" status can (and must) make the client abort.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status checks below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    # Either wording counts as the expected rejection.
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    if 'certificate revoked' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # The rejection has to end in an EAP failure (fail closed), not a
    # connection that merely logged a warning.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: an "unknown" certificate status is not "good" and must be
    # rejected, even though the response is properly CA-signed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A response signed by the server itself (not by the CA or a delegated
    # responder) is not an authoritative status statement; accepting it would
    # let any server vouch for its own revoked certificate.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # An OCSP *request* is stapled where a response is expected: the client's
    # parser must reject the malformed data instead of treating it as "good".
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # A corrupted copy of an otherwise valid cached response.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: a response that does not validate must abort the handshake.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the client has no trust path to; the status
    # inside it is therefore unverifiable and must not be relied upon.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same revocation check as the EAP-TLS variant, but for a TTLS tunnel
    # carrying PAP: the plaintext inner password must never be sent to a
    # server whose certificate is revoked, so the outer TLS has to abort.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status checks below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    if 'certificate revoked' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2 (required): an "unknown" status is treated as a rejection, so
    # the TTLS tunnel must not be established and the PAP password is never
    # sent.  Contrast the ocsp=1 variant, which tolerates this status.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the loop and counter surrounding the status check below
    # are missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        # NOTE(review): body missing from this listing.
    # NOTE(review): the counter this check refers to is not visible here.
        raise Exception("Unexpected number of EAP status messages")

    # Must fail closed with an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
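def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # Docstring corrected: this test uses the *unknown* status response and
    # expects the connection to succeed, unlike the ocsp=2 "revoked"/"unknown"
    # tests which expect an EAP failure.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # 'params' is rebound from the framework dict to the hostapd config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=1 is "optional": the stapled response is requested but an
    # "unknown" status does not abort the handshake, so connect() is expected
    # to complete.  Deployments that need revocation enforced must use ocsp=2;
    # with ocsp=1 a revocation check that cannot be completed is silently
    # tolerated.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")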
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # Skips TLS backends that cannot do suffix matching against the CN.
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so the name check has to
    # fall back to the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The configured value is the full host name (presumably the CN itself),
    # so this is the positive case and is expected to connect.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN: domain_match has to be
    # evaluated against the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires an exact (full) name match; positive case.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # Capability is probed on dev[0] although the connection is made from
    # dev[1]; both run the same supplicant build.
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN: the suffix is matched against
    # the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A label-aligned parent domain ("w1.fi") is a legitimate suffix match.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Unrelated domain: must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # "erver3.w1.fi" is a trailing substring of the CN but not a DNS-label
    # aligned suffix.  A naive endswith() would accept it; the supplicant
    # must not, otherwise suffix matching degrades into substring matching.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # NOTE(review): a line is missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Unrelated domain: must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # domain_match is a full-name match, so the parent domain "w1.fi" (which
    # domain_suffix_match would accept) must be rejected here.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # NOTE(review): a line is missing from this listing here.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # NOTE(review): a line is missing from this listing here.
    # The client must report the specific validation error (reason=4,
    # "certificate has expired") and then fail the EAP exchange; an expired
    # server certificate must never be silently accepted.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # tls_disable_time_checks=1 turns off validity-period checking, so the
    # expired server certificate is accepted and the connection completes.
    # This is a test-harness / no-trusted-clock knob only: in a real profile
    # it lets a leaked-but-expired server key keep impersonating the network.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate with an unusually long validity period; the
    # connection is expected to succeed (this is a positive test).
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # The server presents a certificate whose Extended Key Usage allows only
    # TLS client authentication.
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
    # NOTE(review): a line is missing from this listing here.
    # Must be rejected: if a client-only EKU were accepted for the server
    # role, any client certificate issued by the CA could impersonate the
    # authentication server.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the condition guarding this raise is missing.
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # EKU lists both client and server authentication; since the server
    # purpose is present, the certificate is acceptable and the connection is
    # expected to succeed (contrast the client-only EKU test).
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # hostapd loads both certificate and key from one PKCS#12 bundle, so the
    # separate server_cert entry is dropped.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Positive test: the connection is expected to succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the remaining arguments and the closing
                   # parenthesis are missing from this listing.
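def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    # Docstring corrected: the inner method configured below is PAP
    # (phase2="auth=PAP"), not CHAP.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The client-side dh_file supplies the DH group parameters used for the
    # TLS tunnel; the CA is given in DER form (ca.der) rather than PEM.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)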
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    sta = dev[0]
    # Skipped when the TLS backend cannot load DSA-style parameters.
    check_dh_dsa_support(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DH parameters are taken from a DSA parameter file instead of dh.conf.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(sta, apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Station side: a dh_file path that does not exist must end in
    CTRL-EVENT-EAP-FAILURE rather than an association that silently
    ignores the configured DH parameters.

    NOTE(review): a second function with this exact name is defined later
    in this file (the hostapd dh_file variant). Python keeps only the last
    definition in the module, so this test is shadowed and never collected;
    one of the two needs a distinct name.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard condition preceding this raise is not shown
    # in this excerpt.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Station side: dh_file points at a CA certificate instead of DH
    parameters; the EAP exchange must fail instead of proceeding with
    whatever the TLS library made of the bad file.

    NOTE(review): a later function in this file reuses this exact name
    (hostapd dh_file variant), so this definition is shadowed and never
    collected.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard condition preceding this raise is not shown
    # in this excerpt.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DH params from a blob

    The DH parameter file is pushed into wpa_supplicant as a named blob
    (hex encoded over the control interface) and referenced with the
    blob:// scheme instead of a filesystem path.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_pem = read_pem("auth_serv/dh2.conf")
    res = dev[0].request("SET blob dhparams " + dh_pem.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    hostapd's integrated EAP server is pointed at a non-default DH
    parameter file; the station uses its defaults.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server-side counterpart of the DSA dh_file test: hostapd loads DSA
    parameters for the TLS handshake.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd must refuse to ENABLE an interface whose dh_file does not
    exist instead of coming up without the configured DH parameters.

    NOTE(review): this name duplicates the station-side test defined
    earlier in this file; only this later definition survives at module
    level, so the earlier one is never run. One of them should be renamed.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add without enabling so the configuration error surfaces on ENABLE.
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    dh_file is pointed at a CA certificate; hostapd must reject the
    configuration at ENABLE rather than start with unusable parameters.

    NOTE(review): this name duplicates the station-side test defined
    earlier in this file; the earlier definition is shadowed and never run.
    """
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/ca.pem"
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period is set to 2 (seconds, per hostapd.conf) so hostapd
    starts a new EAP exchange shortly after the first one; the station must
    complete it and return to wpa_state COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): the guard conditions before the two raises below and
    # the remainder of the polling loop body are not shown in this excerpt.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("Timeout on reauthentication")
    # EAP success precedes the key handshake; poll for the final state.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message is a displayable string plus attribute hints
    after a "\\0" separator; the station must still authenticate normally
    with the extra payload in EAP-Request/Identity.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf['eap_message'] = ('hello\\0networkid=netw,nasid=foo,portid=0,'
                              'NAIRealms=example.com')
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The server enables eap_sim_aka_result_ind. For each of EAP-SIM,
    EAP-AKA and EAP-AKA', dev[0] requests protected result indications
    (phase1 result_ind=1) and then re-authenticates, while dev[1]
    authenticates against the same server without requesting them.
    """
    check_hlr_auc_gw_support()
    ap_conf = int_eap_server_params()
    ap_conf['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_conf['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    # (method, identity, password) -- the password carries the test SIM
    # secrets in wpa_supplicant's EAP-SIM/AKA format (Ki:OPc, plus the SQN
    # field for the AKA variants).
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles before the next round.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    The station is configured (remaining kwargs not shown in this excerpt)
    so the exchange never converges; wpa_supplicant must give up with its
    "EAP: more than" roundtrip-limit message instead of looping forever.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ieee80211w=1 with WPA-EAP-SHA256 offered: PMF-capable, not required.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): the guard condition preceding this raise is not shown
    # in this excerpt.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity presumably maps to a vendor-specific
    (expanded) EAP type on the server that the station does not offer, so
    the station has to answer with an expanded NAK; the test waits for the
    "refuse proposed method" status and then for the final EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the tail of this connect() call, the loop's break and
    # the "ev is None" guards are not shown in this excerpt.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # A handful of status events may precede the NAK; bounded loop.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throwaway SQLite user database in the log directory and points
    hostapd's eap_user_file at it with the sqlite: prefix. Each TTLS inner
    method (PAP, CHAP, MSCHAP, MSCHAPv2) gets its own user row with
    phase2=1; the empty-identity wildcard row lists the phase-1 methods.

    NOTE(review): the sqlite3 import guard, database setup/commit lines and
    teardown are not shown in this excerpt.
    """
    skip_with_fips(dev[0])
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Fixture data only: all SQL below is built from constants, so string
    # SQL is acceptable here (no untrusted input reaches these statements).
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    # hostapd presumably records authentication events here (schema only).
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Robustness check against hostapd's integrated EAP server: identities
    containing a lone 0x80 byte (not valid UTF-8) must still get an EAP
    start and a method selection, i.e. the server must neither crash nor
    stall on them. Success of the authentication itself is not required.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    # NOTE(review): the "ev is None" guards before the raises are not shown
    # in this excerpt.
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same non-UTF-8 identity check as test_ap_wpa2_eap_non_ascii_identity,
    but against the default wpa2_eap_params() AP setup (RADIUS-backed)
    instead of the integrated EAP server configuration.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    # NOTE(review): the "ev is None" guards before the raises are not shown
    # in this excerpt.
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three stations exercise the per-network openssl_ciphers option:
    "AES128" must work, the deliberately weak "EXPORT" set must be refused
    (either by the server or locally, hence maybe_local_error), and the
    unparsable "FOO" must produce an EAP failure rather than falling back
    to the default cipher list.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Export-grade suites are weak by design; the handshake must not
    # succeed with them.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # NOTE(review): the tail of this connect() call and the "ev is None"
    # guard before the raise are not shown in this excerpt.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    hostapd is restricted to AES-256 suites. A station with defaults and one
    limited to "HIGH:!ADH" still overlap with that set and must connect; a
    station limited to AES-128 has no common suite and must fail. Finally an
    unparsable openssl_ciphers value must be rejected when the second AP is
    enabled.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_conf = int_eap_server_params()
    ap_conf['openssl_ciphers'] = "AES256"
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ap_tls = ap.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # Configuration error path: an invalid cipher string must fail ENABLE.
    ap_conf['openssl_ciphers'] = "FOO"
    ap2 = hostapd.add_ap(apdev[1]['ifname'], ap_conf, no_enable=True)
    if "FAIL" not in ap2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Reads wpa_supplicant's process memory at several points in the
    connection lifecycle and checks that secrets are cleared when they are
    no longer needed: KCK/KEK/TK/GTK must be gone after disassociation, the
    PMK after the PMKSA cache and EAP fast-reauth state are flushed, and
    the password, MSK and EMSK after the network profile is removed.

    NOTE(review): several lines of this function are not shown in this
    excerpt (the KCK/KEK/TK derivation from ptk, the guard conditions before
    the raises, the initial msk/emsk/pmk/ptk/gtk = None assignments and
    blank lines); the code below is the visible subset only.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, unique password so that searching memory for its bytes is
    # presumably free of accidental matches.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the derived keys from the supplicant debug log; each hexdump
    # line is "<prefix>: <name> - hexdump(len=N): <bytes>", so field 3 of
    # the ':' split is the hex payload.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    raise Exception("Unexpected GTK length")
    # Base name for memory dumps written by verify_not_present on failure.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password/PMK missing here means the memory snapshot is unusable on
    # this platform, hence a skip rather than a failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    # TK and GTK live in the driver/kernel; a copy in userspace is a leak.
    raise Exception("TK found from memory")
    get_key_locations(buf, gtk, "GTK")
    raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Flush the PMKSA cache; changing the identity presumably invalidates the
    # cached EAP fast re-auth state as well, after which the PMK must be gone.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # With the profile gone nothing derived from the credential may remain.
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal WPA2-Enterprise connection, a legacy EAPOL-Key frame
    (EAPOL type 3, key descriptor type 1 -- the RC4/WEP descriptor) is
    injected as if received from the AP. In an RSN association the
    supplicant must ignore it; honouring it would let an attacker push
    WEP keys into an otherwise protected link. EAPOL_RX only confirms the
    frame was accepted for processing, the drop itself is not asserted here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the guard condition preceding this raise is not shown
    # in this excerpt.
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge and then tears the bridge
    and 4-address mode down again so a failure does not leave the shared
    test interfaces in a bridged state.

    NOTE(review): the br_ifname/ifname assignments and the try/finally
    structure around the call are not shown in this excerpt.
    """
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Cleanup uses argument lists (no shell), so interface names cannot be
    # interpreted by a shell.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge.

    Puts an extra wpa_supplicant interface (4-address mode) into a Linux
    bridge and checks that EAPOL still works through the bridge: initial
    EAP-PAX authentication, two forced reauthentications, and a
    disconnect/reconnect cycle.

    NOTE(review): the br_ifname/ifname assignments, blank lines and a few
    intermediate statements are not shown in this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup via argument lists (no shell interpolation). Forward
    # delay 0 so the port starts forwarding EAPOL immediately.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # check_call: if the port cannot be added the test must fail here
    # rather than run against an unbridged interface.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    The station explicitly allows TLS session tickets
    (tls_disable_session_ticket=0, they are disabled by default for EAP-TTLS)
    and then re-authenticates so the ticket path is exercised.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check on GET_CONFIG: first AKM must be WPA-EAP.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="tls_disable_session_ticket=0",
                    phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Disables wpa_supplicant's interoperability workarounds for the EAP
    peer and verifies that a standards-conformant server (hostapd) still
    completes EAP-TTLS and a forced reauthentication.

    NOTE(review): the final line of the eap_connect() call is not shown in
    this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL

    With check_crl=1 and no CRL loaded the server must fail closed and
    reject the client certificate; once ca_cert is switched to a bundle
    that includes the CRL the same client is accepted, also with
    check_crl=2 (per hostapd.conf the stricter setting also checks the
    rest of the chain -- confirm against the hostapd documentation in use).

    NOTE(review): the hapd disable/enable calls around the hapd.set()
    reconfigurations and blank lines are not shown in this excerpt.
    """
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Load a CA bundle that also carries the CRL.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Injects an allocation failure into tls_connection_set_subject_match at
    each of its first four allocations (one per server-certificate matching
    parameter configured below). A failure to apply a certificate
    constraint must abort the attempt -- surfacing as CTRL-REQ-PASSPHRASE --
    rather than continue the handshake without the constraint.

    NOTE(review): the "ev is None" guard before the raise and blank lines
    are not shown in this excerpt.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Enables hostapd's macaddr_acl=2 mode (per hostapd.conf this consults
    the external RADIUS server for MAC-based access control -- confirm)
    alongside EAP-TLS, and checks that a station with a valid client
    certificate still gets through both checks.
    """
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_conf["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    sta_conf = dict(ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **sta_conf)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes hostapd's first eapol_auth_alloc() fail while a station starts
    EAP-TLS; the authenticator must survive the failed allocation and the
    station is expected to recover on its EAPOL-Start retry.

    NOTE(review): the end of the comment inside the with-block, the tail of
    the connect() call and blank lines are not shown in this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify the
    negotiated TLS version reported by STATUS (eap_tls_version).

    Raises Exception when the negotiated version differs from `expected`.

    NOTE(review): the final line of the eap_connect() call (passing phase1)
    and the comparison guarding the raise are not shown in this excerpt.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Disabling individual TLS protocol versions via phase1 must leave the
    remaining one to be negotiated. With the internal TLS library all three
    combinations are checked; with OpenSSL only a build that both compiled
    and runs against 1.0.2 is checked, other builds are passed over.

    NOTE(review): the expected-version argument of the OpenSSL check_tls_ver
    call and a blank line are not shown in this excerpt.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
    elif tls.startswith("internal"):
        # Each station disables two versions so exactly one remains.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP advertises progressively truncated RSN elements (missing RSN
    Capabilities, then AKM suites, pairwise ciphers and the group cipher).
    The station must parse each of these without crashing and still
    reconnect, presumably by falling back to the defaults the standard
    defines for omitted trailing fields.

    NOTE(review): the tail of the initial connect() call, the last IE hex
    string in `tests`, and a few statements between disconnect and the
    override update are not shown in this excerpt.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    for txt,ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        # Drop the cached BSS so the new RSN element is actually re-read.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both ends use OpenSSL.

    TLS session resumption is only exercised with the OpenSSL backend on
    both hostapd and wpa_supplicant; hostapd is checked first, then the
    station. Raises HwsimSkip otherwise.
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for peer, msg in checks:
        lib = peer.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(msg + lib)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    The server keeps TLS sessions resumable for tls_session_lifetime
    seconds (presumably; confirm unit). The first connection must be a full
    handshake (tls_session_reused=0); a REAUTHENTICATE within the lifetime
    must resume the session (tls_session_reused=1) and still complete the
    4-way handshake.

    NOTE(review): the final eap_connect() argument line and the "ev is None"
    guards before the raises are not shown in this excerpt.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same flow as the PAP variant with CHAP as the inner method: full
    handshake first (tls_session_reused=0), then a REAUTHENTICATE that must
    resume the TLS session (tls_session_reused=1) and complete the key
    handshake.

    NOTE(review): the "ev is None" guards before the raises are not shown
    in this excerpt.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    MSCHAP inner method with domain_suffix_match pinning the server name;
    the resumed session must still be accepted with that constraint in
    place (tls_session_reused goes 0 -> 1 across REAUTHENTICATE).

    NOTE(review): the "ev is None" guards before the raises are not shown
    in this excerpt.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    MSCHAPv2 inner method with a DOMAIN\\user style identity and
    domain_suffix_match on the server certificate; the TLS session must be
    resumed on REAUTHENTICATE (tls_session_reused 0 -> 1).

    NOTE(review): the "ev is None" guards before the raises are not shown
    in this excerpt.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Tunneled EAP-GTC (phase2 autheap=GTC) as the inner method; the TLS
    session must be resumed on REAUTHENTICATE (tls_session_reused 0 -> 1).

    NOTE(review): the "ev is None" guards before the raises are not shown
    in this excerpt.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    Negative counterpart of the resumption tests: with tls_session_lifetime
    '0' the server must not hand out a resumable session, so the second
    connection (after REAUTHENTICATE) must also report tls_session_reused
    '0'. This is the property that matters when an operator disables the
    cache on purpose.
    """
    params = int_eap_server_params()
    # '0' disables the server-side TLS session cache.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # [listing gap: the remaining keyword argument(s) of this call are missing here]
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    # Cache disabled: the re-authentication must again be a full handshake.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    Full TLS handshake on the first connection ('0'), resumed session after
    REAUTHENTICATE ('1'), with PEAP/MSCHAPv2 as the tunnelled method.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Variant of test_eap_peap_session_resumption with PEAPv0 and
    crypto_binding=2 (phase1), i.e. the inner/outer binding is required,
    to verify that a resumed TLS session still completes the PEAP exchange
    when crypto binding is mandatory.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                # crypto_binding=2: binding is required, not merely optional
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    tls_session_lifetime is deliberately left unset here (unlike the TTLS
    variant, which sets '0'), so this also pins the server default: without
    an explicit lifetime, re-authentication must be a full handshake and
    tls_session_reused must stay '0' on both connections.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Certificate-based EAP-TLS: full handshake on the first connection
    ('0'), then two consecutive REAUTHENTICATE rounds that must both resume
    the cached session ('1'). The third round checks that resumption keeps
    working after a resumed session, not only after a full one.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    # Third connection: resumption must also work off an already-resumed session.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption lifetime expiration

    With tls_session_lifetime '1' the cached session must stop being
    accepted once the lifetime has passed: after the first full handshake,
    re-authentication is retried until tls_session_reused reports '0', and
    the final check fails if a resumed session is still accepted. This is
    the bound that keeps a cached session from outliving its configured
    validity.
    """
    params = int_eap_server_params()
    # Deliberately short lifetime (seconds) so expiry is observable in-test.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # [listing gap: the retry-loop header and any delay between attempts are
    #  missing here; the indented statements below appear to be the loop body]
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # [listing gap: the condition guarding this raise is missing here]
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        # [listing gap: the condition guarding this raise is missing here]
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            # [listing gap: the statement taken once expiry is observed is missing here]
    # After the retries, a still-resumable session means the lifetime was not enforced.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    No tls_session_lifetime is configured, so this pins the server default
    for EAP-TLS: both the first connection and the re-authentication must
    be full handshakes (tls_session_reused '0').
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    Two hostapd instances: apdev[1] runs as the RADIUS authentication server
    (radius_server_* parameters, port 18128) holding the TLS session cache,
    and apdev[0] is the AP that forwards EAP to it via auth_server_port.
    Resumption must work across that RADIUS hop: '0' on the first
    connection, '1' after REAUTHENTICATE.
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # [listing gap: one parameter line is missing here]
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               # Session cache lifetime is configured on the auth server side.
               "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Point the AP at the in-test RADIUS server above.
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same two-instance setup as test_eap_tls_session_resumption_radius, but
    the RADIUS server is configured with tls_session_lifetime "0". Both the
    first connection and the re-authentication through the RADIUS hop must
    be full handshakes (tls_session_reused '0').
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # [listing gap: one parameter line is missing here]
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               # "0" disables the session cache on the auth server.
               "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Fault-injection coverage of the EAP-MSCHAPv2 peer: fail_test() forces a
    return failure and alloc_fail() forces an allocation failure in the
    named internal function, then the test waits for the trigger to fire
    and tears the network down. The point is that a failing hash, key
    derivation or RNG call (os_get_random) aborts the exchange instead of
    continuing with degenerate material.

    Note: only the trigger is awaited (wait_fail_trigger); no assertion is
    made on the resulting EAP state, so a "failed" primitive that still
    authenticated would not be caught here.

    The "a;b" form in the function list appears to name callee a within
    caller b (the "=" prefix variant presumably restricts it to an exact
    caller) -- see the fail_test/alloc_fail helpers in utils for the
    precise matching rules.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: a normal connection before any fault is injected.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Plaintext-password path: hash/derivation/RNG failures.
    # Note: the "nt_password_hash;=mschapv2_derive_response" entry is listed twice.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Pre-hashed credential path: the password is supplied in "hash:" form
    # (an NT hash rather than plaintext), exercising the *_pwhash variants.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures along the success path.
    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failure on the failure path: needs a wrong password so the
    # server actually sends MSCHAPv2 Failure.
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Second and third allocation in eap_mschapv2_init, reached via EAP-FAST
    # with MSCHAPv2 as the inner method (hence the FAST capability check above).
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Fault injection for the EAP-GPSK peer, in the same style as
    test_eap_mschapv2_errors: fail_test() on RNG, session-id, key and MIC
    derivation/validation helpers, then alloc_fail() along the message
    path including the EMSK/session-id getters. As there, only the trigger
    is awaited; the resulting EAP state is not asserted.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline connection before any fault is injected.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, function, phase1) -- the third element selects a phase1
    # setting for the connection; several entries span a missing line.
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
               # [listing gap: third tuple element missing here]
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
               # [listing gap: third tuple element missing here]
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
               # [listing gap: third tuple element missing here]
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
               # [listing gap: third tuple element missing here]
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           # [listing gap: a keyword argument line (presumably passing phase1) is missing here]
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # erp="1" makes the EMSK/session-id getters reachable; ERP_FLUSH
            # clears any ERP state left from the previous iteration first.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Exercises the hostapd eap_sim_db -> hlr_auc_gw UNIX datagram socket as
    a trust boundary, with the test itself standing in for hlr_auc_gw:

    1. socket absent: authentication must end in EAP-Failure;
    2. a handler that answers with malformed strings ("FOO", "FOO 1",
       "FOO 1 2") and then stays silent: each must be rejected and the
       pending request must time out into EAP-Failure, not into success;
    3. a handler that proxies the request to the real hlr_auc_gw binary:
       authentication must succeed.

    Written against Python 2 (SocketServer module name, str payloads
    passed to sendto()).
    """
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # [listing gap: a few lines (presumably stale-socket cleanup) are missing here]
    hparams = int_eap_server_params()
    # Point hostapd's EAP-SIM DB at the in-test socket instead of the real gateway.
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    # (note: 'id' shadows the builtin; it is the network id used below)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        # [listing gap: the handler method header (def handle(self)) is missing here]
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Three malformed replies; the comments give the expected
            # hostapd-side rejection for each. None of them may authenticate.
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # [listing gap: lines missing here]
    dev[0].select_network(id)
    # Serve exactly one request, then expect the timeout to surface as EAP-Failure.
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response

    class test_handler2(SocketServer.DatagramRequestHandler):
        # [listing gap: the handler method header (def handle(self)) is missing here]
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # argv-list form: no shell interpretation of the request text.
            # The argument list continues on a missing line. The child is
            # never waited on (no wait()/communicate()), so it lingers as a
            # zombie until the test process exits.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    # [listing gap: remaining argv elements missing here]
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            # [listing gap: line missing here]
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    # Swap the handler on the already-bound server rather than re-binding the socket.
    server.RequestHandlerClass = test_handler2
    # [listing gap: line missing here]
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server certificate chain signed with SHA-512 (sha512-ca / sha512-server).
    dev[0] authenticates with a SHA-512-signed client certificate and dev[1]
    with a SHA-384-signed one against the same CA, so both digest choices
    are verified in one run. Both connect calls are truncated in this
    listing (the closing arguments are missing).

    Note: the function parameter 'params' is immediately shadowed by the
    local hostapd parameter dict.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Mirror of test_eap_tls_sha512 with a SHA-384-signed server certificate
    (sha384-server) issued by the same sha512-ca. dev[0] uses the SHA-512
    client certificate and dev[1] the SHA-384 one. Both connect calls are
    truncated in this listing (the closing arguments are missing).

    Note: the function parameter 'params' is immediately shadowed by the
    local hostapd parameter dict.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # [listing gap: the remaining keyword argument(s) of this call are missing here]
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Drives the AP's RSN IE parser with hand-built association-request IEs
    (set_test_assoc_ie). Each hex string is a complete element: 0x30 is the
    RSN element ID, then length, version 0100, and 000fac-prefixed suite
    selectors (IEEE 802.11 OUI) for group cipher, pairwise cipher(s) and
    AKM(s), optionally followed by RSN Capabilities, PMKID count and group
    management cipher.

    Four groups of cases:
      - truncated-but-valid IEs (optional trailing fields dropped one by
        one) must still associate on the plain AP;
      - IEs carrying MFP capability bits (cc00) must associate on the
        ieee80211w=2 AP;
      - an unsupported group / pairwise cipher must be rejected with
        802.11 status 41 / 42;
      - missing MFP or an unsupported management group cipher on the
        MFP-required AP must be rejected with status 31.
    The negative cases assert the exact status code, not just the rejection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Second AP requiring management frame protection.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Success cases with optional RSN IE fields removed one by one
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        # [listing gap: one loop-body line (title is otherwise unused) is missing here]
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # [listing gap: the remaining keyword argument(s) of this call are missing here]
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # MFP-capable IEs (RSN Capabilities cc00 carries the MFPC/MFPR bits)
    # against the ieee80211w=2 AP.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        # [listing gap: one loop-body line is missing here]
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # [listing gap: the remaining keyword argument(s) of this call are missing here]
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejections: 41 = invalid group cipher, 42 = invalid pairwise cipher
    # (IEEE 802.11 status codes). 000fac02 is the TKIP suite selector.
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        # [listing gap: one loop-body line is missing here]
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # [listing gap: the condition guarding this raise is missing here]
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # Rejections on the MFP-required AP: 31 = robust management frame
    # policy violation, both for an IE without MFP bits and for an
    # unsupported group management cipher (000fac0b).
    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        # [listing gap: one loop-body line is missing here]
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # [listing gap: the condition guarding this raise is missing here]
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation

    Adds (but does not select) an EAP-TLS network that requests the
    external certificate check (phase1 tls_ext_cert_check=1) while also
    keeping the supplicant's own chain validation via ca_cert. The AP is
    brought up and the network selected inside run_ext_cert_check.
    """
    # With internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap",
                            key_mgmt="WPA-EAP",
                            eap="TLS",
                            identity="tls user",
                            phase1="tls_ext_cert_check=1",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation

    Adds (but does not select) an EAP-TTLS/PAP network that relies solely
    on the external certificate check (phase1 tls_ext_cert_check=1): no
    ca_cert is configured, so the supplicant performs no chain validation
    of its own. The AP is brought up and the network selected inside
    run_ext_cert_check.
    """
    # Without internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap",
                            key_mgmt="WPA-EAP",
                            eap="TTLS",
                            phase1="tls_ext_cert_check=1",
                            phase2="auth=PAP",
                            anonymous_identity="ttls",
                            identity="pap user",
                            password="password",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation

    Adds (but does not select) a PEAP/MSCHAPv2 network that requests the
    external certificate check (phase1 tls_ext_cert_check=1) in addition to
    the supplicant's own chain validation via ca_cert. The AP is brought up
    and the network selected inside run_ext_cert_check.
    """
    # With internal server certificate chain validation
    net_id = dev[0].connect("test-wpa2-eap",
                            key_mgmt="WPA-EAP",
                            eap="PEAP",
                            phase1="tls_ext_cert_check=1",
                            phase2="auth=MSCHAPV2",
                            ca_cert="auth_serv/ca.pem",
                            anonymous_identity="peap",
                            identity="user",
                            password="password",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation

    EAP-FAST variant of the *_ext_cert_check tests with authenticated PAC
    provisioning (fast_provisioning=2) and the supplicant's own chain
    validation via ca_cert. The PAC blob is cleared first so the run starts
    from provisioning rather than from a cached PAC.
    """
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Clear any PAC left from an earlier run.
    dev[0].request("SET blob fast_pac_auth_ext ")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        # [listing gap: one keyword argument line is missing here]
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server-certificate check flow for network net_id.

    The network must already have been added with phase1
    tls_ext_cert_check=1. The supplicant then reports the server chain via
    CTRL-EVENT-EAP-PEER-CERT events (depth=N cert=<hex DER>) and pauses
    the EAP exchange with CTRL-REQ-EXT_CERT_CHECK until the controller
    answers CTRL-RSP-EXT_CERT_CHECK-<id>:good|bad.

    Security properties checked:
      - EAP-Success must not arrive before the external verdict (the
        0.1 s negative wait on CTRL-EVENT-EAP-SUCCESS);
      - the leaf CN and issuer CN of the reported chain are the expected
        test-server values;
      - answering ":good" completes the connection, and after PMKSA_FLUSH
        (forcing a full EAP exchange rather than PMKSA caching) answering
        ":bad" on the reconnect must yield CTRL-EVENT-EAP-FAILURE.

    Several guard and initialisation lines are missing from this listing
    and are marked inline.
    """
    check_ext_cert_check_support(dev[0])
    # Certificate parsing below uses pyOpenSSL; skip rather than fail without it.
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # [listing gap: initialisation of the certs collection and the event-loop
    #  header are missing here; the block below collects one cert per depth]
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # [listing gap: the condition guarding this raise is missing here]
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # [listing gap: initialisation of depth/cert is missing here]
            vals = ev.split(' ')
            # [listing gap: the loop header over vals is missing here]
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            # Keyed by chain depth: 0 = server leaf, 1 = its issuer.
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # Success before the external verdict would mean the check is not gating.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id to echo back in CTRL-RSP-EXT_CERT_CHECK-<id>
            # ('id' shadows the builtin).
            id = ev.split(':')[0].split('-')[-1]
            # [listing gap: loop exit and the check for the depth-0 entry are missing here]
        raise Exception("Server certificate not received")
    # [listing gap: the check for the depth-1 entry is missing here]
        raise Exception("Server certificate issuer not received")

    # DER (FILETYPE_ASN1) parse of the leaf; the certificate argument is on a missing line.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           # [listing gap: argument missing here]
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             # [listing gap: argument missing here]
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # Negative wait: no EAP-Success may have been delivered while the
    # external check is pending. A 0.1 s window is a weak guarantee, but
    # together with the in-loop "Unexpected EAP-Success" branch above it
    # covers the gating property this test exists for.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush PMKSA so the reconnect is a full EAP exchange and the external
    # check is consulted again (PMKSA caching would bypass it).
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Clear the EAP-FAST PAC blob for the same reason (no-op for other methods).
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # A ":bad" verdict must fail the authentication outright.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # [listing gap: the condition guarding this raise is missing here]
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()