1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger (no name); the test functions below use it for step-by-step
# progress messages such as "Negative test with incorrect key".
logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
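def check_hlr_auc_gw_support(sock_path="/tmp/hlr_auc_gw.sock"):
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' tests need hostapd's EAP server to reach the
    HLR/AuC gateway over this UNIX socket.

    Args:
        sock_path: path of the gateway socket; the default is the location
            the test setup uses.

    Raises:
        HwsimSkip: when nothing exists at sock_path.
    """
    # Only existence is checked. A path under /tmp can be created by any
    # local user, so this gates the test run; it does not authenticate the
    # gateway on the other end of the socket.
    if not os.path.exists(sock_path):
        raise HwsimSkip("No hlr_auc_gw available")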
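def check_eap_capa(dev, method):
    """Skip the test unless *method* is among the supplicant's EAP methods.

    Args:
        dev: wpa_supplicant test wrapper; get_capability("eap") returns the
            methods compiled into the build.
        method: EAP method name as it appears in that list, e.g. "MSCHAPV2".

    Raises:
        HwsimSkip: when the method is not in the capability list.
    """
    res = dev.get_capability("eap")
    # A method absent from the build cannot be negotiated, so the test would
    # only report a misleading EAP failure; skip instead.
    if method not in res:
        raise HwsimSkip("EAP method %s not supported in the build" % method)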
def check_subject_match_support(dev):
    """Skip the test unless the supplicant's TLS backend supports subject_match.

    Only the OpenSSL backend implements the subject_match network parameter;
    any other library name reported by ``GET tls_library`` leads to HwsimSkip.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the test unless the TLS backend supports altsubject_match.

    altsubject_match (matching subjectAltName entries of the server
    certificate) is only available with the OpenSSL backend.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip unless the TLS backend supports suffix-based domain_suffix_match.

    With a non-OpenSSL backend the supplicant only supports a full-name match
    for domain_suffix_match, so tests relying on suffix matching are skipped.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the test unless the TLS backend supports certificate probing.

    Certificate probing (connecting only to learn the server certificate) is
    implemented for the OpenSSL backend only.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
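def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the test AP with EAP *method* and verify the outcome.

    Args:
        dev: wpa_supplicant test wrapper.
        ap: apdev entry; ap['ifname'] selects the hostapd instance.
        method: EAP method name passed as eap= and checked by eap_check_auth().
        identity: outer/inner EAP identity.
        sha256: expect the WPA-EAP-SHA256 AKM to be selected.
        expect_failure: the EAP exchange is expected to fail; the function
            returns after eap_check_auth() has validated the failure.
        local_error_report: accept a disconnection without reason code 23.
        maybe_local_error: accept a locally generated disconnection.
        **kwargs: remaining network parameters (password, ca_cert, phase2, ...).

    Returns:
        The network id assigned by dev.connect().

    Raises:
        Exception: on any mismatch detected by eap_check_auth(), or when
            hostapd does not report AP-STA-CONNECTED within 5 s.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # Offer both AKM suites so the AP's choice can be checked afterwards;
    # ieee80211w="1" is the supplicant's "PMF optional" setting.
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # A failed EAP exchange never yields a station association on the AP
    # side, so there is nothing further to wait for.
    if expect_failure:
        return net_id
    ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
    if ev is None:
        raise Exception("No connection event received from hostapd")
    return net_id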
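def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP authentication on *dev* and validate its end state.

    Args:
        dev: wpa_supplicant test wrapper (wait_event / wait_disconnected /
            get_status).
        method: EAP method name that must appear in CTRL-EVENT-EAP-METHOD and
            in the selectedMethod status field.
        initial: True for a first connection (wait for CTRL-EVENT-CONNECTED),
            False for a re-authentication (wait for the 4-way handshake to
            complete again).
        rsn: expect a WPA2 (RSN) key_mgmt string rather than WPA.
        sha256: expect the WPA2-EAP-SHA256 AKM.
        expect_failure: expect CTRL-EVENT-EAP-FAILURE followed by a
            disconnection instead of success.
        local_error_report: do not insist on reason code 23 in the
            disconnection event.
        maybe_local_error: a disconnection with locally_generated=1 ends the
            check early without looking at the reason code.

    Raises:
        Exception: on a timeout, an unexpected method, or any status field
            that does not match the expected outcome.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            return
        # Reason code 23 is "IEEE 802.1X authentication failed": the AP must
        # tell the station why it was dropped unless the caller allows a
        # locally reported error instead.
        if not local_error_report:
            if "reason=23" not in ev:
                raise Exception("Proper reason code for disconnection not reported")
        return

    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")

    if initial:
        ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    else:
        ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The controlled port may only be opened once EAP succeeded.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    if sha256:
        e = "WPA2-EAP-SHA256"
    elif rsn:
        e = "WPA2/IEEE 802.1X/EAP"
    else:
        e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])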
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on *dev* and validate its result.

    Issues REAUTHENTICATE over the control interface, then runs the same
    checks as a first connection via eap_check_auth() with initial=False
    (i.e. waiting for the renewed key negotiation instead of CTRL-EVENT-CONNECTED).
    """
    dev.request("REAUTHENTICATE")
    expectations = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **expectations)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive path: stations authenticate against hostapd's EAP server backed
    by hlr_auc_gw, with connectivity and re-authentication checked for the
    first one.  Negative path: the same IMSI with a wrong or malformed
    GSM-Milenage key must be rejected.  The password carries the key material
    as two colon-separated 32-hex-digit (16-byte) values.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # NOTE(review): the trailing argument of this call for IMSI ...0002 is not
    # visible here; confirm against the full file whether it is an expected
    # failure (an IMSI unknown to the gateway) or a third successful station.
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Well-formed key with the wrong first value: must be rejected by the server.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    # Truncated value and no second field: the key parser must reject it.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character ('q') in the first value.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character ('q') in the second value.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    # Missing ':' separator between the two values.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    # No password at all: the method must not be able to answer the challenge.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises fast re-authentication and pseudonym handling with the
    SQLite-backed EAP server state (hostapd.db in the log directory).  The
    direct edits to the 'reauth' and 'pseudonyms' tables emulate state loss or
    tampering on the server side; the statements use constant literals only,
    nothing external reaches them.
    """
    check_hlr_auc_gw_support()
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the second RADIUS server instance, the one using the SQLite
    # database -- confirm against the hostapd test configuration.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    # Dropping the reauth entry forces a full authentication; the pseudonym
    # from the previous round is still usable.
        cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    # A corrupted master key on the server must make fast reauth fail
    # outright (expect_failure) rather than be papered over.
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    # Counter mismatch: the reauth is still expected to succeed (the server
    # can fall back to a full authentication).
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    # Past the maximum reauth count the server must stop handing out fast
    # reauth; the round still completes via full authentication.
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    sim_min_num_chal is the minimum number of GSM triplets the peer demands
    from the server.  Values 1 and 4 must be rejected at method
    initialization (the peer refuses to start rather than negotiate with a
    weaker/unsupported challenge count); 2 is accepted.  A final connection
    uses an anonymous_identity to cover the pseudonym/anonymous outer identity
    path.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    # Method 18 is EAP-SIM; init must fail for the out-of-range value.
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    Wrapper around _test_ap_wpa2_eap_sim_ext() whose job is to reset the
    supplicant's external_sim setting afterwards, so that a failure inside
    the test does not leave dev[0] expecting external SIM processing in later
    tests.
    """
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Drive EAP-SIM with external GSM authentication via the control interface.

    With external_sim=1 the supplicant asks the controller for the GSM
    authentication result (CTRL-REQ-SIM-<id>:GSM-AUTH:...) instead of running
    Milenage itself.  Every answer sent here is deliberately wrong -- wrong
    request type, non-hex, too short, missing fields -- and each must end in
    CTRL-EVENT-EAP-FAILURE: this is an input-validation test of the
    CTRL-RSP-SIM parser, which handles data from a local, but not
    necessarily careful, control client.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # No password: the key material lives outside the supplicant.
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # The request id is the numeric suffix of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]

    # A UMTS-style answer to a GSM-AUTH request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Non-hex Kc.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Kc too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Kc present (8 bytes) but no SRES field at all.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Non-hex SRES.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # One well-formed Kc:SRES pair only -- fewer triplets than the peer
    # requires (see sim_min_num_chal in test_ap_wpa2_eap_sim_config).
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Valid pair followed by a non-hex second Kc.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Injects an allocation failure at each of the first twelve allocations
    inside milenage_f2345() (the function computing the Milenage outputs)
    and checks that the peer still reaches method selection and then
    disconnects cleanly instead of crashing or hanging.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        # alloc_fail() makes the count-th allocation in func fail and
        # verifies on exit that the failure point was actually reached.
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive path against hlr_auc_gw, then a series of negative cases with a
    wrong or malformed Milenage key.  For AKA the password has three
    colon-separated fields: two 16-byte hex values followed by a 12-hex-digit
    (6-byte) sequence number.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Well-formed key, wrong first value.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    # Truncated first value, no further fields.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid Milenage key(2)")
    # NOTE(review): unlike the other negative cases, the next three attempts
    # are made without a preceding REMOVE_NETWORK; confirm that the stale
    # profile from the previous attempt does not affect which one is used.
    # Non-hex character in the first value.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    logger.info("Invalid Milenage key(3)")
    # Non-hex character in the second value.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    logger.info("Invalid Milenage key(4)")
    # Non-hex character in the sequence number.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    # Missing ':' before the sequence number.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    # Both ':' separators missing.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    # No password at all.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Same scenario as test_ap_wpa2_eap_sim_sql() for EAP-AKA: fast
    re-authentication, pseudonym and permanent-identity full authentication,
    and server-side state corruption (master key, counter) applied directly
    to the SQLite database with constant-literal SQL.
    """
    check_hlr_auc_gw_support()
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the SQLite-backed RADIUS server instance -- confirm against
    # the hostapd test configuration.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
    # A corrupted master key must make the fast reauth fail, not fall
    # through to a success.
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # Counter mismatch: the round is still expected to succeed.
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    # Beyond the maximum reauth count the round must still complete.
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Single positive connection that sets an anonymous_identity next to the
    permanent IMSI, so the pseudonym/anonymous outer-identity path of EAP-AKA
    is exercised.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    credentials = dict(
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        anonymous_identity="2345678")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **credentials)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Wrapper around _test_ap_wpa2_eap_aka_ext() that restores external_sim=0
    afterwards so a failing run cannot leave dev[0] waiting for external SIM
    processing in subsequent tests.
    """
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Drive EAP-AKA with external UMTS authentication via the control interface.

    With external_sim=1 the supplicant hands the UMTS challenge to the
    controller (CTRL-REQ-SIM-<id>:UMTS-AUTH:...) and expects either
    UMTS-AUTH:<IK>:<CK>:<RES> or a resynchronization UMTS-AUTS:<AUTS>.  Every
    answer here is malformed in some way and must be rejected with
    CTRL-EVENT-EAP-FAILURE; this checks the CTRL-RSP-SIM input validation
    against a sloppy or hostile control client.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
        raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # The request id is the numeric suffix of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]

    # A GSM-style answer to a UMTS-AUTH request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    # A 14-byte AUTS is accepted as a resync request: the server issues a
    # new challenge and a second CTRL-REQ-SIM arrives.
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    # AUTS far too short.
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Malformed UMTS-AUTH responses: wrong separator after IK, CK too short,
    # wrong separator after CK, RES too long, non-hex RES.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
            raise Exception("Wait for external SIM processing request timed out")
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive EAP-AKA' connection and re-authentication, a bidding-down check
    with both AKA' and AKA enabled on the peer, and a negative case with a
    wrong key.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # The peer offers both AKA' and AKA; the "@both" identity selects a
    # server-side setup where the connection must still complete, i.e. the
    # AKA' bidding-down protection must not break a legitimate exchange.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Well-formed key, wrong first value.
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Same scenario as the SIM/AKA SQL tests for EAP-AKA'.  The server-side
    corruption case targets k_aut (the AKA' authentication key kept per
    reauth entry) rather than the master key.
    """
    check_hlr_auc_gw_support()
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably the SQLite-backed RADIUS server instance -- confirm against
    # the hostapd test configuration.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    # A zeroed k_aut must make the fast reauth fail; the AT_MAC check is the
    # only thing standing between a tampered entry and a successful reauth.
        cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # Counter mismatch: the round is still expected to succeed.
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    # Beyond the maximum reauth count the round must still complete.
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Brings up a WPA2-EAP AP, checks that its advertised key_mgmt starts with
    WPA-EAP, connects dev[0] with PAP inside the TTLS tunnel, verifies data
    connectivity and a re-authentication round, and finally confirms through
    the MIB that the 00-0f-ac-1 (802.1X) AKM suite was requested and selected.

    Security note: PAP carries the password in the clear inside the tunnel,
    so TLS server authentication is all that protects it.  This case pins the
    CA (ca_cert) but not the server name; the subject_match and
    domain_suffix_match variants in this file show the stricter form.
    """
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    advertised = hapd.get_config()['key_mgmt']
    first_akm = advertised.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + advertised)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Like the plain TTLS/PAP case but with the server certificate's subject DN
    and subjectAltName entries pinned in addition to the CA, which is what
    stops a different certificate from the same CA from terminating the
    tunnel.  Both options require the OpenSSL backend, hence the skips.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    pinning = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **pinning)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two rejection cases: the right user with the wrong password, and an
    identity ("user") that is not provisioned for PAP with the right
    password.  Both must end in an EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Skipped on FIPS builds (CHAP's MD5-based response is unavailable there).
    Connects "chap user" through the TTLS tunnel using the DER-encoded test
    CA, then checks data connectivity and one re-authentication round.  Only
    the CA is pinned; the altsubject_match variant adds server-name pinning.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with altsubject_match

    Same as test_ap_wpa2_eap_ttls_chap() but the server certificate must also
    carry the listed subjectAltName entries (the DNS entry is what pins the
    server name).  altsubject_match needs the OpenSSL backend, hence the skip.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    san_pin = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_pin)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Rejection cases for CHAP: right user with the wrong password, and an
    identity ("user") not provisioned for CHAP with the right password.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    First connection pins the server name with domain_suffix_match
    ("server.w1.fi") in addition to the CA, then checks connectivity and a
    re-authentication round.  A second connection repeats the MSCHAP
    exchange with a different trailing option.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the trailing option of this second connection is not
    # visible here -- confirm what variant of the server-name check it uses.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three rejection cases: the MSCHAP user with a wrong password, a user not
    provisioned for MSCHAP, and a user that does not exist at all.  All must
    end in an EAP failure, and the unknown-user case must not be
    distinguishable by outcome from the wrong-password case.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
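def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Full TTLS/MSCHAPv2 round: connect, verify the data path, reauthenticate
    # and confirm the AP-side EAPOL counters moved, then connect again with
    # the NT-hash form of the password instead of the clear text.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Doubled backslash keeps the literal "DOMAIN\mschapv2 user"; the single
    # "\m" of the original is an invalid escape sequence that Python only
    # tolerates with a warning.
    identity = "DOMAIN\\mschapv2 user"
    # ca_cert alone only anchors the trust root; domain_suffix_match in
    # addition ties the server certificate to the expected host name.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta_before = hapd.get_sta(addr)
    eapol_before = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = hapd.get_sta(addr)
    eapol_after = hapd.get_sta(addr, info="eapol")
    if int(sta_after['dot1xAuthEapolFramesRx']) <= int(sta_before['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # Absolute check (>= 1) rather than a before/after comparison, as in the
    # original; presumably the counter is 0 right after the first association.
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol_after['backendAuthSuccesses']) <= int(eapol_before['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # For MSCHAPv2 the NT hash is a password-equivalent credential: it is
    # sufficient on its own to authenticate (this call proves it), so it must
    # be protected exactly like the clear-text password.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")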
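def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Only OpenSSL builds support a true suffix match ("w1.fi" against the
    # server's server.w1.fi); other TLS libraries require a full match, so
    # check_domain_match_full() skips the test there.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" keeps the literal backslash; a single "\m" is an invalid escape
    # sequence that Python only accepts with a warning.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")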
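def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the certificate name to match in full (no suffix
    # matching); the mixed-case "Server.w1.fi" presumably exercises
    # case-insensitive comparison against server.w1.fi - confirm.
    # "\\m" keeps the literal backslash; a single "\m" is an invalid escape.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")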
914 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
915 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
916 skip_with_fips(dev[0])
917 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
918 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
919 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
920 anonymous_identity="ttls", password="password1",
921 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
923 eap_connect(dev[1], apdev[0], "TTLS", "user",
924 anonymous_identity="ttls", password="password",
925 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Inner-method settings shared by both stations.
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")
    # dev[0] supplies the non-ASCII password in clear text, dev[1] supplies
    # only its NT hash. Presumably the server-side user DB stores the
    # opposite form for each identity (confirm against the hostapd eap_user
    # file). Note that for MSCHAPv2 the NT hash is as sensitive as the
    # password itself: it is sufficient on its own to authenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **inner)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **inner)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-GTC returns the password as a clear-text token response, so it is
    # only acceptable as an inner method inside the TTLS tunnel; validating
    # the tunnel server via ca_cert is what keeps the credential away from a
    # rogue AP.
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
952 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
953 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
954 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956 eap_connect(dev[0], apdev[0], "TTLS", "user",
957 anonymous_identity="ttls", password="wrong",
958 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
961 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
962 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
963 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
964 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
965 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
966 anonymous_identity="ttls", password="password",
967 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
970 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
971 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
972 params = int_eap_server_params()
973 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
974 with alloc_fail(hapd, 1, "eap_gtc_init"):
975 eap_connect(dev[0], apdev[0], "TTLS", "user",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
979 dev[0].request("REMOVE_NETWORK all")
981 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
982 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
983 eap="TTLS", identity="user",
984 anonymous_identity="ttls", password="password",
985 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
986 wait_connect=False, scan_freq="2412")
987 # This would eventually time out, but we can stop after having reached
988 # the allocation failure.
991 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_cfg = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # EAP-MD5 derives no keying material and authenticates only the peer,
    # which is why it appears here solely as an inner method protected by
    # the TTLS tunnel (ca_cert validates the tunnel server).
    eap_connect(dev[0], ap, "TTLS", "user", **inner_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: a wrong inner password must end in an EAP failure;
    # expect_failure=True tells eap_connect that success would be the bug.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password configured on the server
    # side; the client offering one must still be rejected, never accepted
    # as a match against an empty credential.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1025 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1026 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1027 check_eap_capa(dev[0], "MD5")
1028 params = int_eap_server_params()
1029 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1030 with alloc_fail(hapd, 1, "eap_md5_init"):
1031 eap_connect(dev[0], apdev[0], "TTLS", "user",
1032 anonymous_identity="ttls", password="password",
1033 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1034 expect_failure=True)
1035 dev[0].request("REMOVE_NETWORK all")
1037 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1038 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1039 eap="TTLS", identity="user",
1040 anonymous_identity="ttls", password="password",
1041 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1042 wait_connect=False, scan_freq="2412")
1043 # This would eventually time out, but we can stop after having reached
1044 # the allocation failure.
1047 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MSCHAPv2 as an inner EAP method (autheap=) rather than the bare
    # TTLS MSCHAPv2 AVP variant (auth=).
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    eap_connect(sta, ap, "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same network with a wrong password must end in an EAP failure.
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so the
    # attempt must fail even though the client offers one.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1078 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1079 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1080 check_eap_capa(dev[0], "MSCHAPV2")
1081 params = int_eap_server_params()
1082 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1083 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1084 eap_connect(dev[0], apdev[0], "TTLS", "user",
1085 anonymous_identity="ttls", password="password",
1086 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1087 expect_failure=True)
1088 dev[0].request("REMOVE_NETWORK all")
1090 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1091 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1092 eap="TTLS", identity="user",
1093 anonymous_identity="ttls", password="password",
1094 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1095 wait_connect=False, scan_freq="2412")
1096 # This would eventually time out, but we can stop after having reached
1097 # the allocation failure.
1100 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1102 dev[0].request("REMOVE_NETWORK all")
1104 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1105 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1106 eap="TTLS", identity="user",
1107 anonymous_identity="ttls", password="password",
1108 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1109 wait_connect=False, scan_freq="2412")
1110 # This would eventually time out, but we can stop after having reached
1111 # the allocation failure.
1114 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1116 dev[0].request("REMOVE_NETWORK all")
1118 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1119 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1120 eap="TTLS", identity="user",
1121 anonymous_identity="ttls", password="wrong",
1122 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1123 wait_connect=False, scan_freq="2412")
1124 # This would eventually time out, but we can stop after having reached
1125 # the allocation failure.
1128 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1130 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Fixed SIM test vector (presumably Ki:OPc:SQN, the format the EAP-AKA
    # password field expects - see wpa_supplicant.conf); shared test data,
    # never real subscriber keys.
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # Note the outer (anonymous_identity) still carries the IMSI-derived
    # name, so the subscriber identity is visible outside the tunnel; this
    # appears deliberate for the test, but a deployment would want a real
    # pseudonym here.
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same fixed SIM test vector as the TTLS variant (presumably Ki:OPc:SQN).
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # The outer identity carries the IMSI-derived name in the clear; fine
    # for the test, not what a deployment would want.
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same fixed SIM test vector as the TTLS/PEAP variants.
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # fast_provisioning=2 selects authenticated PAC provisioning (server
    # certificate checked against ca_cert) per wpa_supplicant.conf, and the
    # resulting PAC is stored in a config blob rather than a file. Anonymous
    # provisioning (=1) would accept a PAC from an unauthenticated server
    # and is deliberately not used here.
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_password,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # Baseline connection, data path and reauthentication.
    eap_connect(sta, ap, "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # Same credentials with a small EAP fragment_size to exercise the
    # fragmentation path of the TLS handshake.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # NT hash of "password". For MSCHAPv2 the hash alone suffices to
    # authenticate (this call shows it), so it is as sensitive as the
    # clear-text password.
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **common)
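def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The backslash must be doubled: "DOMAIN\user3" is parsed as a \uXXXX
    # unicode escape on Python 3 and is a SyntaxError there, while the
    # doubled form yields the intended literal DOMAIN\user3 on both
    # Python 2 and 3.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")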
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: the wrong inner password must produce an EAP failure.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # PEAPv0 with the given crypto_binding setting (wpa_supplicant.conf
        # documents 0 = do not use, 1 = use if the server supports it,
        # 2 = require).
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    # Cryptobinding ties the inner MSCHAPv2 result to the outer TLS tunnel,
    # the defence against an attacker relaying the inner method between two
    # tunnels; dev[0] requires it and is the station whose data path and
    # reauthentication are checked.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must still interoperate with the server;
    # crypto_binding=0 gives up that protection and is here for coverage only.
    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], int_eap_server_params())
    # Fail the server's first allocation in eap_mschapv2_getKey, i.e. where
    # the inner key material that cryptobinding is computed from is produced.
    # The client requires binding (crypto_binding=2), so the attempt must
    # fail; local_error_report presumably lets eap_connect accept a failure
    # that the supplicant detects locally instead of an EAP-Failure from the
    # server - confirm in eap_check_auth.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1246 def test_ap_wpa2_eap_peap_params(dev, apdev):
1247 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1248 check_eap_capa(dev[0], "MSCHAPV2")
1249 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1250 hostapd.add_ap(apdev[0]['ifname'], params)
1251 eap_connect(dev[0], apdev[0], "PEAP", "user",
1252 anonymous_identity="peap", password="password",
1253 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1254 phase1="peapver=0 peaplabel=1",
1255 expect_failure=True)
1256 dev[0].request("REMOVE_NETWORK all")
1257 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1258 ca_cert="auth_serv/ca.pem",
1259 phase1="peap_outer_success=1",
1260 phase2="auth=MSCHAPV2")
1261 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1262 ca_cert="auth_serv/ca.pem",
1263 phase1="peap_outer_success=2",
1264 phase2="auth=MSCHAPV2")
1265 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1267 anonymous_identity="peap", password="password",
1268 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1269 phase1="peapver=1 peaplabel=1",
1270 wait_connect=False, scan_freq="2412")
1271 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1273 raise Exception("No EAP success seen")
1274 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1276 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters configure the inner EAP-TLS (client certificate
    # authentication inside the PEAP tunnel); the plain ca_cert validates the
    # outer tunnel server. Both use the same test CA here.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: the client presents user.pem with
    # its key and validates the server against the test CA.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], ap, "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
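def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # Same as test_ap_wpa2_eap_tls, but the CA certificate, client
    # certificate and private key are pushed into wpa_supplicant as named
    # configuration blobs (hex-encoded over the control interface) and
    # referenced with blob:// URIs instead of file paths.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def _set_blob(name, fname):
        # Load the PEM file (read_pem returns the base64-decoded DER payload)
        # and store it under blob `name`. The error names the blob that
        # failed; the original reported "cacert" for the userkey blob too.
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob %s %s" % (name, data.encode("hex"))):
            raise Exception("Could not set %s blob" % name)

    _set_blob("cacert", "auth_serv/ca.pem")
    _set_blob("usercert", "auth_serv/user.pem")
    # The private key transits the control interface here; acceptable for
    # the hwsim test setup, worth remembering when reusing this pattern.
    _set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")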
1315 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1316 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1317 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1318 hostapd.add_ap(apdev[0]['ifname'], params)
1319 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1320 private_key="auth_serv/user.pkcs12",
1321 private_key_passwd="whatever")
1322 dev[0].request("REMOVE_NETWORK all")
1323 dev[0].wait_disconnected()
1325 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1326 identity="tls user",
1327 ca_cert="auth_serv/ca.pem",
1328 private_key="auth_serv/user.pkcs12",
1329 wait_connect=False, scan_freq="2412")
1330 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1332 raise Exception("Request for private key passphrase timed out")
1333 id = ev.split(':')[0].split('-')[-1]
1334 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1335 dev[0].wait_connected(timeout=10)
1336 dev[0].request("REMOVE_NETWORK all")
1337 dev[0].wait_disconnected()
1339 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1340 private_key="auth_serv/user2.pkcs12",
1341 private_key_passwd="whatever")
1342 dev[0].request("REMOVE_NETWORK all")
1343 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # CA certificate as a DER blob (read_pem base64-decodes the PEM body).
    ca_der = read_pem("auth_serv/ca.pem")
    if "OK" not in sta.request("SET blob cacert " + ca_der.encode("hex")):
        raise Exception("Could not set cacert blob")
    # PKCS#12 bundle (client certificate plus key) pushed as raw bytes; it
    # remains protected by its passphrase until wpa_supplicant unwraps it
    # with private_key_passwd.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    if "OK" not in sta.request("SET blob pkcs12 " + p12.encode("hex")):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1359 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1360 """WPA2-Enterprise negative test - incorrect trust root"""
1361 check_eap_capa(dev[0], "MSCHAPV2")
1362 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1363 hostapd.add_ap(apdev[0]['ifname'], params)
1364 cert = read_pem("auth_serv/ca-incorrect.pem")
1365 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1366 raise Exception("Could not set cacert blob")
1367 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1368 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1369 password="password", phase2="auth=MSCHAPV2",
1370 ca_cert="blob://cacert",
1371 wait_connect=False, scan_freq="2412")
1372 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1373 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1374 password="password", phase2="auth=MSCHAPV2",
1375 ca_cert="auth_serv/ca-incorrect.pem",
1376 wait_connect=False, scan_freq="2412")
1378 for dev in (dev[0], dev[1]):
1379 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1381 raise Exception("Association and EAP start timed out")
1383 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1385 raise Exception("EAP method selection timed out")
1386 if "TTLS" not in ev:
1387 raise Exception("Unexpected EAP method")
1389 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1390 "CTRL-EVENT-EAP-SUCCESS",
1391 "CTRL-EVENT-EAP-FAILURE",
1392 "CTRL-EVENT-CONNECTED",
1393 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1395 raise Exception("EAP result timed out")
1396 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1397 raise Exception("TLS certificate error not reported")
1399 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1400 "CTRL-EVENT-EAP-FAILURE",
1401 "CTRL-EVENT-CONNECTED",
1402 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1404 raise Exception("EAP result(2) timed out")
1405 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1406 raise Exception("EAP failure not reported")
1408 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1409 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1411 raise Exception("EAP result(3) timed out")
1412 if "CTRL-EVENT-DISCONNECTED" not in ev:
1413 raise Exception("Disconnection not reported")
1415 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1417 raise Exception("Network block disabling not reported")
1419 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1423 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1424 identity="pap user", anonymous_identity="ttls",
1425 password="password", phase2="auth=PAP",
1426 ca_cert="auth_serv/ca.pem",
1427 wait_connect=True, scan_freq="2412")
1428 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1429 identity="pap user", anonymous_identity="ttls",
1430 password="password", phase2="auth=PAP",
1431 ca_cert="auth_serv/ca-incorrect.pem",
1432 only_add_network=True, scan_freq="2412")
1434 dev[0].request("DISCONNECT")
1435 dev[0].wait_disconnected()
1436 dev[0].dump_monitor()
1437 dev[0].select_network(id, freq="2412")
1439 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1441 raise Exception("EAP-TTLS not re-started")
1443 ev = dev[0].wait_disconnected(timeout=15)
1444 if "reason=23" not in ev:
1445 raise Exception("Proper reason code for disconnection not reported")
1447 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1448 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1451 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1452 identity="pap user", anonymous_identity="ttls",
1453 password="password", phase2="auth=PAP",
1454 wait_connect=True, scan_freq="2412")
1455 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1456 identity="pap user", anonymous_identity="ttls",
1457 password="password", phase2="auth=PAP",
1458 ca_cert="auth_serv/ca-incorrect.pem",
1459 only_add_network=True, scan_freq="2412")
1461 dev[0].request("DISCONNECT")
1462 dev[0].wait_disconnected()
1463 dev[0].dump_monitor()
1464 dev[0].select_network(id, freq="2412")
1466 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1468 raise Exception("EAP-TTLS not re-started")
1470 ev = dev[0].wait_disconnected(timeout=15)
1471 if "reason=23" not in ev:
1472 raise Exception("Proper reason code for disconnection not reported")
1474 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1475 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1476 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1477 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1478 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1479 identity="pap user", anonymous_identity="ttls",
1480 password="password", phase2="auth=PAP",
1481 ca_cert="auth_serv/ca.pem",
1482 wait_connect=True, scan_freq="2412")
1483 dev[0].request("DISCONNECT")
1484 dev[0].wait_disconnected()
1485 dev[0].dump_monitor()
1486 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1487 dev[0].select_network(id, freq="2412")
1489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1491 raise Exception("EAP-TTLS not re-started")
1493 ev = dev[0].wait_disconnected(timeout=15)
1494 if "reason=23" not in ev:
1495 raise Exception("Proper reason code for disconnection not reported")
1497 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1498 """WPA2-Enterprise negative test - domain suffix mismatch"""
1499 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1500 hostapd.add_ap(apdev[0]['ifname'], params)
1501 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1502 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1503 password="password", phase2="auth=MSCHAPV2",
1504 ca_cert="auth_serv/ca.pem",
1505 domain_suffix_match="incorrect.example.com",
1506 wait_connect=False, scan_freq="2412")
1508 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1510 raise Exception("Association and EAP start timed out")
1512 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1514 raise Exception("EAP method selection timed out")
1515 if "TTLS" not in ev:
1516 raise Exception("Unexpected EAP method")
1518 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1519 "CTRL-EVENT-EAP-SUCCESS",
1520 "CTRL-EVENT-EAP-FAILURE",
1521 "CTRL-EVENT-CONNECTED",
1522 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1524 raise Exception("EAP result timed out")
1525 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1526 raise Exception("TLS certificate error not reported")
1527 if "Domain suffix mismatch" not in ev:
1528 raise Exception("Domain suffix mismatch not reported")
1530 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1531 "CTRL-EVENT-EAP-FAILURE",
1532 "CTRL-EVENT-CONNECTED",
1533 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1535 raise Exception("EAP result(2) timed out")
1536 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1537 raise Exception("EAP failure not reported")
1539 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1540 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1542 raise Exception("EAP result(3) timed out")
1543 if "CTRL-EVENT-DISCONNECTED" not in ev:
1544 raise Exception("Disconnection not reported")
1546 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1548 raise Exception("Network block disabling not reported")
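def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match="w1.fi" does not match the certificate presented by the
    test authentication server, so the station must report a TLS
    certificate error ("Domain mismatch"), fail EAP, disconnect and
    temporarily disable the network block instead of connecting.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first EAP result; a success (or a
    # plain failure) here would mean domain_match was not enforced.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the failure the network block must be temporarily disabled so
    # the station does not keep retrying against the rejected server.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")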
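def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match="/C=FI/O=w1.fi/CN=example.com" does not match the test
    server certificate. With OpenSSL the station must report a TLS
    certificate error ("Subject mismatch"), fail EAP, disconnect and
    temporarily disable the network block. Other TLS libraries do not
    implement subject_match; there the EAP method must fail to initialize,
    which equally prevents the connection.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only acceptable when the TLS library lacks subject_match support;
        # with OpenSSL the method must initialize and the mismatch must be
        # detected during the TLS handshake instead.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first EAP result.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must end up temporarily disabled after the failure.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")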
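def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the altsubject_match mismatch scenario once per pattern in
    ``tests``; every pattern must be rejected by the station.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): only these two patterns are visible in this listing;
    # the original list may carry further entries - confirm before relying
    # on this set being complete.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com" ]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)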
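def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match mismatch case against the already-started AP.

    ``match`` is an altsubject_match value that must not match the test
    server certificate. With OpenSSL the station must report a TLS
    certificate error ("AltSubject mismatch"), fail EAP, disconnect and
    temporarily disable the network block. Other TLS libraries do not
    implement altsubject_match; there the EAP method must fail to
    initialize, which equally prevents the connection. The network block
    is removed at the end so the caller can run the next pattern.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only acceptable when the TLS library lacks altsubject_match
        # support; with OpenSSL the mismatch must be detected in the TLS
        # handshake instead.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first EAP result.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")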
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-only TLS authentication: the station validates the server
    against auth_serv/ca.pem and configures no client credentials, then
    re-authenticates once connected.
    """
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "UNAUTH-TLS"
    eap_connect(dev[0], apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
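def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises the hash://server/sha256/<digest> form of ca_cert, which pins
    the server certificate itself instead of trusting a CA:
      1. ca_cert="probe://" only learns the server certificate hash from
         the CTRL-EVENT-EAP-PEER-CERT event and must not complete the
         connection (a certificate chain probe error is reported and the
         station disconnects);
      2. a pin with a wrong digest must be rejected with
         "Server certificate mismatch";
      3. the correct pin connects normally.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 digest of the test server certificate; the probe in step 1
    # must report exactly this value.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe the server certificate without authenticating.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a well-formed pin for a different certificate. TLS processing
    # must reject the server certificate and report the mismatch.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash learned in step 1 - the only variant that is
    # allowed to complete the connection.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")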
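def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash://server/ ca_cert values are configured on three
    stations. Each must make EAP-TTLS fail already at method
    initialization, so a broken pin can never be silently accepted as
    "no verification".
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # md5 is not an accepted digest algorithm for server certificate pinning
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    # SHA-256 digest that is two hex characters short
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    # non-hexadecimal character ('Q') in the digest
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")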
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")
    # Very long identity - presumably to exercise EAP-pwd fragmentation.
    # NOTE(review): this eap_connect() call is truncated in this listing;
    # its remaining keyword argument(s) and closing parenthesis are missing.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)
    # NOTE(review): this call is truncated in this listing as well.
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user is accepted both with the plaintext password and
    with its NT hash given as password_hex="hash:...". The same hash
    presented under the "pwd user" identity must be rejected. NT hash is
    MD4-based, hence the FIPS skip.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    # Negative case: the same hash with a different identity must fail
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Re-creates the AP once per pwd_group value and checks that the
    station completes EAP-pwd with each group the server is configured
    to use.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in [ 19, 20, 21, 25, 26 ]:
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Drop the previous network block so a fresh EAP exchange is run
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
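def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The server is configured with pwd_group=0, which is not a valid
    EAP-pwd group, so the exchange must end in EAP failure on the peer.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout here: wait_event()'s default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")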
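def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size=40 on the authentication server forces the EAP-pwd
    messages to be split into many fragments; the peer must reassemble
    them and complete the connection.
    """
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is written out explicitly rather than taken
    # from hostapd.wpa2_eap_params() so that pwd_group and fragment_size
    # sit next to the other EAP server settings.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")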
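def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with default cipher suite negotiation, re-authenticates, then
    forces each cipher suite through phase1="cipher=N" and verifies that an
    unknown suite (cipher=9) is rejected with EAP failure. Ends with a
    wrong-PSK negative test.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Updating phase1 on the live network block is expected to trigger
        # a new EAP exchange using the forced cipher suite.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)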
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive connection and re-authentication with the shared key given
    as hex, then a negative run with a key whose first byte differs.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "sake user"
    eap_connect(dev[0], apdev[0], "SAKE", user,
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", user,
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
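def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with default algorithm negotiation, re-authenticates, then
    forces specific DH group / encryption / PRF / MAC combinations through
    phase1 and checks that an unsupported combination (all set to 9) ends
    in EAP failure. Finishes with a wrong-password negative test.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Updating phase1 on the live network block is expected to trigger
        # a new EAP exchange using the forced algorithms.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)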
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The internal EAP server is given an NAI-style server_id
    ('example.server@w1.fi'); EAP-EKE must still complete.
    """
    ap_params = dict(int_eap_server_params(),
                     server_id='example.server@w1.fi')
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Each (count, func) pair makes the count-th allocation in the named
    # hostapd EAP-EKE server function fail; the peer must observe a clean
    # EAP failure for every one of them.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Server-side failures where the peer does not get a timely EAP
    # failure: connect without waiting and watch GET_ALLOC_FAIL instead.
    # "wrong" is used for eap_eke_build_failure so that the server's
    # failure path is actually exercised.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop around this check and the body
            # of the 'if' are not visible in this listing. GET_ALLOC_FAIL
            # presumably reports "<remaining>:<func>", so a leading '0'
            # means the injected failure has been consumed.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
        dev[0].request("REMOVE_NETWORK all")

    # Sweep allocation failures through the generic server state machine
    # step until alloc_fail() reports that no failure was triggered, i.e.
    # count has passed the number of allocations on this path.
    # NOTE(review): the 'try:' this 'except' belongs to, the polling loop,
    # and the lower bound check before "Too few allocation failures" are
    # not visible in this listing.
    for count in range(1, 1000):
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connection and re-authentication with the default fragment size, a
    second connection with fragment_size="50" to exercise peer-side
    fragmentation, and a negative run with a wrong password.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "IKEV2"
    user = "ikev2 user"
    eap_connect(dev[0], apdev[0], method, user, password="ike password")
    eap_reauth(dev[0], method)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], method, user, password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], method, user, password="ike-password",
                expect_failure=True)
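def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size=50 on the authentication server forces the IKEv2
    messages into many small EAP fragments; the peer must reassemble them
    and complete both the initial connection and a re-authentication.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is written out explicitly rather than taken
    # from hostapd.wpa2_eap_params() so that fragment_size sits next to
    # the other EAP server settings.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")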
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failures in the station's Diffie-Hellman code paths; each
    # must be survived cleanly (method selected, failure consumed).
    # NOTE(review): one list entry between these two is not visible in
    # this listing.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the 'if ev is None:' guard for this raise and
            # the polling loop (with its break) around the GET_ALLOC_FAIL
            # check are not visible in this listing. A leading "0:" in
            # GET_ALLOC_FAIL presumably means the injected failure has
            # been consumed.
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
        dev[0].request("REMOVE_NETWORK all")

    # Same exercise for the random-number source used by dh_init(), via
    # fail_test()/GET_FAIL instead of alloc_fail()/GET_ALLOC_FAIL.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard and polling loop not visible here either.
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_FAIL"):
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Positive connection plus re-authentication with the shared key given
    as hex, followed by a negative run with a key whose first byte differs.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP offers only WPA-EAP-SHA256 with PMF required (ieee80211w=2), so
    the station must negotiate the SHA-256 802.1X AKM (00-0f-ac-5); this
    is checked both in the station MIB and in the BSS table flags. A wrong
    key must end in EAP failure.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    sha256_akm = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                        ("dot11RSNAAuthenticationSuiteSelected", sha256_akm) ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failures injected into the AES-EAX encrypt/decrypt paths
    # EAP-PSK uses on the station. Entries use alloc_fail()'s function
    # matching syntax ("callee;caller", leading '='); see that helper for
    # the exact semantics. Each case only has to be survived cleanly
    # (method selected, injected failure consumed).
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the 'if ev is None:' guard for this raise and
            # the polling loop (with its break) around the GET_ALLOC_FAIL
            # check are not visible in this listing.
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
        dev[0].request("REMOVE_NETWORK all")

    # A failure in the basic AES block operation must surface as an EAP
    # failure rather than being absorbed silently.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): 'if ev is None:' guard not visible in this listing.
        raise Exception("EAP method failure not reported")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (not WPA2/RSN) AP: hence rsn=False in the checks below and the
    # legacy 00-50-f2-1 AKM selector in the MIB check.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): this connect() call is truncated in this listing; its
    # remaining argument(s) and closing parenthesis are not visible.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    # 00-50-f2-1 is the WPA (Microsoft OUI) 802.1X AKM suite selector, as
    # opposed to 00-0f-ac-1 used by RSN/WPA2.
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The EAP Session-Id starts with the EAP method type; 0x19 (25) is PEAP.
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # hapd is not used further in this test
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Each entry: (description, eap, anonymous_identity, identity, phase2,
    # identity to supply on CTRL-REQ-IDENTITY or None, password to supply
    # on CTRL-REQ-PASSWORD/CTRL-REQ-OTP). Credentials left out of the
    # network block are requested over the control interface instead.
    # NOTE(review): the first tuple is missing its last two fields in this
    # listing (the line between "auth=MSCHAPV2" and the next entry).
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        # NOTE(review): the condition that limits the identity request to
        # entries with req_id set, and the 'if ev is None:' guards for the
        # two raises below, are not visible in this listing.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the trailing number of "CTRL-REQ-IDENTITY-<id>:"
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # The inner method may ask for a one-time password instead of a
        # password; answer with the matching CTRL-RSP variant.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): this second eap_connect() call is truncated in this
    # listing - its remaining keyword argument(s) and closing parenthesis
    # are not visible.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 lets the station obtain a PAC during the first
    connection without authenticating the server; the PAC is stored in
    the blob "fast_pac". The re-authentication must then resume the TLS
    session from that PAC (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # 'params' is the test-runner parameter dict here (logdir etc.); it is
    # rebound to the AP configuration below, so take the file paths first.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): several lines of this function are not visible in this
    # listing: the read of the PAC file into 'data', the closing arguments
    # of three eap_connect() calls and the cleanup of pac_file. The
    # comments below describe only what is shown.

    # Unauthenticated provisioning writes a text-format PAC to pac_file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
    # The PAC file must carry the version-1 header and at least one
    # PAC-Key entry (the PAC's secret material).
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect without provisioning - presumably using the stored PAC.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Same sequence with a binary-format PAC file on a second station.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Unauthenticated provisioning with the PAC stored in binary format
    (fast_pac_format=binary) and the PAC list limited to one entry; the
    re-authentication must resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1,
                pac_file="blob://fast_pac_bin")
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
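def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two misconfigurations that must both end in EAP failure rather than a
    connection: a pac_file blob with no usable PAC and provisioning not
    enabled, and no pac_file at all.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # No fast_provisioning in phase1 and a blob that presumably holds no
    # PAC: nothing to authenticate with and nothing may be provisioned.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same, but without any pac_file parameter.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")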
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 selects authenticated provisioning (the server is
    # validated against ca_cert) with EAP-GTC as the inner method; the PAC
    # ends up in a config blob.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST",
                password="password",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume from the provisioned PAC.
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning run as "user", the inner
    identity of the live profile is changed to "user2"; the subsequent
    EAP-FAST run is expected to start and then fail (the stored PAC must
    not silently authenticate a different identity).
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing a network parameter triggers a disconnect/reconnect cycle.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the `if ev is None:` guards before the two raises below
    # are not in this listing; confirm against the full file.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Fault injection: the second allocation in openssl_tls_prf on the
    supplicant is made to fail, and the exchange must end in a reported
    EAP failure (no crash, no silent success).
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        # NOTE(review): one argument line of this connect() call is not in
        # this listing (the other EAP-FAST/GTC tests pass phase2 here);
        # confirm against the full file.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): `if ev is None:` guard missing from this listing.
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Fault injection on the hostapd side: the first allocation in
    tls_session_ticket_ext_cb fails, so the EAP-FAST run must end in an EAP
    failure; the network is then re-selected to check the station recovers.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed, all-zero-ish test key for the server's PAC-Opaque protection and
    # a fixed authority ID. Test-only values: a real deployment must use a
    # random pac_opaque_encr_key, since it is what keeps PAC-Opaque contents
    # confidential/authentic for every client of this server.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): `if ev is None:` guard missing from this listing;
        # the indentation of the following cleanup lines relative to the
        # `with` block is also not recoverable from it.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes the stapled OCSP status mandatory on the client: the
    # negative tests below show that a bad, unknown-signer or revoked status
    # ends in EAP failure under this setting (ocsp=1 is only optional).
    # The PKCS#12 passphrase is a fixed test value.
    client = dict(ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client)
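def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    Every call returns a fresh dict; callers in this file mutate the result
    (overriding server_cert/private_key, dh_file, ocsp_stapling_response,
    eap_user_file, ...) and subscript it immediately, so the function must
    return the dict rather than fall off the end.

    Profile: WPA2/RSN with CCMP only, 802.1X port control, and hostapd's
    built-in EAP server (eap_server=1) reading users from
    auth_serv/eap_user.conf and presenting the auth_serv test server
    certificate and key. These are test-tree credentials only.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }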
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The server staples a file that (by its name) is an OCSP request, not a
    response. With ocsp=2 the client must flag it as a bad certificate
    status response and the EAP exchange must fail.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): this listing lacks the polling structure around the
    # status wait (the `if ev is None:` guard, the `break` on the expected
    # status, and the counter the "Unexpected number ..." message refers
    # to); the lines are shown as given. Confirm against the full file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    Stapled response file is a deliberately corrupted cached response; with
    ocsp=2 the client must reject it and the EAP exchange must fail.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status polling loop (`if ev is None:` guard, `break`
    # on a match, and the counter behind "Unexpected number ...") is not in
    # this listing; lines shown as given. Confirm against the full file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the client cannot tie to the
    issuer; accepting it would let anyone forge "good" statuses, so with
    ocsp=2 the client must treat it as a bad status response and fail.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status polling loop (`if ev is None:` guard, `break`
    # on a match, and the counter behind "Unexpected number ...") is not in
    # this listing; lines shown as given. Confirm against the full file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated stapled response (from the log directory) whose
    status is "revoked". With ocsp=2 the client must report either a bad
    status response or an explicit "certificate revoked" and then fail.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # The `params` argument (test run settings) is shadowed from here on by
    # the hostapd parameter dict.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status polling loop (`if ev is None:` guard, the
    # `break`s on either accepted status text, and the counter behind
    # "Unexpected number ...") is not in this listing; lines shown as given.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    NOTE(review): the original docstring said "status revoked", but the
    stapled file here is the "unknown" status response. With ocsp=2
    (required) an unknown status must be treated as a bad status response
    and the EAP exchange must fail; the ocsp=1 variant below accepts it.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status polling loop (`if ev is None:` guard, `break`
    # on a match, and the counter behind "Unexpected number ...") is not in
    # this listing; lines shown as given. Confirm against the full file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
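def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same stapled "unknown" response as the ocsp=2 test above, but the client
    is configured with ocsp=1 (optional). The connect() call is left to wait
    for completion, i.e. the connection is expected to succeed.

    Security caveat: ocsp=1 means an "unknown" (or presumably absent)
    status does not block the connection; only ocsp=2 enforces a good
    stapled status. The docstring previously described this as "status
    revoked", which did not match the file used.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")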
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so name matching presumably
    falls back to the subject CN (server3.w1.fi, judging by the sibling
    domain_match test). The suffix given here is the full name, which any
    TLS backend can match, hence no check_domain_match_full() gate.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the remaining argument line(s) and the
                   # closing parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)

    domain_match requires the full name to match; with no dNSName SAN in
    the server certificate the CN (server3.w1.fi) is what gets compared.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the remaining argument line(s) and the
                   # closing parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Partial suffix ("w1.fi") against a CN-only certificate. Per
    check_domain_match_full(), non-OpenSSL backends can only do a full
    match on domain_suffix_match, so the test is skipped there.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Note this connects dev[1] although the capability check was on dev[0].
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the remaining argument line(s) and the
                   # closing parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Both stations must fail: dev[0] uses an unrelated domain, and dev[1]
    uses "erver3.w1.fi", which is a string suffix of server3.w1.fi but not
    a suffix on a label boundary. A naive endswith() check would accept
    the latter, which is exactly the bypass this test guards against.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guards before both raises are missing
    # from this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Both stations must fail: dev[0] uses an unrelated domain and dev[1]
    uses the parent domain "w1.fi". domain_match is a full-name match, so
    a parent domain must not be accepted (that is what domain_suffix_match
    is for).
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guards before both raises are missing
    # from this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The supplicant must emit a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired" (not some generic error), and then fail.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): `if ev is None:` guards before this raise and the last
    # one are missing from this listing.
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the previous test, but the client
    sets phase1 tls_disable_time_checks=1 so the validity period is not
    enforced. Security caveat: this knob disables expiry checking entirely
    (e.g. for devices without a trustworthy clock); it should not be used
    in production profiles as a workaround for an expired server cert.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Server certificate with a very long validity period; the client is
    expected to accept it (no failure wait follows the connect call).
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only the client-authentication EKU. A
    client that honours Extended Key Usage must refuse it as a server
    certificate, so an EAP failure is expected (otherwise any holder of a
    client cert from the CA could impersonate the authentication server).
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard missing from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: with both EKUs present the
    certificate is valid for server use and no failure wait follows.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads both the server certificate and key from one PKCS#12
    container, so server_cert is removed from the parameters and
    private_key points at the .pkcs12 file instead.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): remaining argument line(s) and the closing
                   # parenthesis of this call are not in this listing.
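def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The supplicant is given its own DH parameter file (dh_file) for the TLS
    handshake and the CA certificate in DER form. The inner method is PAP
    (the docstring previously said CHAP, which did not match phase2).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")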
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Client dh_file pointing at DSA parameters (dsaparam.pem) rather than a
    # plain DH parameter file; the connection is still expected to succeed.
    creds = {"anonymous_identity": "ttls",
             "password": "password",
             "ca_cert": "auth_serv/ca.der",
             "phase2": "auth=PAP",
             "dh_file": "auth_serv/dsaparam.pem"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **creds)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Client-side variant: dh_file names a non-existent file, so the TLS
    setup on the supplicant fails and an EAP failure is expected.

    NOTE(review): a second function with this exact name is defined later
    in this file (the server-side dh_file variant). Python keeps the last
    definition, so this test is shadowed and never collected/run; one of
    the two should be renamed.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard missing from this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Client-side variant: dh_file points at a certificate (ca.pem), which is
    not DH parameters, so TLS setup fails and an EAP failure is expected.

    NOTE(review): a second function with this exact name is defined later
    in this file (the server-side variant) and shadows this one, so this
    test never runs; rename one of them.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard missing from this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
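def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are read from auth_serv/dh2.conf, pushed into the
    supplicant as a named config blob over the control interface (hex
    encoded), and referenced with dh_file="blob://dhparams". The inner
    method is PAP (the docstring previously said CHAP).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    # The SET blob command takes the blob contents as a hex string.
    res = dev[0].request("SET blob dhparams " + dh.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="blob://dhparams")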
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    server = int_eap_server_params()
    # Server-side dh_file: hostapd's TLS server uses these DH parameters.
    server["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server)
    creds = {"anonymous_identity": "ttls",
             "password": "password",
             "ca_cert": "auth_serv/ca.der",
             "phase2": "auth=PAP"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **creds)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    server = int_eap_server_params()
    # Server-side dh_file given as DSA parameters instead of DH parameters.
    server["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server)
    creds = {"anonymous_identity": "ttls",
             "password": "password",
             "ca_cert": "auth_serv/ca.der",
             "phase2": "auth=PAP"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **creds)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this name is also defined earlier in the file for the
    # client-side dh_file case; this later definition shadows it, so the
    # earlier test never runs. Renaming one of the two would fix that.
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the bad configuration is reported
    # by ENABLE instead of making add_ap itself fail.
    ap = hostapd.add_ap(apdev[0]['ifname'], server, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): this name is also defined earlier in the file for the
    # client-side dh_file case; this later definition shadows it, so the
    # earlier test never runs. Renaming one of the two would fix that.
    server = int_eap_server_params()
    # A certificate file is not DH parameters; hostapd must refuse to start.
    server["dh_file"] = "auth_serv/ca.pem"
    ap = hostapd.add_ap(apdev[0]['ifname'], server, no_enable=True)
    res = ap.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    eap_reauth_period=2 makes the Authenticator re-run EAP two seconds
    after the initial EAP-PAX authentication; the station must see a new
    EAP-STARTED / EAP-SUCCESS and settle back into COMPLETED.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-PAX with a fixed 16-byte test key.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): `if ev is None:` guards before the two raises below are
    # missing from this listing.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("Timeout on reauthentication")
    # Poll wpa_state up to 20 times for COMPLETED.
    # NOTE(review): the loop body lines after the state check (the `break`
    # and the inter-poll sleep) are not in this listing.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed by a literal backslash-zero (the Python
    # literal is escaped, so hostapd receives the two characters "\0",
    # presumably parsed as the NUL separator) and then option fields.
    ap['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap)
    # EAP-PAX with a fixed 16-byte test key; the check is simply that the
    # extra Identity-request payload does not break the authentication.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    server = int_eap_server_params()
    # Back the integrated EAP server with the external HLR/AuC gateway and
    # enable protected result indications on the server side.
    server['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server)

    # (method, identity, credential string) for each SIM-family method. The
    # credential strings are fixed test vectors (presumably matching the
    # hlr_auc_gw test database), not real subscriber secrets.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks on both stations before
            # the next method (done between methods only, not after the
            # last one).
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the protected result indication and then
        # reauthenticates; dev[1] connects without result_ind.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    Exercises the supplicant's cap on EAP roundtrips (the "EAP: more than"
    message), a guard against an authentication that never converges and
    would otherwise tie up the station indefinitely.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the final argument line and closing
                   # parenthesis of this call (whatever forces the excessive
                   # roundtrips) are not in this listing.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): `if ev is None:` guard missing from this listing.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The "vendor-test" identity makes the server propose a vendor (expanded
    type) method; the client, configured only for EAP-PSK, must answer with
    an expanded NAK ("refuse proposed method" status) and the exchange must
    end in EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Fixed 16-byte EAP-PSK test key.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   # NOTE(review): the remaining argument line(s) and closing
                   # parenthesis of this call, and the statements before the
                   # loop, are not in this listing.
    # Up to five status events are inspected for the NAK indication.
    # NOTE(review): the loop body's `if ev is None:` guard, the `break` on a
    # match and the else-branch structure are not in this listing.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throw-away SQLite user database in the log directory and
    points hostapd's eap_user_file at it ("sqlite:" prefix), then runs one
    TTLS inner method per user row.

    Security note: passwords are stored in cleartext in the users table.
    The CHAP/MSCHAP family of inner methods needs the cleartext password
    (or a hash derived from it) on the server side, so this is inherent to
    those methods; the DB file must be protected accordingly.
    """
    skip_with_fips(dev[0])
    # NOTE(review): the try/import of sqlite3 that this skip belongs to, the
    # removal of any stale DB file, and the cursor creation are not in this
    # listing; lines shown as given.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Static schema and fixed test rows; no external input is interpolated
    # into these SQL strings.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard row: outer (phase 1) methods allowed for any
    # anonymous identity.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # The `params` argument (test run settings) is shadowed from here on.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Robustness check against the integrated EAP server: identities
    containing a 0x80 byte must not break the server; the test only
    requires that EAP starts and a method gets selected on both stations
    (no success or failure outcome is asserted).
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): `if ev is None:` guards before both raises are
        # missing from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    wpa2_eap_params() AP (external authentication server path) instead of
    the integrated EAP server.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): `if ev is None:` guards before both raises are
        # missing from this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three client-side openssl_ciphers settings against a default server:
    "AES128" must work; "EXPORT" must fail (export-grade suites are not
    acceptable, and depending on the OpenSSL build the failure may be
    raised locally before any handshake, hence maybe_local_error); "FOO"
    is not a valid cipher string and must produce an EAP failure.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   # NOTE(review): the remaining argument line and closing
                   # parenthesis of this call are not in this listing.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): `if ev is None:` guard missing from this listing.
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)
    server = int_eap_server_params()
    # Restrict the server to AES-256 suites (OpenSSL cipher-list syntax).
    server['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client list overlaps with the server's AES256 set: succeeds.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    # Client limited to AES128 has no suite in common with an AES256-only
    # server, so the handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    # "HIGH:!ADH" (strong suites, anonymous DH excluded) still overlaps.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)

    # An unparseable cipher string must be rejected at ENABLE time; a
    # second AP is added without enabling so the error surfaces there.
    server['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Key-hygiene test: snapshots wpa_supplicant's process memory at several
    # points of the connection lifecycle and checks which secrets (password,
    # PMK, MSK, EMSK, KCK, KEK, TK, GTK) are still present at each point.
    # `params['logdir']` is the test-run log directory; the debug log of
    # dev[0] ('log0') is parsed for the key hexdumps used as search patterns.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # A long random-looking password so that memory searches for it do not
    # produce accidental matches.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # First snapshot while associated (presumably needs ptrace access to the
    # wpa_supplicant process, i.e. root -- see read_process_memory).
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the actual key values from the debug log; the hex bytes follow
    # the third ':' of each "hexdump" line, with the spaces stripped.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    # Without the key hexdumps (debug logging not verbose enough) the test
    # cannot make any statement about memory contents.
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
        raise Exception("Unexpected GTK length")
    # Prefix for memory-context dumps written by verify_not_present() when a
    # key that should have been wiped is still found.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # While associated the password, PMK, KCK and KEK are legitimately in use.
    # Not finding them is treated as "snapshot unusable" (HwsimSkip) for the
    # password/PMK, but as a hard failure for KCK/KEK. TK and GTK must already
    # be absent: they are handed to the driver and must not be retained in
    # userspace. (KCK/KEK/TK are presumably slices of the PTK; the slicing is
    # not visible in this excerpt.)
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
        raise HwsimSkip("PMK not found while associated")
        raise Exception("KCK not found while associated")
        raise Exception("KEK not found while associated")
        raise Exception("TK found from memory")
        raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    # After disassociation all 4-way-handshake keys (KCK, KEK, TK, GTK) must be
    # gone; password, PMK, MSK and EMSK are only located/logged here, since
    # they may legitimately survive per the notes above.
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Flush the PMKSA cache and change the identity of the profile (which,
    # per the log message below, is expected to drop the EAP fast re-auth
    # state); the PMK then has no remaining legitimate holder.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # Removing the network profile is the last legitimate holder of the
    # password; afterwards no secret from this session may remain in memory.
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # The injected frame header decodes as EAPOL version 2, packet type 3
    # (EAPOL-Key), body length 0x2c, key descriptor type 1 -- the legacy
    # RC4/WEP key descriptor, not the RSN descriptor used on a WPA2 link.
    # The station must ignore it rather than install a WEP key on an RSN
    # association.
    # NOTE(review): only the control-interface result of EAPOL_RX is checked
    # here; the test does not verify afterwards that the station is still
    # connected or that no key was installed.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
        raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # Wrapper around _test_ap_wpa2_eap_in_bridge() that tears the bridge and
    # the 4addr setting down again. Cleanup uses subprocess.call with argument
    # lists (no shell) and ignores the exit status, so a partially created
    # setup is removed best-effort without masking the test result.
    # (br_ifname / ifname are set outside the visible excerpt.)
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    # Body of the bridge test: a separate wpa_supplicant instance (global
    # control socket /tmp/wpas-wlan5) drives a station interface that is a
    # member of a Linux bridge, so EAPOL frames have to be received via the
    # bridge rather than directly on the wireless interface.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup; forwarding delay 0 so the port is usable immediately.
    # 4addr mode is what allows a station interface to be bridged at all.
    # Only 'brctl addif' is check_call'ed: failing to enslave the interface
    # would make the rest of the test meaningless.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # EAP-PAX with a pre-shared hex key; no certificates involved.
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    # Full disconnect/reconnect cycle over the bridged interface.
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    # EAP-TTLS/PAP with TLS session tickets explicitly turned on
    # (tls_disable_session_ticket=0 in phase1), followed by a reauthentication.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Sanity check that GET_CONFIG reports WPA-EAP as the first AKM.
    cfg = hapd.get_config()
    akm_list = cfg['key_mgmt']
    first_akm = akm_list.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Second authentication round with tickets enabled; whether it actually
    # resumes the TLS session is not asserted here.
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check that GET_CONFIG reports WPA-EAP as the first AKM.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' presumably disables wpa_supplicant's interoperability
    # workarounds for non-compliant EAP servers (enabled by default); the
    # internal hostapd server must be authenticable without them.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    # Server-side CRL enforcement with the internal EAP server. The client
    # always presents the same (unrevoked) certificate; only the server's
    # CRL configuration changes between the three attempts.
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    # This is the fail-closed case: CRL checking is required but no CRL was
    # loaded with the CA, so the server must refuse rather than skip the check.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Switch the server to a CA bundle that (per its name) also carries a CRL.
    # Whether hapd.set() alone reloads the TLS context, or a disable/enable
    # cycle is needed, is not visible in this excerpt.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    # check_crl=2 presumably extends the check to every certificate in the
    # chain (per hostapd.conf) -- confirm against the hostapd documentation.
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # All four certificate-matching constraints are set on the profile, so the
    # supplicant must support them (OpenSSL-only, per the check_* helpers).
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Fail the 1st..4th allocation inside tls_connection_set_subject_match(),
    # one at a time. The intent is that a failure to apply the server
    # certificate constraints stops the connection attempt instead of
    # proceeding with the constraints silently dropped; what the code below
    # actually asserts is only that the attempt stalls with a passphrase
    # request.
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # EAP-TLS against an AP with macaddr_acl=2, which (per hostapd.conf,
    # presumably) makes hostapd consult the external RADIUS server for the
    # station's MAC address in addition to the EAP exchange. The test only
    # asserts that a certificate-authenticated station still gets through.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station = dev[1]
    eap_connect(station, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    # Allocation failure on the authenticator side: the first eapol_auth_alloc()
    # call in hostapd fails while the station is associating.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Pre-scan so the connect below does not have to wait for a scan.
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # (the rest of this comment, and the trailing connect arguments, are
        # not visible in this excerpt)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    # Connect with EAP-TLS using the given phase1 string (TLS version
    # restrictions) and verify the negotiated version reported in the
    # eap_tls_version STATUS field matches `expected`.
    # Raises Exception on a mismatch; eap_connect() raises on its own if
    # the connection itself fails.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3390 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3391 """EAP-TLS and TLS version configuration"""
3392 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3393 hostapd.add_ap(apdev[0]['ifname'], params)
3395 tls = dev[0].request("GET tls_library")
3396 if tls.startswith("OpenSSL"):
3397 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3398 check_tls_ver(dev[0], apdev[0],
3399 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3401 check_tls_ver(dev[1], apdev[0],
3402 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3403 check_tls_ver(dev[2], apdev[0],
3404 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")