1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide root logger; the test cases announce each step with
# logger.info(...) so the run log shows which sub-scenario failed.
logger = logging.getLogger(None)
18 from utils import HwsimSkip, alloc_fail
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' cases need hostapd's hlr_auc_gw helper listening on
    /tmp/hlr_auc_gw.sock; when it is absent the test is skipped (HwsimSkip)
    rather than reported as a failure.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    The subject_match server-certificate constraint is only exercised with
    OpenSSL builds; any other library name returned by ``GET tls_library``
    raises HwsimSkip.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS library.

    The altsubject_match constraint (subjectAltName matching on the server
    certificate) is only validated with OpenSSL here; other backends, as
    reported by ``GET tls_library``, skip the test.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_library)
def check_domain_match_full(dev):
    """Skip the test unless domain_suffix_match supports real suffix matching.

    With TLS libraries other than OpenSSL (per ``GET tls_library``) the
    domain_suffix_match option only accepts a full-name match, so tests that
    rely on matching a proper suffix of the server name are skipped there.
    """
    reported = dev.request("GET tls_library")
    if reported.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + reported)
def check_cert_probe_support(dev):
    """Skip the test unless certificate probing is available on *dev*.

    Certificate probing is only supported with OpenSSL; the library name is
    taken from the ``GET tls_library`` control interface response.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("OpenSSL"):
        msg = "Certificate probing not supported with this TLS library: " + lib
        raise HwsimSkip(msg)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report)
78 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
84 expect_failure=False, local_error_report=False):
85 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
87 raise Exception("Association and EAP start timed out")
88 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev = dev.wait_disconnected(timeout=10)
98 if not local_error_report:
99 if "reason=23" not in ev:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
104 raise Exception("EAP success timed out")
107 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
109 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
111 raise Exception("Association with the AP timed out")
112 status = dev.get_status()
113 if status["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method not in status["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e = "WPA2-EAP-SHA256"
123 e = "WPA2/IEEE 802.1X/EAP"
125 e = "WPA/IEEE 802.1X/EAP"
126 if status["key_mgmt"] != e:
127 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on *dev* and validate the outcome.

    Issues the REAUTHENTICATE control command and then runs the same
    event/status verification as the initial authentication, with
    initial=False. Returns whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
135 def test_ap_wpa2_eap_sim(dev, apdev):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
140 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
141 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils.test_connectivity(dev[0], hapd)
143 eap_reauth(dev[0], "SIM")
145 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
146 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
148 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger.info("Negative test with incorrect key")
152 dev[0].request("REMOVE_NETWORK all")
153 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
154 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger.info("Invalid GSM-Milenage key")
158 dev[0].request("REMOVE_NETWORK all")
159 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
160 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger.info("Invalid GSM-Milenage key(2)")
164 dev[0].request("REMOVE_NETWORK all")
165 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
166 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger.info("Invalid GSM-Milenage key(3)")
170 dev[0].request("REMOVE_NETWORK all")
171 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
172 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger.info("Invalid GSM-Milenage key(4)")
176 dev[0].request("REMOVE_NETWORK all")
177 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
178 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger.info("Missing key configuration")
182 dev[0].request("REMOVE_NETWORK all")
183 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
195 params['auth_server_port'] = "1814"
196 hostapd.add_ap(apdev[0]['ifname'], params)
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger.info("SIM fast re-authentication")
201 eap_reauth(dev[0], "SIM")
203 logger.info("SIM full auth with pseudonym")
206 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
209 logger.info("SIM full auth with permanent identity")
212 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev[0], "SIM")
216 logger.info("SIM reauth with mismatching MK")
219 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev[0], "SIM", expect_failure=True)
221 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger.info("SIM reauth with mismatching counter")
233 eap_reauth(dev[0], "SIM")
234 dev[0].request("REMOVE_NETWORK all")
236 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
237 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev, apdev):
245 """EAP-SIM configuration options"""
246 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
247 hostapd.add_ap(apdev[0]['ifname'], params)
248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
249 identity="1232010000000000",
250 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1="sim_min_num_chal=1",
252 wait_connect=False, scan_freq="2412")
253 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
255 raise Exception("No EAP error message seen")
256 dev[0].request("REMOVE_NETWORK all")
258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
259 identity="1232010000000000",
260 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1="sim_min_num_chal=4",
262 wait_connect=False, scan_freq="2412")
263 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
265 raise Exception("No EAP error message seen (2)")
266 dev[0].request("REMOVE_NETWORK all")
268 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=2")
271 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
272 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity="345678")
275 def test_ap_wpa2_eap_sim_ext(dev, apdev):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev, apdev)
280 dev[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
283 check_hlr_auc_gw_support()
284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
285 hostapd.add_ap(apdev[0]['ifname'], params)
286 dev[0].request("SET external_sim 1")
287 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
288 identity="1232010000000000",
289 wait_connect=False, scan_freq="2412")
290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
292 raise Exception("Network connected timed out")
294 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid = p[0].split('-')[3]
303 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 raise Exception("EAP failure not reported")
309 dev[0].request("DISCONNECT")
310 dev[0].wait_disconnected()
313 dev[0].select_network(id, freq="2412")
314 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid = p[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
326 raise Exception("EAP failure not reported")
327 dev[0].request("DISCONNECT")
328 dev[0].wait_disconnected()
331 dev[0].select_network(id, freq="2412")
332 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid = p[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
344 raise Exception("EAP failure not reported")
345 dev[0].request("DISCONNECT")
346 dev[0].wait_disconnected()
349 dev[0].select_network(id, freq="2412")
350 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid = p[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
362 raise Exception("EAP failure not reported")
363 dev[0].request("DISCONNECT")
364 dev[0].wait_disconnected()
367 dev[0].select_network(id, freq="2412")
368 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid = p[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 raise Exception("EAP failure not reported")
381 dev[0].request("DISCONNECT")
382 dev[0].wait_disconnected()
385 dev[0].select_network(id, freq="2412")
386 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid = p[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
398 raise Exception("EAP failure not reported")
399 dev[0].request("DISCONNECT")
400 dev[0].wait_disconnected()
403 dev[0].select_network(id, freq="2412")
404 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid = p[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_aka(dev, apdev):
419 """WPA2-Enterprise connection using EAP-AKA"""
420 check_hlr_auc_gw_support()
421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
423 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
424 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
425 hwsim_utils.test_connectivity(dev[0], hapd)
426 eap_reauth(dev[0], "AKA")
428 logger.info("Negative test with incorrect key")
429 dev[0].request("REMOVE_NETWORK all")
430 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
431 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
434 logger.info("Invalid Milenage key")
435 dev[0].request("REMOVE_NETWORK all")
436 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
437 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
440 logger.info("Invalid Milenage key(2)")
441 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
442 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
445 logger.info("Invalid Milenage key(3)")
446 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
447 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
450 logger.info("Invalid Milenage key(4)")
451 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
452 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
455 logger.info("Invalid Milenage key(5)")
456 dev[0].request("REMOVE_NETWORK all")
457 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
458 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
461 logger.info("Invalid Milenage key(6)")
462 dev[0].request("REMOVE_NETWORK all")
463 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
464 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
467 logger.info("Missing key configuration")
468 dev[0].request("REMOVE_NETWORK all")
469 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
472 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
473 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
474 check_hlr_auc_gw_support()
478 raise HwsimSkip("No sqlite3 module available")
479 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
480 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
481 params['auth_server_port'] = "1814"
482 hostapd.add_ap(apdev[0]['ifname'], params)
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
486 logger.info("AKA fast re-authentication")
487 eap_reauth(dev[0], "AKA")
489 logger.info("AKA full auth with pseudonym")
492 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
493 eap_reauth(dev[0], "AKA")
495 logger.info("AKA full auth with permanent identity")
498 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
499 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
500 eap_reauth(dev[0], "AKA")
502 logger.info("AKA reauth with mismatching MK")
505 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
506 eap_reauth(dev[0], "AKA", expect_failure=True)
507 dev[0].request("REMOVE_NETWORK all")
509 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
510 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
513 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
514 eap_reauth(dev[0], "AKA")
517 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
518 logger.info("AKA reauth with mismatching counter")
519 eap_reauth(dev[0], "AKA")
520 dev[0].request("REMOVE_NETWORK all")
522 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
523 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
526 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
527 logger.info("AKA reauth with max reauth count reached")
528 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options (anonymous_identity).

    Brings up a WPA2-Enterprise AP and connects dev[0] with EAP-AKA using an
    explicit anonymous_identity in addition to the permanent identity and the
    same Milenage key material the other AKA tests use.
    """
    ap = apdev[0]
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    aka_password = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                    "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(sta, ap, "AKA", "0232010000000000",
                password=aka_password,
                anonymous_identity="2345678")
538 def test_ap_wpa2_eap_aka_ext(dev, apdev):
539 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
541 _test_ap_wpa2_eap_aka_ext(dev, apdev)
543 dev[0].request("SET external_sim 0")
545 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
546 check_hlr_auc_gw_support()
547 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
548 hostapd.add_ap(apdev[0]['ifname'], params)
549 dev[0].request("SET external_sim 1")
550 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
551 identity="0232010000000000",
552 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
553 wait_connect=False, scan_freq="2412")
554 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
556 raise Exception("Network connected timed out")
558 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
560 raise Exception("Wait for external SIM processing request timed out")
562 if p[1] != "UMTS-AUTH":
563 raise Exception("Unexpected CTRL-REQ-SIM type")
564 rid = p[0].split('-')[3]
567 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
568 # This will fail during processing, but the ctrl_iface command succeeds
569 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
570 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
572 raise Exception("EAP failure not reported")
573 dev[0].request("DISCONNECT")
574 dev[0].wait_disconnected()
577 dev[0].select_network(id, freq="2412")
578 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
580 raise Exception("Wait for external SIM processing request timed out")
582 if p[1] != "UMTS-AUTH":
583 raise Exception("Unexpected CTRL-REQ-SIM type")
584 rid = p[0].split('-')[3]
585 # This will fail during UMTS auth validation
586 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
587 raise Exception("CTRL-RSP-SIM failed")
588 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
590 raise Exception("Wait for external SIM processing request timed out")
592 if p[1] != "UMTS-AUTH":
593 raise Exception("Unexpected CTRL-REQ-SIM type")
594 rid = p[0].split('-')[3]
595 # This will fail during UMTS auth validation
596 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
597 raise Exception("CTRL-RSP-SIM failed")
598 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
600 raise Exception("EAP failure not reported")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected()
605 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
607 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
608 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
609 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
610 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
611 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
613 dev[0].select_network(id, freq="2412")
614 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
616 raise Exception("Wait for external SIM processing request timed out")
618 if p[1] != "UMTS-AUTH":
619 raise Exception("Unexpected CTRL-REQ-SIM type")
620 rid = p[0].split('-')[3]
621 # This will fail during UMTS auth validation
622 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
623 raise Exception("CTRL-RSP-SIM failed")
624 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
626 raise Exception("EAP failure not reported")
627 dev[0].request("DISCONNECT")
628 dev[0].wait_disconnected()
631 def test_ap_wpa2_eap_aka_prime(dev, apdev):
632 """WPA2-Enterprise connection using EAP-AKA'"""
633 check_hlr_auc_gw_support()
634 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
635 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
636 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
637 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
638 hwsim_utils.test_connectivity(dev[0], hapd)
639 eap_reauth(dev[0], "AKA'")
641 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
642 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
643 identity="6555444333222111@both",
644 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
645 wait_connect=False, scan_freq="2412")
646 dev[1].wait_connected(timeout=15)
648 logger.info("Negative test with incorrect key")
649 dev[0].request("REMOVE_NETWORK all")
650 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
651 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
654 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
655 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
656 check_hlr_auc_gw_support()
660 raise HwsimSkip("No sqlite3 module available")
661 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
663 params['auth_server_port'] = "1814"
664 hostapd.add_ap(apdev[0]['ifname'], params)
665 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
666 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
668 logger.info("AKA' fast re-authentication")
669 eap_reauth(dev[0], "AKA'")
671 logger.info("AKA' full auth with pseudonym")
674 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
675 eap_reauth(dev[0], "AKA'")
677 logger.info("AKA' full auth with permanent identity")
680 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
681 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
682 eap_reauth(dev[0], "AKA'")
684 logger.info("AKA' reauth with mismatching k_aut")
687 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
688 eap_reauth(dev[0], "AKA'", expect_failure=True)
689 dev[0].request("REMOVE_NETWORK all")
691 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
692 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
695 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
696 eap_reauth(dev[0], "AKA'")
699 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
700 logger.info("AKA' reauth with mismatching counter")
701 eap_reauth(dev[0], "AKA'")
702 dev[0].request("REMOVE_NETWORK all")
704 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
705 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
708 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
709 logger.info("AKA' reauth with max reauth count reached")
710 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP.

    Checks that hostapd reports WPA-EAP as the first key_mgmt entry, connects
    dev[0] with EAP-TTLS/PAP (server certificate validated against
    auth_serv/ca.pem), verifies data connectivity and re-authentication, and
    finally confirms the station MIB shows the IEEE 802.1X AKM selector
    (00-0f-ac-1) as both the requested and the selected authentication suite.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    akm_8021x = "00-0f-ac-1"
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                    ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)]
    check_mib(sta, expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match.

    Besides validating the server certificate against auth_serv/ca.pem, the
    station is configured to require a specific subject (subject_match) and
    the listed subjectAltName constraints (altsubject_match). Both options
    need the OpenSSL build, so the test is skipped on other TLS libraries.
    """
    sta = dev[0]
    for support_check in (check_subject_match_support,
                          check_altsubject_match_support):
        support_check(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert_constraints = dict(
        ca_cert="auth_serv/ca.pem",
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                phase2="auth=PAP", **cert_constraints)
    eap_reauth(sta, "TTLS")
740 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
741 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
744 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
745 anonymous_identity="ttls", password="wrong",
746 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
748 eap_connect(dev[1], apdev[0], "TTLS", "user",
749 anonymous_identity="ttls", password="password",
750 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP.

    Connects dev[0] with CHAP as the inner (phase 2) method; unlike the PAP
    variant the trusted CA is given as auth_serv/ca.der rather than the PEM
    file. Data connectivity and EAP re-authentication are then verified.
    """
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(ap['ifname'], ap_params)
    inner = dict(phase2="auth=CHAP", ca_cert="auth_serv/ca.der")
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password", **inner)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match.

    Same as the plain CHAP test, but the server certificate must additionally
    satisfy the altsubject_match constraints; skipped unless the station is
    built with OpenSSL.
    """
    sta, ap = dev[0], apdev[0]
    check_altsubject_match_support(sta)
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(sta, "TTLS")
774 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
775 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
776 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
777 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
778 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
779 anonymous_identity="ttls", password="wrong",
780 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
782 eap_connect(dev[1], apdev[0], "TTLS", "user",
783 anonymous_identity="ttls", password="password",
784 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
787 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
788 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
789 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
790 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
791 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
792 anonymous_identity="ttls", password="password",
793 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
794 domain_suffix_match="server.w1.fi")
795 hwsim_utils.test_connectivity(dev[0], hapd)
796 eap_reauth(dev[0], "TTLS")
797 dev[0].request("REMOVE_NETWORK all")
798 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
799 anonymous_identity="ttls", password="password",
800 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
803 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
804 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
805 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
806 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
807 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
808 anonymous_identity="ttls", password="wrong",
809 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
811 eap_connect(dev[1], apdev[0], "TTLS", "user",
812 anonymous_identity="ttls", password="password",
813 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
815 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
816 anonymous_identity="ttls", password="password",
817 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
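def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2.

    After the initial connection the hostapd STA and EAPOL counters are
    sampled, a re-authentication is triggered, and the counters are sampled
    again to confirm that more EAPOL frames were received, an EAP-Start
    arrived while already authenticated, and the backend reported another
    success. A second connection then supplies the password as a hash
    (password_hex="hash:...") instead of in clear text.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the Hostapd handle (as the other tests use it).
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a valid escape sequence and newer Python versions warn
    # about it; the doubled backslash yields the identical identity string.
    mschapv2_user = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", mschapv2_user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", mschapv2_user,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")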
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    Same flow as the plain EAP-TTLS/MSCHAPv2 test, but domain_suffix_match
    names only the parent domain "w1.fi" rather than the full server name.
    check_domain_match_full() skips the test (HwsimSkip) on TLS libraries
    that only support a full-name match.
    """
    check_domain_match_full(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (exact server-name match) instead of the suffix
    variant. The configured value "Server.w1.fi" differs from the server
    name only in case, so the connection presumably relies on a
    case-insensitive comparison — confirm against the TLS-side matching.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
874 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
875 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
# Negative test: dev[0] sends "password1" for the DOMAIN\mschapv2 user and
# dev[1] sends the plain "user" identity through the MSCHAPv2 inner method.
# The last argument line of both eap_connect calls (gutter 881, 885) is
# missing from this listing; presumably expect_failure=True.
876 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
877 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
878 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
879 anonymous_identity="ttls", password="password1",
880 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
882 eap_connect(dev[1], apdev[0], "TTLS", "user",
883 anonymous_identity="ttls", password="password",
884 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Two stations authenticate with a non-ASCII credential: dev[0] supplies
    the plaintext password (the file is UTF-8 encoded, see the coding
    cookie at the top) and dev[1] supplies the corresponding hash via
    password_hex. Both connections are expected to succeed.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Positive test: EAP-GTC carried as an inner EAP method (phase2
    autheap=GTC) inside the TTLS tunnel, followed by a connectivity check
    and a reauthentication.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
910 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
911 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
# Negative test for the inner EAP-GTC method with password "wrong". The
# final argument line of the eap_connect call (gutter 917) is missing from
# this listing; presumably expect_failure=True.
912 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
913 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
914 eap_connect(dev[0], apdev[0], "TTLS", "user",
915 anonymous_identity="ttls", password="wrong",
916 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
919 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
920 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
# Negative test: identity "user-no-passwd" has no password configured on
# the server side (inferred from the name), so the EAP-GTC exchange must
# not succeed. The final argument line of the eap_connect call (gutter 926)
# is missing from this listing; presumably expect_failure=True.
921 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
922 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
923 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
924 anonymous_identity="ttls", password="password",
925 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
928 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
929 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
# Server-side allocation-failure test. alloc_fail() arms the hostapd
# internal EAP server so that the named allocation fails; the client is
# expected to end up with an authentication failure rather than a crash.
# Several lines are missing from this listing: the end of the first
# eap_connect call (gutter 936, presumably expect_failure=True), the
# wait between connect and the GET_ALLOC_FAIL check (947-948) and the
# raise on line 950.
930 params = int_eap_server_params()
931 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
932 with alloc_fail(hapd, 1, "eap_gtc_init"):
933 eap_connect(dev[0], apdev[0], "TTLS", "user",
934 anonymous_identity="ttls", password="password",
935 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
937 dev[0].request("REMOVE_NETWORK all")
939 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
940 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
941 eap="TTLS", identity="user",
942 anonymous_identity="ttls", password="password",
943 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
944 wait_connect=False, scan_freq="2412")
945 # This would eventually time out, but we can stop after having reached
946 # the allocation failure.
# GET_ALLOC_FAIL starting with '0' is read here as "the armed failure has
# been consumed" — confirm against the hostapd test-build semantics.
949 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Positive test: EAP-MD5 as the tunnelled inner EAP method (phase2
    autheap=MD5), then a connectivity check and a reauthentication.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
962 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
963 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
# Negative test for the inner EAP-MD5 method with password "wrong". The
# final argument line of the eap_connect call (gutter 969) is missing from
# this listing; presumably expect_failure=True.
964 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
965 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
966 eap_connect(dev[0], apdev[0], "TTLS", "user",
967 anonymous_identity="ttls", password="wrong",
968 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
971 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
972 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
# Negative test with the "user-no-passwd" identity (no server-side password,
# inferred from the name). The final argument line of the eap_connect call
# (gutter 978) is missing from this listing; presumably expect_failure=True.
973 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
974 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
975 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
980 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
981 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
# Server-side allocation-failure test for the inner EAP-MD5 method; the
# structure mirrors the EAP-GTC server OOM test above (init failure, then
# buildReq failure). Missing from this listing: the end of the first
# eap_connect call (gutter 988, presumably expect_failure=True), the wait
# after the second connect (999-1000) and the raise on line 1002.
982 params = int_eap_server_params()
983 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984 with alloc_fail(hapd, 1, "eap_md5_init"):
985 eap_connect(dev[0], apdev[0], "TTLS", "user",
986 anonymous_identity="ttls", password="password",
987 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
989 dev[0].request("REMOVE_NETWORK all")
991 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
992 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
993 eap="TTLS", identity="user",
994 anonymous_identity="ttls", password="password",
995 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
996 wait_connect=False, scan_freq="2412")
997 # This would eventually time out, but we can stop after having reached
998 # the allocation failure.
1001 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    EAP-MSCHAPv2 as the tunnelled inner EAP method (phase2
    autheap=MSCHAPV2): connect, check connectivity, reauthenticate, then
    clear the network block and verify that a wrong password
    ("password1") is rejected.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

    eap_connect(sta, apdev[0], "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    Negative test: the "user-no-passwd" identity (no server-side password,
    inferred from the name) must fail the inner EAP-MSCHAPv2 exchange.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1030 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1031 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
# Server-side allocation-failure test for the inner EAP-MSCHAPv2 method.
# Four allocation points are armed in turn (init, challenge, success
# request, failure request); after each, the network block is removed.
# Missing from this listing: the wait lines after each wait_connect=False
# connect (gutter 1049-1050, 1063-1064, 1077-1078) and the raise lines
# under each GET_ALLOC_FAIL check (1052, 1066, 1080).
1032 params = int_eap_server_params()
1033 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1034 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1035 eap_connect(dev[0], apdev[0], "TTLS", "user",
1036 anonymous_identity="ttls", password="password",
1037 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1038 expect_failure=True)
1039 dev[0].request("REMOVE_NETWORK all")
1041 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1042 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1043 eap="TTLS", identity="user",
1044 anonymous_identity="ttls", password="password",
1045 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1046 wait_connect=False, scan_freq="2412")
1047 # This would eventually time out, but we can stop after having reached
1048 # the allocation failure.
1051 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1053 dev[0].request("REMOVE_NETWORK all")
1055 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1056 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1057 eap="TTLS", identity="user",
1058 anonymous_identity="ttls", password="password",
1059 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1060 wait_connect=False, scan_freq="2412")
1061 # This would eventually time out, but we can stop after having reached
1062 # the allocation failure.
1065 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1067 dev[0].request("REMOVE_NETWORK all")
# The failure-request path is only reached with a wrong password, hence
# password="wrong" for this arm.
1069 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1070 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1071 eap="TTLS", identity="user",
1072 anonymous_identity="ttls", password="wrong",
1073 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1074 wait_connect=False, scan_freq="2412")
1075 # This would eventually time out, but we can stop after having reached
1076 # the allocation failure.
1079 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1081 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA tunnelled inside EAP-TTLS (phase2 autheap=AKA). The identity is
    the permanent subscriber identifier and the password carries the
    colon-separated SIM parameters the simulated authentication server
    expects (looks like Ki:OPc:SQN — confirm against the auth_serv setup).
    """
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same SIM credential as the EAP-TTLS/EAP-AKA test, tunnelled in PEAP
    (phase2 auth=AKA) with the "@peap" anonymous identity realm.
    """
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Same SIM credential again, tunnelled in EAP-FAST with authenticated
    provisioning (phase1 fast_provisioning=2) and the PAC kept in a
    configuration blob. Skipped (HwsimSkip) when the build lacks EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Runs four PEAP/MSCHAPv2 variants on dev[0], clearing the network block
    between them: a plain connection with connectivity check and reauth, a
    connection with fragment_size="200" forcing EAP fragmentation, a
    connection with the password supplied as a hash (password_hex), and
    finally a wrong-password attempt that must fail.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
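def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a Windows-style "DOMAIN\\user3" prefix. The
    backslash is now written as an explicit escape: "\u" inside a non-raw
    string literal is a SyntaxError under Python 3 (truncated \\uXXXX
    escape), while the runtime value is unchanged from the original.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")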
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative test: the PEAP/MSCHAPv2 exchange with password "wrong" must
    end in an EAP failure (expect_failure=True).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and the three crypto_binding
    settings (2, 1, 0 — per wpa_supplicant's phase1 documentation:
    required, optional, not used). dev[0], with binding required, also
    gets a connectivity check and a reauthentication. All three
    connections are expected to succeed against this server.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    The internal EAP server is armed so that the inner method's key
    derivation (eap_mschapv2_getKey) fails to allocate; with crypto
    binding required (crypto_binding=2) the authentication must fail.
    local_error_report=True lets eap_connect accept a locally reported
    failure rather than one signalled by the server.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1192 def test_ap_wpa2_eap_peap_params(dev, apdev):
1193 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
# Exercises several phase1 PEAP options: peapver=0 with peaplabel=1 is
# expected to fail, peap_outer_success=1 and =2 on dev[1]/dev[2] are
# expected to succeed, and peapver=1 with peaplabel=1 must reach
# CTRL-EVENT-EAP-SUCCESS without producing CTRL-EVENT-CONNECTED within 1s.
# Missing from this listing: one argument line of the final connect()
# (gutter 1211, presumably identity="user") and the guards under the two
# wait_event() calls (1217, 1220, presumably the usual None checks).
1194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1195 hostapd.add_ap(apdev[0]['ifname'], params)
1196 eap_connect(dev[0], apdev[0], "PEAP", "user",
1197 anonymous_identity="peap", password="password",
1198 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1199 phase1="peapver=0 peaplabel=1",
1200 expect_failure=True)
1201 dev[0].request("REMOVE_NETWORK all")
1202 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1203 ca_cert="auth_serv/ca.pem",
1204 phase1="peap_outer_success=1",
1205 phase2="auth=MSCHAPV2")
1206 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1207 ca_cert="auth_serv/ca.pem",
1208 phase1="peap_outer_success=2",
1209 phase2="auth=MSCHAPV2")
1210 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1212 anonymous_identity="peap", password="password",
1213 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1214 phase1="peapver=1 peaplabel=1",
1215 wait_connect=False, scan_freq="2412")
1216 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1218 raise Exception("No EAP success seen")
# A short timeout here: EAP success must NOT turn into a connection.
1219 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1221 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method of PEAP: the outer tunnel validates the
    server with ca_cert, and the inner client authentication uses the
    phase-2 credential set (ca_cert2, client_cert2, private_key2). A
    reauthentication follows the initial connection.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(sta, apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based client authentication with the test CA, user
    certificate and key from auth_serv/, followed by a reauthentication.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
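def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    Loads the CA certificate, the client certificate and the private key
    into wpa_supplicant configuration blobs ("SET blob <name> <hex>")
    instead of referring to files, then connects with blob:// references.

    Raises Exception when wpa_supplicant rejects a SET blob request; the
    message names the blob that failed (the original reported a userkey
    failure as "cacert").
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # (blob name, PEM source). read_pem() (defined earlier in this file)
    # returns the base64-decoded body, which the control interface takes
    # as hex. str.encode("hex") is the Python 2 hex codec used throughout
    # this file.
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        cmd = "SET blob %s %s" % (name, data.encode("hex"))
        if "OK" not in dev[0].request(cmd):
            raise Exception("Could not set %s blob" % name)

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")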
1260 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1261 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
# First connection: client certificate and key come from a PKCS#12 file
# with the passphrase given in the network block. Second connection: the
# passphrase is omitted, so wpa_supplicant must ask for it via a
# CTRL-REQ-PASSPHRASE control-interface request, which the test answers
# with CTRL-RSP-PASSPHRASE-<id>. The guard under wait_event() (gutter
# 1274, presumably the usual None check) is missing from this listing.
1262 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1263 hostapd.add_ap(apdev[0]['ifname'], params)
1264 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1265 private_key="auth_serv/user.pkcs12",
1266 private_key_passwd="whatever")
1267 dev[0].request("REMOVE_NETWORK all")
1268 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1269 identity="tls user",
1270 ca_cert="auth_serv/ca.pem",
1271 private_key="auth_serv/user.pkcs12",
1272 wait_connect=False, scan_freq="2412")
1273 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1275 raise Exception("Request for private key passphrase timed out")
# The request id is the last '-'-separated field before the first ':' of
# the event text; `id` shadows the builtin (pre-existing naming).
1276 id = ev.split(':')[0].split('-')[-1]
1277 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1278 dev[0].wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (DER body from read_pem) and the raw PKCS#12 file
    are stored as configuration blobs and referenced as blob://cacert and
    blob://pkcs12; the PKCS#12 passphrase is given in the network block.
    str.encode("hex") is the Python 2 hex codec used throughout this file.

    Raises Exception when wpa_supplicant rejects either SET blob request.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in sta.request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")

    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12_hex = f.read().encode("hex")
        if "OK" not in sta.request("SET blob pkcs12 " + pkcs12_hex):
            raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1294 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1295 """WPA2-Enterprise negative test - incorrect trust root"""
# Server-certificate validation test: both stations are configured with a
# CA that did not issue the server certificate (dev[0] via a blob, dev[1]
# via a file). For each the expected control-interface sequence is
# EAP-STARTED, EAP-METHOD (TTLS), then a TLS certificate error, an EAP
# failure, a disconnection and finally the network block being temporarily
# disabled — i.e. the supplicant must never reach CONNECTED.
# Many lines are missing from this listing: gutter 1311 (between the two
# connect calls), and the guard line under each wait_event() (1314, 1318,
# 1328, 1337, 1344, 1350 — presumably `if ev is None:`), plus the blank
# separators.
1296 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1297 hostapd.add_ap(apdev[0]['ifname'], params)
1298 cert = read_pem("auth_serv/ca-incorrect.pem")
1299 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1300 raise Exception("Could not set cacert blob")
1301 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1302 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1303 password="password", phase2="auth=MSCHAPV2",
1304 ca_cert="blob://cacert",
1305 wait_connect=False, scan_freq="2412")
1306 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1307 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1308 password="password", phase2="auth=MSCHAPV2",
1309 ca_cert="auth_serv/ca-incorrect.pem",
1310 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop variable shadows the `dev` parameter, so after the
# loop `dev` refers to dev[1]; harmless here since nothing follows the loop.
1312 for dev in (dev[0], dev[1]):
1313 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1315 raise Exception("Association and EAP start timed out")
1317 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1319 raise Exception("EAP method selection timed out")
1320 if "TTLS" not in ev:
1321 raise Exception("Unexpected EAP method")
# Whatever terminal event arrives first, it has to be the certificate error.
1323 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1324 "CTRL-EVENT-EAP-SUCCESS",
1325 "CTRL-EVENT-EAP-FAILURE",
1326 "CTRL-EVENT-CONNECTED",
1327 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1329 raise Exception("EAP result timed out")
1330 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1331 raise Exception("TLS certificate error not reported")
1333 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1334 "CTRL-EVENT-EAP-FAILURE",
1335 "CTRL-EVENT-CONNECTED",
1336 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1338 raise Exception("EAP result(2) timed out")
1339 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1340 raise Exception("EAP failure not reported")
1342 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1343 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1345 raise Exception("EAP result(3) timed out")
1346 if "CTRL-EVENT-DISCONNECTED" not in ev:
1347 raise Exception("Disconnection not reported")
1349 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1351 raise Exception("Network block disabling not reported")
1353 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1354 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Two network blocks for the same SSID: the first trusts the correct CA and
# connects; the second (added with only_add_network=True) trusts
# ca-incorrect.pem. After disconnecting, selecting the second block must
# restart EAP-TTLS (proposed method 21) and then end in a disconnection
# whose reason field is 23 — presumably the IEEE 802.11 "802.1X
# authentication failed" reason code; confirm. The guard under the
# wait_event() call (gutter 1374, presumably `if ev is None:`) is missing
# from this listing.
1355 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1356 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1357 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1358 identity="pap user", anonymous_identity="ttls",
1359 password="password", phase2="auth=PAP",
1360 ca_cert="auth_serv/ca.pem",
1361 wait_connect=True, scan_freq="2412")
1362 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1363 identity="pap user", anonymous_identity="ttls",
1364 password="password", phase2="auth=PAP",
1365 ca_cert="auth_serv/ca-incorrect.pem",
1366 only_add_network=True, scan_freq="2412")
1368 dev[0].request("DISCONNECT")
1369 dev[0].wait_disconnected()
# dump_monitor() clears queued events so the checks below see only what
# the re-selection produces.
1370 dev[0].dump_monitor()
1371 dev[0].select_network(id, freq="2412")
1373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1375 raise Exception("EAP-TTLS not re-started")
1377 ev = dev[0].wait_disconnected(timeout=15)
1378 if "reason=23" not in ev:
1379 raise Exception("Proper reason code for disconnection not reported")
1381 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1382 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Variant of the previous test where the first network block sets no
# ca_cert at all (no server-certificate validation) and the second one
# trusts ca-incorrect.pem. Switching to the second block must restart
# EAP-TTLS (method 21) and end in a disconnection with reason=23. The
# guard under the wait_event() call (gutter 1401, presumably
# `if ev is None:`) is missing from this listing.
1383 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1384 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1385 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1386 identity="pap user", anonymous_identity="ttls",
1387 password="password", phase2="auth=PAP",
1388 wait_connect=True, scan_freq="2412")
1389 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1390 identity="pap user", anonymous_identity="ttls",
1391 password="password", phase2="auth=PAP",
1392 ca_cert="auth_serv/ca-incorrect.pem",
1393 only_add_network=True, scan_freq="2412")
1395 dev[0].request("DISCONNECT")
1396 dev[0].wait_disconnected()
1397 dev[0].dump_monitor()
1398 dev[0].select_network(id, freq="2412")
1400 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1402 raise Exception("EAP-TTLS not re-started")
1404 ev = dev[0].wait_disconnected(timeout=15)
1405 if "reason=23" not in ev:
1406 raise Exception("Proper reason code for disconnection not reported")
1408 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1409 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Third variant: a single network block whose ca_cert is changed in place
# (set_network_quoted) from the correct CA to ca-incorrect.pem between
# the first, successful connection and the re-selection. Expected outcome
# as before: EAP-TTLS restarts (method 21) and the station is disconnected
# with reason=23. The guard under the wait_event() call (gutter 1424,
# presumably `if ev is None:`) is missing from this listing.
1410 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1411 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1412 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1413 identity="pap user", anonymous_identity="ttls",
1414 password="password", phase2="auth=PAP",
1415 ca_cert="auth_serv/ca.pem",
1416 wait_connect=True, scan_freq="2412")
1417 dev[0].request("DISCONNECT")
1418 dev[0].wait_disconnected()
1419 dev[0].dump_monitor()
1420 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1421 dev[0].select_network(id, freq="2412")
1423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1425 raise Exception("EAP-TTLS not re-started")
1427 ev = dev[0].wait_disconnected(timeout=15)
1428 if "reason=23" not in ev:
1429 raise Exception("Proper reason code for disconnection not reported")
1431 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1432 """WPA2-Enterprise negative test - domain suffix mismatch"""
# The CA is correct but domain_suffix_match names a domain the server
# certificate does not carry. The expected event sequence is the same as
# in the incorrect-trust-root test (cert error, EAP failure, disconnect,
# SSID temporarily disabled), and the certificate-error event text must
# contain "Domain suffix mismatch". The guard line under each wait_event()
# (gutter 1443, 1447, 1457, 1468, 1475, 1481 — presumably `if ev is None:`)
# is missing from this listing.
1433 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1434 hostapd.add_ap(apdev[0]['ifname'], params)
1435 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1436 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1437 password="password", phase2="auth=MSCHAPV2",
1438 ca_cert="auth_serv/ca.pem",
1439 domain_suffix_match="incorrect.example.com",
1440 wait_connect=False, scan_freq="2412")
1442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1444 raise Exception("Association and EAP start timed out")
1446 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1448 raise Exception("EAP method selection timed out")
1449 if "TTLS" not in ev:
1450 raise Exception("Unexpected EAP method")
1452 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1453 "CTRL-EVENT-EAP-SUCCESS",
1454 "CTRL-EVENT-EAP-FAILURE",
1455 "CTRL-EVENT-CONNECTED",
1456 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1458 raise Exception("EAP result timed out")
1459 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1460 raise Exception("TLS certificate error not reported")
1461 if "Domain suffix mismatch" not in ev:
1462 raise Exception("Domain suffix mismatch not reported")
1464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1465 "CTRL-EVENT-EAP-FAILURE",
1466 "CTRL-EVENT-CONNECTED",
1467 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1469 raise Exception("EAP result(2) timed out")
1470 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1471 raise Exception("EAP failure not reported")
1473 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1474 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1476 raise Exception("EAP result(3) timed out")
1477 if "CTRL-EVENT-DISCONNECTED" not in ev:
1478 raise Exception("Disconnection not reported")
1480 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1482 raise Exception("Network block disabling not reported")
1484 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1485 """WPA2-Enterprise negative test - domain mismatch"""
# Same structure as the suffix-mismatch test, but with the exact-match
# option domain_match="w1.fi" — a parent domain only, which must not
# satisfy a full-name match — and the certificate-error event text must
# contain "Domain mismatch". The guard line under each wait_event()
# (gutter 1496, 1500, 1510, 1521, 1528, 1534 — presumably `if ev is None:`)
# is missing from this listing.
1486 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1487 hostapd.add_ap(apdev[0]['ifname'], params)
1488 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1489 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1490 password="password", phase2="auth=MSCHAPV2",
1491 ca_cert="auth_serv/ca.pem",
1492 domain_match="w1.fi",
1493 wait_connect=False, scan_freq="2412")
1495 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1497 raise Exception("Association and EAP start timed out")
1499 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1501 raise Exception("EAP method selection timed out")
1502 if "TTLS" not in ev:
1503 raise Exception("Unexpected EAP method")
1505 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1506 "CTRL-EVENT-EAP-SUCCESS",
1507 "CTRL-EVENT-EAP-FAILURE",
1508 "CTRL-EVENT-CONNECTED",
1509 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1511 raise Exception("EAP result timed out")
1512 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1513 raise Exception("TLS certificate error not reported")
1514 if "Domain mismatch" not in ev:
1515 raise Exception("Domain mismatch not reported")
1517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1518 "CTRL-EVENT-EAP-FAILURE",
1519 "CTRL-EVENT-CONNECTED",
1520 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1522 raise Exception("EAP result(2) timed out")
1523 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1524 raise Exception("EAP failure not reported")
1526 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1527 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1529 raise Exception("EAP result(3) timed out")
1530 if "CTRL-EVENT-DISCONNECTED" not in ev:
1531 raise Exception("Disconnection not reported")
1533 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1535 raise Exception("Network block disabling not reported")
1537 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1538 """WPA2-Enterprise negative test - subject mismatch"""
# subject_match names a CN the server certificate does not have. On TLS
# libraries without subject_match support, EAP method initialization fails
# instead, which is also an acceptable outcome (the connection does not
# proceed); with OpenSSL the method must initialize and the certificate
# error text must contain "Subject mismatch". The guard line under each
# wait_event() (gutter 1549, 1554, 1570, 1581, 1588, 1594 — presumably
# `if ev is None:`) and the early `return` after the logger.info() call
# (gutter 1561, inferred from the log message) are missing from this
# listing.
1539 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1540 hostapd.add_ap(apdev[0]['ifname'], params)
1541 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1542 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1543 password="password", phase2="auth=MSCHAPV2",
1544 ca_cert="auth_serv/ca.pem",
1545 subject_match="/C=FI/O=w1.fi/CN=example.com",
1546 wait_connect=False, scan_freq="2412")
1548 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1550 raise Exception("Association and EAP start timed out")
1552 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1553 "EAP: Failed to initialize EAP method"], timeout=10)
1555 raise Exception("EAP method selection timed out")
1556 if "EAP: Failed to initialize EAP method" in ev:
1557 tls = dev[0].request("GET tls_library")
1558 if tls.startswith("OpenSSL"):
1559 raise Exception("Failed to select EAP method")
1560 logger.info("subject_match not supported - connection failed, so test succeeded")
1562 if "TTLS" not in ev:
1563 raise Exception("Unexpected EAP method")
1565 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1566 "CTRL-EVENT-EAP-SUCCESS",
1567 "CTRL-EVENT-EAP-FAILURE",
1568 "CTRL-EVENT-CONNECTED",
1569 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1571 raise Exception("EAP result timed out")
1572 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1573 raise Exception("TLS certificate error not reported")
1574 if "Subject mismatch" not in ev:
1575 raise Exception("Subject mismatch not reported")
1577 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1578 "CTRL-EVENT-EAP-FAILURE",
1579 "CTRL-EVENT-CONNECTED",
1580 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1582 raise Exception("EAP result(2) timed out")
1583 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1584 raise Exception("EAP failure not reported")
1586 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1587 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1589 raise Exception("EAP result(3) timed out")
1590 if "CTRL-EVENT-DISCONNECTED" not in ev:
1591 raise Exception("Disconnection not reported")
1593 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1595 raise Exception("Network block disabling not reported")
1597 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1598 """WPA2-Enterprise negative test - altsubject mismatch"""
1599 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1600 hostapd.add_ap(apdev[0]['ifname'], params)
1602 tests = [ "incorrect.example.com",
1603 "DNS:incorrect.example.com",
1607 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
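def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against an already started AP.

    match: the altsubject_match value to configure; it is expected NOT to
    match the server certificate, so the station must report a TLS
    certificate error, fail EAP, disconnect and temporarily disable the
    network block. The network block is removed at the end so the caller
    can run further cases on the same station.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # Each wait_event() result is guarded on None (timeout); the raises must
    # not be unconditional.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        # A TLS library without altsubject_match support refuses the method
        # at init time; the refused connection is the required outcome.
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")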
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # Server-authenticated TLS only: the station is given ca.pem to validate
    # the server and no client certificate or key.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Reauthentication has to succeed as well, not only the first handshake.
    eap_reauth(dev[0], "UNAUTH-TLS")
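def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    # SHA-256 fingerprint of the test server certificate; it is first
    # confirmed through the probe run and then used as the pin.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: ca_cert="probe://" only reports the server certificate chain
    # and must NOT complete authentication (a cert error is the expected end).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    # All wait_event() results are guarded on None (timeout) so that the
    # raises are not unconditional.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a syntactically valid sha256 pin that does not match the
    # server certificate must be rejected with a certificate mismatch.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pinning the probed hash must authenticate.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")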
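def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Three malformed hash://server/ pins, one per station: an unsupported
    # digest (md5), a truncated sha256 value, and a value with a non-hex
    # character. Each must be rejected when the TTLS method is initialized,
    # i.e. the expected report is a method init failure, not a TLS result.
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # Start all three connections first, then collect their results.
    for i, pin in enumerate(bad_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_pins)):
        # wait_event() results are guarded on None (timeout); the raises
        # must not be unconditional.
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")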
1749 def test_ap_wpa2_eap_pwd(dev, apdev):
1750 """WPA2-Enterprise connection using EAP-pwd"""
1751 check_eap_capa(dev[0], "PWD")
1752 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1753 hostapd.add_ap(apdev[0]['ifname'], params)
1754 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1755 eap_reauth(dev[0], "PWD")
1756 dev[0].request("REMOVE_NETWORK all")
1758 eap_connect(dev[1], apdev[0], "PWD",
1759 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1760 password="secret password",
1763 logger.info("Negative test with incorrect password")
1764 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1765 expect_failure=True, local_error_report=True)
1767 eap_connect(dev[0], apdev[0], "PWD",
1768 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1769 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Pre-hashed credential for the "pwd-hash" user (password_hex form).
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Same user, cleartext password vs. the hashed form: both must succeed.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # The same hash presented for a different user must be rejected.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    # One AP configuration reused for every group; only pwd_group changes
    # (the dict is mutated in place, as add_ap() is called per iteration).
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in (19, 20, 21, 25, 26):
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Drop the previous network block so each group gets a fresh connect.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
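def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Group 0 is not a usable EAP-pwd group; the server side is expected to
    # fail the exchange rather than fall back to some default group.
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # EAP-FAILURE is the expected outcome; only a missing event (timeout,
    # reported as None) fails the test, so the raise is guarded.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")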
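def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP is configured explicitly (the wpa2_eap_params() helper result
    # was previously built and immediately overwritten, so it is not used).
    # fragment_size=40 forces the server to fragment the EAP-pwd messages.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")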
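def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # The test relies on a phase1 change on the network block triggering a
    # new EAP exchange; each supported cipher selection must end in EAP
    # success followed by a reconnect. wait_event() results are guarded on
    # None (timeout) so the raises are not unconditional.
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # cipher=9 is not an offered GPSK cipher suite; negotiation must fail.
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)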
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Credential is given in hex (password_hex), not as a text password.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same length, first byte altered: must be rejected.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
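def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Each phase1 string pins a DH group / encryption / PRF / MAC
    # combination; the test relies on the phase1 change triggering a new
    # EAP exchange that must succeed and reconnect. wait_event() results
    # are guarded on None (timeout) so the raises are not unconditional.
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # None of the value 9 selections is offered, so negotiation must fail.
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)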
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server with an NAI-form server identity.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1900 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1901 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1902 params = int_eap_server_params()
1903 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1904 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
1906 for count,func in [ (1, "eap_eke_build_commit"),
1907 (2, "eap_eke_build_commit"),
1908 (3, "eap_eke_build_commit"),
1909 (1, "eap_eke_build_confirm"),
1910 (2, "eap_eke_build_confirm"),
1911 (1, "eap_eke_process_commit"),
1912 (2, "eap_eke_process_commit"),
1913 (1, "eap_eke_process_confirm"),
1914 (1, "eap_eke_process_identity"),
1915 (2, "eap_eke_process_identity"),
1916 (3, "eap_eke_process_identity"),
1917 (4, "eap_eke_process_identity") ]:
1918 with alloc_fail(hapd, count, func):
1919 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1920 expect_failure=True)
1921 dev[0].request("REMOVE_NETWORK all")
1923 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1924 (1, "eap_eke_get_session_id", "hello"),
1925 (1, "eap_eke_getKey", "hello"),
1926 (1, "eap_eke_build_msg", "hello"),
1927 (1, "eap_eke_build_failure", "wrong"),
1928 (1, "eap_eke_build_identity", "hello"),
1929 (2, "eap_eke_build_identity", "hello") ]:
1930 with alloc_fail(hapd, count, func):
1931 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1932 eap="EKE", identity="eke user", password=pw,
1933 wait_connect=False, scan_freq="2412")
1934 # This would eventually time out, but we can stop after having
1935 # reached the allocation failure.
1938 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1940 dev[0].request("REMOVE_NETWORK all")
1942 for count in range(1, 1000):
1944 with alloc_fail(hapd, count, "eap_server_sm_step"):
1945 dev[0].connect("test-wpa2-eap",
1946 key_mgmt="WPA-EAP WPA-EAP-SHA256",
1947 eap="EKE", identity="eke user", password=pw,
1948 wait_connect=False, scan_freq="2412")
1949 # This would eventually time out, but we can stop after having
1950 # reached the allocation failure.
1953 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1955 dev[0].request("REMOVE_NETWORK all")
1956 except Exception, e:
1957 if str(e) == "Allocation failure did not trigger":
1959 raise Exception("Too few allocation failures")
1960 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Plain connection plus reauthentication.
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
    # Same credentials with station-side fragmentation (fragment_size=50).
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
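def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # The AP is configured explicitly (the wpa2_eap_params() helper result
    # was previously built and immediately overwritten, so it is not used).
    # fragment_size=50 forces the server to fragment the EAP-IKEv2 messages.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")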
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "pax.user@example.com"
    # Credential is given in hex (password_hex).
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte altered: must be rejected.
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA256-based AKM with ieee80211w=2 (PMF required) on the AP side.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the 802.1X-SHA256 AKM suite selector; both the requested
    # and the selected suite must be it.
    sha256_akm = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                        ("dot11RSNAAuthenticationSuiteSelected", sha256_akm) ])

    # The scan result for the AP must advertise the SHA256 AKM as well.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2030 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2031 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2032 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2033 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2034 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2035 identity="user", password="password", phase2="auth=MSCHAPV2",
2036 ca_cert="auth_serv/ca.pem", wait_connect=False,
2038 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2039 hwsim_utils.test_connectivity(dev[0], hapd)
2040 eap_reauth(dev[0], "PEAP", rsn=False)
2041 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2042 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2043 status = dev[0].get_status(extra="VERBOSE")
2044 if 'portControl' not in status:
2045 raise Exception("portControl missing from STATUS-VERBOSE")
2046 if status['portControl'] != 'Auto':
2047 raise Exception("Unexpected portControl value: " + status['portControl'])
2048 if 'eap_session_id' not in status:
2049 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2050 if not status['eap_session_id'].startswith("19"):
2051 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2053 def test_ap_wpa2_eap_interactive(dev, apdev):
2054 """WPA2-Enterprise connection using interactive identity/password entry"""
2055 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2056 hostapd.add_ap(apdev[0]['ifname'], params)
2057 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2059 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2060 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2062 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2063 "TTLS", "ttls", None, "auth=MSCHAPV2",
2064 "DOMAIN\mschapv2 user", "password"),
2065 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2066 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2067 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2068 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2069 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2070 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2071 ("Connection with dynamic PEAP/EAP-GTC password entry",
2072 "PEAP", None, "user", "auth=GTC", None, "password") ]
2073 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2075 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2076 anonymous_identity=anon, identity=identity,
2077 ca_cert="auth_serv/ca.pem", phase2=phase2,
2078 wait_connect=False, scan_freq="2412")
2080 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2082 raise Exception("Request for identity timed out")
2083 id = ev.split(':')[0].split('-')[-1]
2084 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2085 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2087 raise Exception("Request for password timed out")
2088 id = ev.split(':')[0].split('-')[-1]
2089 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2090 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2091 dev[0].wait_connected(timeout=10)
2092 dev[0].request("REMOVE_NETWORK all")
2094 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2095 """WPA2-Enterprise connection using EAP vendor test"""
2096 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2097 hostapd.add_ap(apdev[0]['ifname'], params)
2098 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2099 eap_reauth(dev[0], "VENDOR-TEST")
2100 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1 selects unauthenticated PAC provisioning; the PAC
    # is kept in the blob named fast_pac.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # On reauthentication the provisioned PAC must be used to resume the
    # TLS session.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2117 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2118 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2119 check_eap_capa(dev[0], "FAST")
2120 pac_file = os.path.join(params['logdir'], "fast.pac")
2121 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2123 hostapd.add_ap(apdev[0]['ifname'], params)
2126 eap_connect(dev[0], apdev[0], "FAST", "user",
2127 anonymous_identity="FAST", password="password",
2128 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2129 phase1="fast_provisioning=1", pac_file=pac_file)
2130 with open(pac_file, "r") as f:
2132 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2133 raise Exception("PAC file header missing")
2134 if "PAC-Key=" not in data:
2135 raise Exception("PAC-Key missing from PAC file")
2136 dev[0].request("REMOVE_NETWORK all")
2137 eap_connect(dev[0], apdev[0], "FAST", "user",
2138 anonymous_identity="FAST", password="password",
2139 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2142 eap_connect(dev[1], apdev[0], "FAST", "user",
2143 anonymous_identity="FAST", password="password",
2144 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2145 phase1="fast_provisioning=1 fast_pac_format=binary",
2147 dev[1].request("REMOVE_NETWORK all")
2148 eap_connect(dev[1], apdev[0], "FAST", "user",
2149 anonymous_identity="FAST", password="password",
2150 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2151 phase1="fast_pac_format=binary",
2159 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Unauthenticated provisioning, PAC list limited to one entry and stored
    # in binary format in the fast_pac_bin blob.
    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")
    # The binary PAC must be usable for TLS session resumption.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
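def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Case 1: a pac_file blob that has never been provisioned and no
    # fast_provisioning in phase1 -> EAP must fail. The EAP-FAILURE event is
    # the expected outcome; only a missing event (timeout, reported as
    # None) fails the test, so the raise is guarded.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file at all -> EAP must fail the same way.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")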
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated PAC provisioning, with GTC as
    # the inner method; the PAC is kept in the fast_pac_auth blob.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume the TLS session through the PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
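def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Switching the identity on a network block provisioned for "user"
    # must not let the existing PAC authenticate "user2": the new EAP-FAST
    # run is expected to fail.
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    # wait_event() results are guarded on None (timeout) so the raises are
    # not unconditional.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()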
2237 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2238 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2239 check_eap_capa(dev[0], "FAST")
2240 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2241 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2242 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2243 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2244 identity="user", anonymous_identity="FAST",
2245 password="password", ca_cert="auth_serv/ca.pem",
2247 phase1="fast_provisioning=2",
2248 pac_file="blob://fast_pac_auth",
2249 wait_connect=False, scan_freq="2412")
2250 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2252 raise Exception("EAP failure not reported")
2253 dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=2 makes a valid OCSP response for the server certificate
    # mandatory; the connection must still succeed with the default AP
    # configuration.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
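def int_eap_server_params():
    """Return a fresh hostapd parameter dict for the integrated EAP server.

    The dict configures WPA2-Enterprise ("test-wpa2-eap", CCMP, WPA-EAP)
    with hostapd's own EAP server, the auth_serv user file and the test
    CA/server certificate and key. A new dict is built on every call so
    callers may add or override keys (e.g. server_id,
    ocsp_stapling_response) without affecting other tests.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
    # Callers do "params = int_eap_server_params()" and then index into the
    # result, so the dict must actually be returned.
    return params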
2272 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2273 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2274 params = int_eap_server_params()
2275 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2276 hostapd.add_ap(apdev[0]['ifname'], params)
2277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2278 identity="tls user", ca_cert="auth_serv/ca.pem",
2279 private_key="auth_serv/user.pkcs12",
2280 private_key_passwd="whatever", ocsp=2,
2281 wait_connect=False, scan_freq="2412")
2284 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2286 raise Exception("Timeout on EAP status")
2287 if 'bad certificate status response' in ev:
2291 raise Exception("Unexpected number of EAP status messages")
2293 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2295 raise Exception("Timeout on EAP failure report")
2297 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2298 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2299 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2300 if not os.path.exists(ocsp):
2301 raise HwsimSkip("No OCSP response available")
2302 params = int_eap_server_params()
2303 params["ocsp_stapling_response"] = ocsp
2304 hostapd.add_ap(apdev[0]['ifname'], params)
2305 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2306 identity="pap user", ca_cert="auth_serv/ca.pem",
2307 anonymous_identity="ttls", password="password",
2308 phase2="auth=PAP", ocsp=2,
2309 wait_connect=False, scan_freq="2412")
2312 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2314 raise Exception("Timeout on EAP status")
2315 if 'bad certificate status response' in ev:
2317 if 'certificate revoked' in ev:
2321 raise Exception("Unexpected number of EAP status messages")
2323 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2325 raise Exception("Timeout on EAP failure report")
2327 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2328 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2329 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2330 if not os.path.exists(ocsp):
2331 raise HwsimSkip("No OCSP response available")
2332 params = int_eap_server_params()
2333 params["ocsp_stapling_response"] = ocsp
2334 hostapd.add_ap(apdev[0]['ifname'], params)
2335 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2336 identity="pap user", ca_cert="auth_serv/ca.pem",
2337 anonymous_identity="ttls", password="password",
2338 phase2="auth=PAP", ocsp=2,
2339 wait_connect=False, scan_freq="2412")
2342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2344 raise Exception("Timeout on EAP status")
2345 if 'bad certificate status response' in ev:
2349 raise Exception("Unexpected number of EAP status messages")
2351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2353 raise Exception("Timeout on EAP failure report")
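def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise using EAP-TTLS and OCSP status unknown with optional OCSP

    The AP staples a pre-generated response reporting the server certificate
    status as "unknown". The station asks for OCSP with ocsp=1 (optional)
    rather than the ocsp=2 (required) used by the neighbouring OCSP tests, so
    an unknown status must not abort the handshake: wait_connect=False is not
    passed, and connect() is expected to return only once the association has
    completed.

    Raises HwsimSkip when the response file is not present in params['logdir'].
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Integrated EAP server with the "unknown" response stapled.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")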
2368 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2369 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2370 params = int_eap_server_params()
2371 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2372 params["private_key"] = "auth_serv/server-no-dnsname.key"
2373 hostapd.add_ap(apdev[0]['ifname'], params)
2374 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2375 identity="tls user", ca_cert="auth_serv/ca.pem",
2376 private_key="auth_serv/user.pkcs12",
2377 private_key_passwd="whatever",
2378 domain_suffix_match="server3.w1.fi",
2381 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2382 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2383 params = int_eap_server_params()
2384 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2385 params["private_key"] = "auth_serv/server-no-dnsname.key"
2386 hostapd.add_ap(apdev[0]['ifname'], params)
2387 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2388 identity="tls user", ca_cert="auth_serv/ca.pem",
2389 private_key="auth_serv/user.pkcs12",
2390 private_key_passwd="whatever",
2391 domain_match="server3.w1.fi",
2394 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2395 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2396 check_domain_match_full(dev[0])
2397 params = int_eap_server_params()
2398 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2399 params["private_key"] = "auth_serv/server-no-dnsname.key"
2400 hostapd.add_ap(apdev[0]['ifname'], params)
2401 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2402 identity="tls user", ca_cert="auth_serv/ca.pem",
2403 private_key="auth_serv/user.pkcs12",
2404 private_key_passwd="whatever",
2405 domain_suffix_match="w1.fi",
2408 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2409 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2410 params = int_eap_server_params()
2411 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2412 params["private_key"] = "auth_serv/server-no-dnsname.key"
2413 hostapd.add_ap(apdev[0]['ifname'], params)
2414 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2415 identity="tls user", ca_cert="auth_serv/ca.pem",
2416 private_key="auth_serv/user.pkcs12",
2417 private_key_passwd="whatever",
2418 domain_suffix_match="example.com",
2421 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2422 identity="tls user", ca_cert="auth_serv/ca.pem",
2423 private_key="auth_serv/user.pkcs12",
2424 private_key_passwd="whatever",
2425 domain_suffix_match="erver3.w1.fi",
2428 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2430 raise Exception("Timeout on EAP failure report")
2431 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2433 raise Exception("Timeout on EAP failure report (2)")
2435 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2436 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2437 params = int_eap_server_params()
2438 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2439 params["private_key"] = "auth_serv/server-no-dnsname.key"
2440 hostapd.add_ap(apdev[0]['ifname'], params)
2441 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2442 identity="tls user", ca_cert="auth_serv/ca.pem",
2443 private_key="auth_serv/user.pkcs12",
2444 private_key_passwd="whatever",
2445 domain_match="example.com",
2448 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2449 identity="tls user", ca_cert="auth_serv/ca.pem",
2450 private_key="auth_serv/user.pkcs12",
2451 private_key_passwd="whatever",
2452 domain_match="w1.fi",
2455 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2457 raise Exception("Timeout on EAP failure report")
2458 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2460 raise Exception("Timeout on EAP failure report (2)")
2462 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2463 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2464 params = int_eap_server_params()
2465 params["server_cert"] = "auth_serv/server-expired.pem"
2466 params["private_key"] = "auth_serv/server-expired.key"
2467 hostapd.add_ap(apdev[0]['ifname'], params)
2468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2469 identity="mschap user", password="password",
2470 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2473 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2475 raise Exception("Timeout on EAP certificate error report")
2476 if "reason=4" not in ev or "certificate has expired" not in ev:
2477 raise Exception("Unexpected failure reason: " + ev)
2478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2480 raise Exception("Timeout on EAP failure report")
2482 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2483 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2484 params = int_eap_server_params()
2485 params["server_cert"] = "auth_serv/server-expired.pem"
2486 params["private_key"] = "auth_serv/server-expired.key"
2487 hostapd.add_ap(apdev[0]['ifname'], params)
2488 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2489 identity="mschap user", password="password",
2490 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2491 phase1="tls_disable_time_checks=1",
2494 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2495 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2496 params = int_eap_server_params()
2497 params["server_cert"] = "auth_serv/server-long-duration.pem"
2498 params["private_key"] = "auth_serv/server-long-duration.key"
2499 hostapd.add_ap(apdev[0]['ifname'], params)
2500 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2501 identity="mschap user", password="password",
2502 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2505 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2506 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2507 params = int_eap_server_params()
2508 params["server_cert"] = "auth_serv/server-eku-client.pem"
2509 params["private_key"] = "auth_serv/server-eku-client.key"
2510 hostapd.add_ap(apdev[0]['ifname'], params)
2511 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2512 identity="mschap user", password="password",
2513 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2516 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2518 raise Exception("Timeout on EAP failure report")
2520 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2521 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2522 params = int_eap_server_params()
2523 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2524 params["private_key"] = "auth_serv/server-eku-client-server.key"
2525 hostapd.add_ap(apdev[0]['ifname'], params)
2526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2527 identity="mschap user", password="password",
2528 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2531 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2532 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2533 params = int_eap_server_params()
2534 del params["server_cert"]
2535 params["private_key"] = "auth_serv/server.pkcs12"
2536 hostapd.add_ap(apdev[0]['ifname'], params)
2537 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2538 identity="mschap user", password="password",
2539 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    # Plain WPA2-Enterprise AP; the DH parameter file is supplied on the
    # supplicant side through the dh_file network parameter.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_cfg = {
        'anonymous_identity': "ttls",
        'password': "password",
        'ca_cert': "auth_serv/ca.der",
        'phase2': "auth=CHAP",
        'dh_file': "auth_serv/dh.conf",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_cfg)
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # read_pem() hands back the base64-decoded file contents; push them into
    # wpa_supplicant as a named blob so the network can refer to it as
    # blob://dhparams instead of a path on disk.
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Point the integrated EAP server at a different DH parameter file; the
    # station side keeps its defaults.
    ap_params = dict(int_eap_server_params(), dh_file="auth_serv/dh2.conf")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
2572 def test_ap_wpa2_eap_reauth(dev, apdev):
2573 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2574 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2575 params['eap_reauth_period'] = '2'
2576 hostapd.add_ap(apdev[0]['ifname'], params)
2577 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2578 password_hex="0123456789abcdef0123456789abcdef")
2579 logger.info("Wait for reauthentication")
2580 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2582 raise Exception("Timeout on reauthentication")
2583 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2585 raise Exception("Timeout on reauthentication")
2586 for i in range(0, 20):
2587 state = dev[0].get_status_field("wpa_state")
2588 if state == "COMPLETED":
2591 if state != "COMPLETED":
2592 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed by an option list; the separator is written
    # as the two characters backslash and zero in the config value (the
    # server side is expected to expand it).
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The message is informational; the PAX exchange must still complete.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # One (method, identity, test credentials) triple per SIM-family method.
    # For each: dev[0] negotiates the protected result indication
    # (phase1="result_ind=1") and reauthenticates, then dev[1] authenticates
    # with the same credentials but without requesting it.
    sim_aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    cases = [
        ("SIM", "1232010000000000", sim_aka_creds),
        ("AKA", "0232010000000000", sim_aka_creds + ":000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, creds) in enumerate(cases):
        if idx:
            # Clear the previous method's network profiles on both stations
            # before starting the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=creds, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=creds)
2637 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2638 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2639 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2640 hostapd.add_ap(apdev[0]['ifname'], params)
2641 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2642 eap="TTLS", identity="mschap user",
2643 wait_connect=False, scan_freq="2412", ieee80211w="1",
2644 anonymous_identity="ttls", password="password",
2645 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2647 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2649 raise Exception("EAP roundtrip limit not reached")
2651 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2652 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2653 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2654 hostapd.add_ap(apdev[0]['ifname'], params)
2655 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2656 eap="PSK", identity="vendor-test",
2657 password_hex="ff23456789abcdef0123456789abcdef",
2661 for i in range(0, 5):
2662 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2664 raise Exception("Association and EAP start timed out")
2665 if "refuse proposed method" in ev:
2669 raise Exception("Unexpected EAP status: " + ev)
2671 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2673 raise Exception("EAP failure timed out")
2675 def test_ap_wpa2_eap_sql(dev, apdev, params):
2676 """WPA2-Enterprise connection using SQLite for user DB"""
2680 raise HwsimSkip("No sqlite3 module available")
2681 dbfile = os.path.join(params['logdir'], "eap-user.db")
2686 con = sqlite3.connect(dbfile)
2689 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2690 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2691 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2692 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2693 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2694 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2695 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2696 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2699 params = int_eap_server_params()
2700 params["eap_user_file"] = "sqlite:" + dbfile
2701 hostapd.add_ap(apdev[0]['ifname'], params)
2702 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
2703 anonymous_identity="ttls", password="password",
2704 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
2705 dev[0].request("REMOVE_NETWORK all")
2706 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
2707 anonymous_identity="ttls", password="password",
2708 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
2709 dev[1].request("REMOVE_NETWORK all")
2710 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
2711 anonymous_identity="ttls", password="password",
2712 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
2713 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
2714 anonymous_identity="ttls", password="password",
2715 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2719 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
2720 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2721 params = int_eap_server_params()
2722 hostapd.add_ap(apdev[0]['ifname'], params)
2723 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2724 identity="\x80", password="password", wait_connect=False)
2725 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2726 identity="a\x80", password="password", wait_connect=False)
2727 for i in range(0, 2):
2728 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2730 raise Exception("Association and EAP start timed out")
2731 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2733 raise Exception("EAP method selection timed out")
2735 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
2736 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2737 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2738 hostapd.add_ap(apdev[0]['ifname'], params)
2739 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2740 identity="\x80", password="password", wait_connect=False)
2741 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2742 identity="a\x80", password="password", wait_connect=False)
2743 for i in range(0, 2):
2744 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2746 raise Exception("Association and EAP start timed out")
2747 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2749 raise Exception("EAP method selection timed out")
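def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Skips unless wpa_supplicant is built against OpenSSL, since the
    openssl_ciphers network parameter is only meaningful there. dev[0]
    restricts its offer to the "AES128" cipher list and must connect;
    dev[1] offers only the "EXPORT" list, and the EAP-TTLS handshake is
    expected to fail (expect_failure=True).
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    # The returned Hostapd object was unused; only the AP itself is needed.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Cipher list that the server can agree on: normal success path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    # Export-grade ciphers only: no acceptable suite is expected to be
    # negotiated, so TLS, and with it EAP, must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **common)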
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    def require_openssl(node, who):
        # Both ends must use OpenSSL for openssl_ciphers to mean anything.
        tls = node.request("GET tls_library")
        if not tls.startswith("OpenSSL"):
            raise HwsimSkip(who + " TLS library is not OpenSSL: " + tls)

    require_openssl(dev[0], "wpa_supplicant")
    ap_params = int_eap_server_params()
    # Server side restricted to the AES256 cipher list.
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    require_openssl(hapd, "hostapd")

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client list: overlaps with the server's -> success.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # Client limited to AES128: nothing in common with AES256 -> failure.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH still contains AES256 suites -> success.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2792 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
2793 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
2794 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2795 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
2796 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
2797 pid = find_wpas_process(dev[0])
2798 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
2799 anonymous_identity="ttls", password=password,
2800 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2802 buf = read_process_memory(pid, password)
2804 dev[0].request("DISCONNECT")
2805 dev[0].wait_disconnected()
2813 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
2814 for l in f.readlines():
2815 if "EAP-TTLS: Derived key - hexdump" in l:
2816 val = l.strip().split(':')[3].replace(' ', '')
2817 msk = binascii.unhexlify(val)
2818 if "EAP-TTLS: Derived EMSK - hexdump" in l:
2819 val = l.strip().split(':')[3].replace(' ', '')
2820 emsk = binascii.unhexlify(val)
2821 if "WPA: PMK - hexdump" in l:
2822 val = l.strip().split(':')[3].replace(' ', '')
2823 pmk = binascii.unhexlify(val)
2824 if "WPA: PTK - hexdump" in l:
2825 val = l.strip().split(':')[3].replace(' ', '')
2826 ptk = binascii.unhexlify(val)
2827 if "WPA: Group Key - hexdump" in l:
2828 val = l.strip().split(':')[3].replace(' ', '')
2829 gtk = binascii.unhexlify(val)
2830 if not msk or not emsk or not pmk or not ptk or not gtk:
2831 raise Exception("Could not find keys from debug log")
2833 raise Exception("Unexpected GTK length")
2839 fname = os.path.join(params['logdir'],
2840 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
2842 logger.info("Checking keys in memory while associated")
2843 get_key_locations(buf, password, "Password")
2844 get_key_locations(buf, pmk, "PMK")
2845 get_key_locations(buf, msk, "MSK")
2846 get_key_locations(buf, emsk, "EMSK")
2847 if password not in buf:
2848 raise HwsimSkip("Password not found while associated")
2850 raise HwsimSkip("PMK not found while associated")
2852 raise Exception("KCK not found while associated")
2854 raise Exception("KEK not found while associated")
2856 raise Exception("TK found from memory")
2858 raise Exception("GTK found from memory")
2860 logger.info("Checking keys in memory after disassociation")
2861 buf = read_process_memory(pid, password)
2863 # Note: Password is still present in network configuration
2864 # Note: PMK is in PMKSA cache and EAP fast re-auth data
2866 get_key_locations(buf, password, "Password")
2867 get_key_locations(buf, pmk, "PMK")
2868 get_key_locations(buf, msk, "MSK")
2869 get_key_locations(buf, emsk, "EMSK")
2870 verify_not_present(buf, kck, fname, "KCK")
2871 verify_not_present(buf, kek, fname, "KEK")
2872 verify_not_present(buf, tk, fname, "TK")
2873 verify_not_present(buf, gtk, fname, "GTK")
2875 dev[0].request("PMKSA_FLUSH")
2876 dev[0].set_network_quoted(id, "identity", "foo")
2877 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
2878 buf = read_process_memory(pid, password)
2879 get_key_locations(buf, password, "Password")
2880 get_key_locations(buf, pmk, "PMK")
2881 get_key_locations(buf, msk, "MSK")
2882 get_key_locations(buf, emsk, "EMSK")
2883 verify_not_present(buf, pmk, fname, "PMK")
2885 dev[0].request("REMOVE_NETWORK all")
2887 logger.info("Checking keys in memory after network profile removal")
2888 buf = read_process_memory(pid, password)
2890 get_key_locations(buf, password, "Password")
2891 get_key_locations(buf, pmk, "PMK")
2892 get_key_locations(buf, msk, "MSK")
2893 get_key_locations(buf, emsk, "EMSK")
2894 verify_not_present(buf, password, fname, "password")
2895 verify_not_present(buf, pmk, fname, "PMK")
2896 verify_not_present(buf, kck, fname, "KCK")
2897 verify_not_present(buf, kek, fname, "KEK")
2898 verify_not_present(buf, tk, fname, "TK")
2899 verify_not_present(buf, gtk, fname, "GTK")
2900 verify_not_present(buf, msk, fname, "MSK")
2901 verify_not_present(buf, emsk, fname, "EMSK")
2903 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
2904 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
2905 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2906 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2907 bssid = apdev[0]['bssid']
2908 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2909 anonymous_identity="ttls", password="password",
2910 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2912 # Send unexpected WEP EAPOL-Key; this gets dropped
2913 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
2915 raise Exception("EAPOL_RX to wpa_supplicant failed")
2917 def test_ap_wpa2_eap_in_bridge(dev, apdev):
2918 """WPA2-EAP and wpas interface in a bridge"""
2922 _test_ap_wpa2_eap_in_bridge(dev, apdev)
2924 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
2925 subprocess.call(['brctl', 'delif', br_ifname, ifname])
2926 subprocess.call(['brctl', 'delbr', br_ifname])
2927 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
2929 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
2930 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2931 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2935 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
2936 subprocess.call(['brctl', 'addbr', br_ifname])
2937 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
2938 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
2939 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
2940 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
2941 wpas.interface_add(ifname, br_ifname=br_ifname)
2943 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
2944 password_hex="0123456789abcdef0123456789abcdef")
2945 eap_reauth(wpas, "PAX")
2946 # Try again as a regression test for packet socket workaround
2947 eap_reauth(wpas, "PAX")
2948 wpas.request("DISCONNECT")
2949 wpas.wait_disconnected()
2950 wpas.request("RECONNECT")
2951 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check on the AP configuration as reported by GET_CONFIG.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Session tickets are explicitly left enabled on the station
    # (tls_disable_session_ticket=0); the reauthentication presumably goes
    # through the ticket-based resumption path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
2966 def test_ap_wpa2_eap_no_workaround(dev, apdev):
2967 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
2968 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2969 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2970 key_mgmt = hapd.get_config()['key_mgmt']
2971 if key_mgmt.split(' ')[0] != "WPA-EAP":
2972 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
2973 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2974 anonymous_identity="ttls", password="password",
2975 ca_cert="auth_serv/ca.pem", eap_workaround='0',
2977 eap_reauth(dev[0], "TTLS")