1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger used by the test functions below for progress messages.
logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# Flag recording whether the optional OpenSSL Python binding is available.
# NOTE(review): these two assignments are the success and failure arms of a
# guarded import; the import statement and its try/except lines are not in
# this extract, so as shown the second assignment simply overrides the first.
openssl_imported = True
openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the current test unless an HLR/AuC gateway is reachable.

    The gateway is detected by the presence of its control socket at
    /tmp/hlr_auc_gw.sock; EAP-SIM/AKA tests need it for Milenage triplets.

    Raises:
        HwsimSkip: when the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the current test unless *dev* reports EAP *method* in its build capabilities.

    NOTE(review): the guard line that compares ``method`` against ``res`` is
    not in this extract; as shown the raise is unconditional.
    """
    res = dev.get_capability("eap")
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless *dev* uses an OpenSSL-based TLS library.

    subject_match is only exercised against OpenSSL builds, so any other
    answer to "GET tls_library" raises HwsimSkip.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip unless *dev* uses an OpenSSL-based TLS library.

    altsubject_match is only exercised against OpenSSL builds, so any other
    answer to "GET tls_library" raises HwsimSkip.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_library)
def check_domain_match(dev):
    """Skip when *dev* uses the internal TLS library.

    domain_match is not supported by the internal implementation; every other
    "GET tls_library" answer is accepted.
    """
    tls_library = dev.request("GET tls_library")
    if not tls_library.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls_library)
def check_domain_suffix_match(dev):
    """Skip when *dev* uses the internal TLS library.

    domain_suffix_match is not supported by the internal implementation;
    every other "GET tls_library" answer is accepted.
    """
    tls_library = dev.request("GET tls_library")
    if not tls_library.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_library)
def check_domain_match_full(dev):
    """Skip unless *dev* uses an OpenSSL-based TLS library.

    Only OpenSSL builds implement the full-match variant of
    domain_suffix_match that the calling test relies on.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_library)
def check_cert_probe_support(dev):
    """Skip unless *dev* uses OpenSSL or the internal TLS library.

    Certificate probing is exercised only with those two implementations.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_library)
def check_ext_cert_check_support(dev):
    """Skip unless *dev* uses an OpenSSL-based TLS library.

    The external certificate check hook (ext_cert_check) is only available
    with OpenSSL builds.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls_library)
def check_ocsp_support(dev):
    """Placeholder OCSP capability check; currently never skips.

    The TLS library is queried but every skip condition is commented out, so
    OCSP tests run against all TLS implementations.
    """
    tls = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_ocsp_multi_support(dev):
    """Skip unless both the station and the authentication server use the internal TLS library.

    ocsp_multi is implemented only by the internal TLS code, so the station's
    "GET tls_library" answer and that of the "as" hostapd instance are both
    required to start with "internal".

    Raises:
        HwsimSkip: if either side reports a different TLS library.
    """
    station_tls = dev.request("GET tls_library")
    if not station_tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + station_tls)
    server_tls = hostapd.Hostapd("as").request("GET tls_library")
    if not server_tls.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Placeholder PKCS#12 capability check; currently never skips.

    The TLS library is queried but the skip condition is commented out.
    """
    tls = dev.request("GET tls_library")
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip when *dev* uses the internal TLS library.

    DH/DSA cipher suites are not supported by the internal implementation;
    every other "GET tls_library" answer is accepted.
    """
    tls_library = dev.request("GET tls_library")
    if not tls_library.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_library)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
def eap_connect(dev, hapd, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the test-wpa2-eap network with EAP *method* and verify the handshake.

    The network is added with key_mgmt "WPA-EAP WPA-EAP-SHA256", PMF enabled
    (ieee80211w="1"), a fixed scan frequency of 2412 MHz and wait_connect
    disabled; eap_check_auth() then follows the EAP exchange and, on the
    success path, hostapd must report AP-STA-CONNECTED within 5 s.

    NOTE(review): the closing line of the dev.connect(...) call, the early
    return taken when a failure is expected, and the ``ev is None`` guard
    before the final raise are not in this extract.
    """
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP authentication on *dev* and validate the resulting state.

    Waits for the supplicant control events in order (EAP started, EAP method
    selected, EAP success or failure, then either CTRL-EVENT-CONNECTED or
    "WPA: Key negotiation completed") and finally checks dev.get_status():
    wpa_state COMPLETED, suppPortStatus Authorized, *method* contained in
    selectedMethod, and key_mgmt matching the sha256/rsn selection.  On an
    expected failure the disconnection must carry reason=23 (IEEE 802.1X
    authentication failed) unless local_error_report is set.

    NOTE(review): several control-flow lines of this function are not in this
    extract: the ``ev is None`` guards after each wait (the orphaned raise
    statements below are their bodies), the expect_failure branch and its
    early returns, the initial/reauth choice between the two final waits, and
    the sha256/rsn branch that assigns ``e``.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
        # body of the maybe_local_error branch is not in this extract
        raise Exception("Could not select EAP method")
    raise Exception("Unexpected EAP method")
    # Expected-failure path: wait for EAP-Failure and the disconnection.
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    if maybe_local_error and "locally_generated=1" in ev:
    if not local_error_report:
        # reason=23 is the IEEE 802.11 "IEEE 802.1X authentication failed" code.
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    # Success path.
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # Expected key_mgmt string: SHA-256 AKM, RSN (WPA2) AKM, or WPA AKM.
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP reauthentication on *dev* and validate the outcome.

    Issues the REAUTHENTICATE control command and then runs eap_check_auth()
    with initial=False, forwarding rsn, sha256 and expect_failure; the
    eap_check_auth() result is returned unchanged.
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False,
                            rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive part: three stations authenticate with the correct Milenage
    credentials and dev[0] additionally performs a fast reauthentication.
    Negative part: a wrong key and several malformed key strings (too short,
    non-hex characters, missing ':' separator) and a missing password must all
    fail authentication.

    NOTE(review): the closing argument line of the dev[2] call and of each
    negative eap_connect call (the expected-failure flag) is not in this
    extract.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], hapd, "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], hapd, "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    # Too short to be a Ki value.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character in the first half.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character in the second half.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    # ':' separator replaced by a letter.
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Runs the authentication server on port 1814 with an SQLite-backed
    EAP-SIM database and manipulates its ``reauth`` and ``pseudonyms`` tables
    directly between reauthentications to force: fast reauth, full auth with
    a pseudonym, full auth with the permanent identity, a mismatching master
    key (must fail), and mismatching / maximum reauth counters.  All SQL
    statements are fixed literals; nothing from the test environment is
    interpolated into them.

    NOTE(review): the guarded ``import sqlite3`` that precedes the HwsimSkip,
    and the lines that open a cursor on ``con`` and assign it to ``cur``, are
    not in this extract.
    """
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM full auth with pseudonym")
    # Dropping the reauth state forces a full authentication; the pseudonym
    # row is still present, so the pseudonym identity is used.
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM reauth with mismatching MK")
    # Corrupt the stored master key so the fast reauth must be rejected.
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    sim_min_num_chal values of 1 and 4 are outside the accepted range and must
    make EAP-SIM method initialization fail; 2 is accepted.  A second station
    connects with an anonymous_identity set.

    NOTE(review): the ``ev is None`` guards before the two "No EAP error
    message seen" raises are not in this extract.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], hapd, "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    Wrapper that runs the actual test and then restores external_sim to 0 so
    later tests are not left in external-SIM mode.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Feed malformed external GSM-AUTH answers to the supplicant and require EAP failure.

    With external_sim enabled the supplicant emits CTRL-REQ-SIM requests of
    type GSM-AUTH.  Each round replies via CTRL-RSP-SIM with an invalid
    response (a UMTS-AUTH answer to a GSM request, non-hex data, wrong
    lengths, missing or malformed Kc parts) and expects CTRL-EVENT-EAP-FAILURE
    rather than a connection; the negative input must never be accepted.

    NOTE(review): this extract omits the ``ev is None`` guards after each
    wait (the orphaned raise statements are their bodies) and the line that
    splits the CTRL-REQ-SIM event into ``p`` before each ``p[...]`` use.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Round 1: answer a GSM-AUTH request with a UMTS-AUTH response.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 2: a single non-hex character.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 3: hex, but too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 4: one value only, no Kc part.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 5: non-hex second part.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 6: second part too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Round 7: non-hex third part.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Authenticate with one IMSI, then switch identity while keeping the stale pseudonym.

    The first round answers the CTRL-REQ-SIM GSM-AUTH request with a triplet
    computed by the hlr_auc_gw tool for the RAND the supplicant reported and
    must connect.  The identity is then changed to a different IMSI without
    clearing the pseudonym the server issued for the old one; the server
    cannot map the stale pseudonym to the new SIM, so EAP-Failure is required.

    NOTE(review): this extract omits the ``ev is None`` guards after each
    wait, the line that splits the event into ``p``, and one argument line of
    each hlr_auc_gw invocation (between the executable and the db path).
    NOTE(review): the hlr_auc_gw output is treated as text; under Python 3
    check_output returns bytes unless decoded — confirm the interpreter.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Ask the test HLR/AuC gateway for the GSM triplet matching this RAND.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    # A valid triplet for the new SIM must still be rejected because the
    # pseudonym belongs to the old identity.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Authenticate with one IMSI, then switch identity after clearing the pseudonym.

    Same flow as the replace_sim variant, but anonymous_identity is reset to
    NULL together with the identity change, so the second round must connect
    with a valid triplet for the new SIM.

    NOTE(review): this extract omits the ``ev is None`` guards after each
    wait, the line that splits the event into ``p``, and one argument line of
    each hlr_auc_gw invocation (between the executable and the db path).
    NOTE(review): the hlr_auc_gw output is treated as text; under Python 3
    check_output returns bytes unless decoded — confirm the interpreter.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Ask the test HLR/AuC gateway for the GSM triplet matching this RAND.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Supply the identity interactively via CTRL-REQ-IDENTITY, then replace the SIM.

    The network profile has no identity; the supplicant asks for it with
    CTRL-REQ-IDENTITY and the test answers over CTRL-RSP-IDENTITY.  After a
    successful first round both identity and anonymous_identity are reset to
    NULL, a new IMSI is supplied on the next request, and a valid triplet for
    it must lead to a connection.

    NOTE(review): this extract omits the ``ev is None`` guards after each
    wait, the line that splits the CTRL-REQ-SIM event into ``p``, and one
    argument line of each hlr_auc_gw invocation (between the executable and
    the db path).
    NOTE(review): the hlr_auc_gw output is treated as text; under Python 3
    check_output returns bytes unless decoded — confirm the interpreter.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    raise Exception("Request for identity timed out")
    # Request id is the last '-'-separated field before the ':'.
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Ask the test HLR/AuC gateway for the GSM triplet matching this RAND.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(id, "identity", "NULL")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    raise Exception("Request for identity timed out")
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Answer the external GSM-AUTH request with GSM-FAIL and require EAP failure within 5 s.

    NOTE(review): this extract omits the ``ev is None`` guards after each
    wait (the orphaned raise statements are their bodies) and the line that
    splits the CTRL-REQ-SIM event into ``p``.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    rid = p[0].split('-')[3]
    # Explicit failure from the external SIM handler.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Connect via external GSM auth, change the profile's bssid, and require fast reauth to still work.

    NOTE(review): this extract omits the ``ev is None`` guard after the
    CTRL-REQ-SIM wait, the line that splits the event into ``p``, and one
    argument line of the hlr_auc_gw invocation (between the executable and
    the db path).
    NOTE(review): the hlr_auc_gw output is treated as text; under Python 3
    check_output returns bytes unless decoded — confirm the interpreter.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Ask the test HLR/AuC gateway for the GSM triplet matching this RAND.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    dev[0].set_network(id, "bssid", "any")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK

    Wrapper that runs the actual test and then restores external_sim to 0.

    NOTE(review): the try/finally that brackets the helper call is not in this
    extract.
    """
    _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
    """Connect via external GSM auth, re-set unchanged profile values, and require fast reauth to still work.

    NOTE(review): this extract omits the ``ev is None`` guard after the
    CTRL-REQ-SIM wait, the line that splits the event into ``p``, one argument
    line of the hlr_auc_gw invocation (between the executable and the db
    path), and the tail of the comment preceding the SET_NETWORK calls.
    NOTE(review): the hlr_auc_gw output is treated as text; under Python 3
    check_output returns bytes unless decoded — confirm the interpreter.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Ask the test HLR/AuC gateway for the GSM triplet matching this RAND.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    # Verify that EAP-SIM Reauthentication can be used after network profile
    # SET_NETWORK commands that do not actually change previously set
    dev[0].set_network(id, "key_mgmt", "WPA-EAP")
    dev[0].set_network(id, "eap", "SIM")
    dev[0].set_network_quoted(id, "identity", "1232010000000000")
    dev[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Injects an allocation failure at the 1st through 12th call of
    milenage_f2345 via fail_test(); each attempt must still reach EAP method
    selection and then end in a disconnection rather than a crash or hang.

    NOTE(review): the ``ev is None`` guard before "EAP method not selected"
    is not in this extract.  Every entry of ``tests`` names the same
    function, so the list could be generated from a range.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive part: dev[0] authenticates with the correct Milenage
    credentials (Ki:OPc:SQN form) and performs a fast reauthentication.
    Negative part: a wrong key, several malformed key strings (too short,
    non-hex characters, replaced separators) and a missing password must all
    fail authentication.

    NOTE(review): the closing argument line of each negative eap_connect call
    (the expected-failure flag) is not in this extract.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    # Too short to be a Ki value.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid Milenage key(2)")
    # Non-hex character in the Ki part.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    logger.info("Invalid Milenage key(3)")
    # Non-hex character in the OPc part.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    logger.info("Invalid Milenage key(4)")
    # Non-hex character in the SQN part.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    # Second ':' separator replaced by a letter.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    # Both ':' separators replaced by letters.
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    EAP-AKA counterpart of the EAP-SIM SQL test: the authentication server on
    port 1814 keeps its state in SQLite, and the ``reauth`` and
    ``pseudonyms`` tables are edited directly to force fast reauth, full auth
    with a pseudonym, full auth with the permanent identity, a mismatching
    master key (must fail), and mismatching / maximum reauth counters.  All
    SQL statements are fixed literals; nothing from the test environment is
    interpolated into them.

    NOTE(review): the guarded ``import sqlite3`` that precedes the HwsimSkip,
    and the lines that open a cursor on ``con`` and assign it to ``cur``, are
    not in this extract.
    """
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with pseudonym")
    # Dropping the reauth state forces a full authentication; the pseudonym
    # row is still present, so the pseudonym identity is used.
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA reauth with mismatching MK")
    # Corrupt the stored master key so the fast reauth must be rejected.
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with EAP-AKA while an anonymous_identity is configured
    (presumably so that the identity exposed outside the method is the
    anonymous one rather than the permanent identity - the test only checks
    that the connection succeeds).
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_cfg = dict(password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   anonymous_identity="2345678")
    eap_connect(dev[0], hapd, "AKA", "0232010000000000", **aka_cfg)
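def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore internal SIM processing, even when the inner test
        # raises; leaving external_sim=1 behind could make later EAP-SIM/AKA
        # tests on dev[0] wait for an external responder.
        dev[0].request("SET external_sim 0")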
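def _wait_umts_auth_req(dev, timeout=15):
    """Wait for an external-SIM UMTS-AUTH request and return its request id.

    The event has the form ``CTRL-REQ-SIM-<id>:UMTS-AUTH:...``; the id is the
    fourth '-'-separated field of the first ':'-separated part.

    Raises Exception if no CTRL-REQ-SIM arrives within ``timeout`` seconds or
    the request is not of type UMTS-AUTH.
    """
    ev = dev.wait_event(["CTRL-REQ-SIM"], timeout=timeout)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    return p[0].split('-')[3]


def _expect_eap_failure_and_disconnect(dev, timeout=15):
    """Require an EAP failure within ``timeout`` seconds, then disconnect.

    Disconnects explicitly and clears the monitor so the next
    select_network() starts from a clean event queue.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=timeout)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev.request("DISCONNECT")
    dev.wait_disconnected()
    dev.dump_monitor()


def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (external_sim is reset by the caller).

    With external SIM processing enabled, wpa_supplicant hands the UMTS
    challenge to the control interface. The test feeds it bad answers and
    checks each one ends in an EAP failure rather than a connection:
    a GSM-AUTH reply to a UMTS-AUTH request, two UMTS-AUTS
    (resynchronisation) values that the server/peer must reject, and a set
    of UMTS-AUTH replies with wrong separators, wrong field lengths or
    non-hex characters that the control-interface parser must refuse.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP method selection timed out")

    rid = _wait_umts_auth_req(dev[0])
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # Wrong response type for a UMTS-AUTH request: the ctrl_iface command
    # itself is accepted, the failure shows up during EAP processing.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    _expect_eap_failure_and_disconnect(dev[0])

    dev[0].select_network(net_id, freq="2412")
    rid = _wait_umts_auth_req(dev[0])
    # Well-formed AUTS that the server cannot validate; a new UMTS-AUTH
    # request is expected afterwards.
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    rid = _wait_umts_auth_req(dev[0])
    # Truncated AUTS - must fail UMTS auth validation.
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    _expect_eap_failure_and_disconnect(dev[0])

    bad_responses = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for t in bad_responses:
        dev[0].select_network(net_id, freq="2412")
        rid = _wait_umts_auth_req(dev[0])
        # Accepted on the control interface, rejected during UMTS auth
        # validation.
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        _expect_eap_failure_and_disconnect(dev[0])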
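def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        # Restore internal SIM processing on every exit path so a failure
        # here cannot leak external_sim=1 into the following tests.
        dev[0].request("SET external_sim 0")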
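def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext_auth_fail (external_sim reset by caller).

    Answers the external UMTS authentication request with UMTS-FAIL and
    requires the EAP exchange to end in a reported failure.

    Raises Exception if the CTRL-REQ-SIM request or the EAP failure event
    does not arrive in time.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:..." - the request id is the fourth '-' field.
    rid = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()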
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive EAP-AKA' connection with connectivity check and
    re-authentication, a second station that offers both AKA' and AKA
    (exercising the AKA' bidding-down protection; the test only checks
    that the connection comes up), and a negative case with a wrong key.
    """
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], hapd, "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "AKA'", identity, password=bad_key,
                expect_failure=True)
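def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of test_ap_wpa2_eap_aka_sql: fast reauth, full
    auth with pseudonym and permanent identity, then reauth after tampering
    with the SQLite-backed server state. A wrong k_aut must make the fast
    reauth fail; a wrong counter and a counter at the reauth limit are still
    expected to end in a successful eap_reauth (presumably via fallback to
    full authentication - confirm against the server logs).

    Skipped without hlr_auc_gw or the sqlite3 module. The DB connection is
    closed on every exit path and the ``params`` argument is not shadowed.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "6555444333222111"
    # Milenage test vector; three colon-separated hex fields (presumably
    # Ki:OPc:SQN).
    milenage = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def sql(stmt, args=()):
            # One transaction per statement; values are bound rather than
            # spliced into the SQL text.
            with con:
                con.execute(stmt, args)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Alternate RADIUS server port; assumed to be the hostapd.db-backed
        # instance - confirm against the auth server configuration.
        ap_params['auth_server_port'] = "1814"
        hapd = hostapd.add_ap(apdev[0], ap_params)

        def connect():
            eap_connect(dev[0], hapd, "AKA'", permanent, password=milenage)

        connect()

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent=?", (permanent,))
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent=?", (permanent,))
        sql("DELETE FROM pseudonyms WHERE permanent=?", (permanent,))
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        # A tampered authentication key must not yield a usable fast reauth.
        sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent=?",
            (permanent,))
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='10' WHERE permanent=?", (permanent,))
        eap_reauth(dev[0], "AKA'")
        sql("UPDATE reauth SET counter='10' WHERE permanent=?", (permanent,))
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='1001' WHERE permanent=?", (permanent,))
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()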
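def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        # Restore internal SIM processing on every exit path so a failure
        # here cannot leak external_sim=1 into the following tests.
        dev[0].request("SET external_sim 0")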
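def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_prime_ext_auth_fail (external_sim reset by caller).

    Answers the external UMTS authentication request with UMTS-FAIL and
    requires the EAP-AKA' exchange to end in a reported failure.

    Raises Exception if the CTRL-REQ-SIM request or the EAP failure event
    does not arrive in time.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:..." - the request id is the fourth '-' field.
    rid = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()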
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Checks that the AP lists WPA-EAP first in key_mgmt, that a TTLS/PAP
    connection against a trusted CA succeeds, passes traffic and survives
    re-authentication, and that the requested/selected AKM suite is
    00-0f-ac:1 (802.1X).

    NOTE(review): only ca_cert is configured here, so any server certificate
    issued by that CA is accepted and the inner PAP credential is protected
    by the tunnel alone; server-name pinning is exercised by the
    subject_match variant below.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Pins the server certificate by its full subject DN and by a set of
    subjectAltName entries (at least one of which - DNS:server.w1.fi - is
    expected to be present in the test certificate); the connection must
    succeed and survive re-authentication.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pinning = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                   altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **pinning)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two negative cases: the PAP user with a wrong password, and the
    identity "user" (valid for other inner methods in this file, presumably
    not provisioned for PAP) with the PAP user's password. Both must fail.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [(dev[0], "pap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, user, pw in cases:
        eap_connect(sta, hapd, "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Uses the DER-encoded copy of the CA certificate. Skipped in FIPS mode
    (CHAP relies on MD5).
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    chap = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], hapd, "TTLS", "chap user", **chap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    Same as test_ap_wpa2_eap_ttls_chap but with the server certificate
    pinned through altsubject_match (the entries are listed in a different
    order than in the PAP variant). Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    chap = dict(anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_connect(dev[0], hapd, "TTLS", "chap user", **chap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    The CHAP user with a wrong password and the identity "user" with the
    CHAP user's password must both be rejected. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [(dev[0], "chap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, user, pw in cases:
        eap_connect(sta, hapd, "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three connections for "mschap user": with domain_suffix_match pinning
    the server name (plus connectivity and reauth), with a small
    fragment_size to force fragmented EAP-TLS frames, and with the
    credential supplied as an NT hash ("hash:<hex>") instead of the
    password.

    NOTE(review): the hash form authenticates the same account as the
    cleartext "password", i.e. the NT hash is password-equivalent for
    MSCHAP; stored hashes need the same protection as passwords.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    mschap = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP")

    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **mschap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], hapd, "TTLS", "mschap user", password="password",
                fragment_size="200", **mschap)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **mschap)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Negative cases: wrong password for the MSCHAP user, the identity "user"
    with the MSCHAP user's password, and an unknown identity. All three must
    be rejected. Skipped in FIPS mode.
    """
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, user, pw in cases:
        eap_connect(sta, hapd, "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
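def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a domain-qualified identity and domain_suffix_match on the
    server certificate, then re-authenticates and checks the AP-side
    counters moved as expected (EAPOL frames received increased, at least
    one EAP-Start was seen while authenticated, backend successes
    increased). Finally authenticates the same account with the credential
    given as an NT hash.

    The identity literal uses an escaped backslash: "DOMAIN\\mschapv2 user"
    is the same runtime string as before, but "\\m" written as a bare escape
    is an invalid escape sequence that newer Python versions warn about.

    NOTE(review): the NT hash alone is sufficient to authenticate, so it is
    a password-equivalent secret.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # eap_reauth presumably triggers an EAPOL-Start from the already
    # authenticated station; the counter is only checked to be non-zero.
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")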
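def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    For each malformed phase2 string (wrong method-name case, auth= mixed
    with autheap=, duplicated auth=, an unknown autheap= method in a list)
    EAP-TTLS (EAP method type 21) must be proposed and then fail to
    initialise; reaching CTRL-EVENT-CONNECTED is a test failure.

    Raises Exception when TTLS is not started or when no initialisation
    failure is reported for one of the values.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    bad_phase2 = ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
                  "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
                  "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
    for t in bad_phase2:
        # "DOMAIN\\mschapv2 user" - escaped backslash, same runtime string
        # as the old "\m" literal without the invalid-escape warning.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()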
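def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    domain_suffix_match="w1.fi" must accept the server certificate issued
    for server.w1.fi, i.e. a parent-domain suffix is sufficient. Only run
    where the TLS library supports suffix matching (check_domain_match_full
    skips libraries that need a full match).

    Adds check_eap_capa("MSCHAPV2") so builds without the inner method skip
    instead of failing, as the sibling MSCHAPv2 test does, and escapes the
    backslash in the identity literal (same runtime string, no
    invalid-escape warning).
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")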
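def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match="Server.w1.fi" requires a full-name match against the
    certificate for server.w1.fi; the differing case is deliberate and the
    connection must still succeed, i.e. the comparison is case-insensitive
    as DNS names are.

    Adds check_eap_capa("MSCHAPV2") for consistency with the other MSCHAPv2
    tests and escapes the backslash in the identity literal (same runtime
    string, no invalid-escape warning).
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")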
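def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    The MSCHAPv2 user with a near-miss password ("password1") and the
    identity "user" with the correct password must both be rejected.

    Adds check_eap_capa("MSCHAPV2") for consistency with the other MSCHAPv2
    tests and escapes the backslash in the identity literal (same runtime
    string, no invalid-escape warning).
    """
    skip_with_fips(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    cases = [(dev[0], "DOMAIN\\mschapv2 user", "password1"),
             (dev[1], "user", "password")]
    for sta, user, pw in cases:
        eap_connect(sta, hapd, "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)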
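def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] authenticates with a non-ASCII password given as a string, dev[1]
    with a credential supplied as a pre-computed NT hash ("hash:<hex>"), and
    dev[2] checks that malformed password_hex values - a lone UTF-8
    continuation byte, lead bytes without continuation bytes, and a
    257-byte value (presumably over the maximum password length) - produce
    an EAP failure instead of a connection.

    Raises Exception if one of the malformed values does not fail within
    one second.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    eap_connect(dev[1], hapd, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **tunnel)
    for p in ["80", "41c041e04141e041", 257 * "41"]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=p, wait_connect=False, scan_freq="2412",
                       **tunnel)
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()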
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Inner EAP-GTC (autheap=) instead of a legacy inner method; connection,
    connectivity and re-authentication must succeed.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", **gtc)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    A wrong GTC password must be rejected by the server.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc = dict(anonymous_identity="ttls", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **gtc)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    "user-no-passwd" (presumably provisioned on the server without a
    password) must not be accepted whatever password the peer offers.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
                expect_failure=True, **gtc)
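def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Injects allocation failures into hostapd's integrated EAP server
    (eap_gtc_init, then eap_gtc_buildReq) and checks that the inner method
    fails cleanly: the first case must end in an authentication failure,
    the second is stopped as soon as the injected failure has been hit.

    Waiting is done with wait_fail_trigger (as the client-side OOM test in
    this file does), which is meant to fail the test if the trigger never
    fires, rather than a fixed number of polls that would let the test pass
    without exercising the OOM path. The pending network is removed at the
    end so it does not linger into the next test.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # The exchange would only time out from here on; stop once the
        # allocation failure has actually been triggered.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    dev[0].request("REMOVE_NETWORK all")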
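def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)

    Client-side allocation failures in the inner GTC method (method init
    and the message allocation in eap_gtc_process): each connection attempt
    is started without waiting for the result and torn down once the
    injected failure has been hit.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    fail_points = ["eap_gtc_init",
                   "eap_msg_alloc;eap_gtc_process"]
    for func in fail_points:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()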
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Inner EAP-MD5 inside the TTLS tunnel; skipped when the build lacks the
    MD5 method. Connection, connectivity and re-authentication must succeed.
    """
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5 = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", **md5)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    A wrong password for the inner EAP-MD5 method must be rejected.
    """
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5 = dict(anonymous_identity="ttls", password="wrong",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user", expect_failure=True, **md5)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    "user-no-passwd" (presumably provisioned without a password on the
    server) must not be accepted with inner EAP-MD5.
    """
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5 = dict(anonymous_identity="ttls", password="password",
               ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
                expect_failure=True, **md5)
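def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Injects allocation failures into hostapd's integrated EAP server
    (eap_md5_init, then eap_md5_buildReq): the first must produce an
    authentication failure, the second attempt is stopped once the injected
    failure has been hit.

    Uses wait_fail_trigger (as the client-side OOM test in this file does),
    which is meant to fail the test if the trigger never fires, instead of a
    fixed number of polls that would let the test pass without exercising
    the OOM path. The pending network is removed at the end.
    """
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # The exchange would only time out from here on; stop once the
        # allocation failure has actually been triggered.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
    dev[0].request("REMOVE_NETWORK all")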
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Inner EAP-MSCHAPv2 (autheap=) inside the TTLS tunnel: connection,
    connectivity and re-authentication must succeed, and a near-miss
    password ("password1") must be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    "user-no-passwd" (presumably provisioned without a password on the
    server) must not be accepted with inner EAP-MSCHAPv2.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], hapd, "TTLS", "user-no-passwd",
                expect_failure=True, **tunnel)
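def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects allocation failures into hostapd's integrated EAP server at
    eap_mschapv2_init (must produce an authentication failure) and then in
    the challenge, success-request and failure-request builders (the last
    one reached with a wrong password). Each of the latter attempts is
    stopped once the injected failure has been hit.

    Uses wait_fail_trigger (as the client-side OOM test in this file does),
    which is meant to fail the test if the trigger never fires, instead of a
    fixed number of polls that would let the test pass without exercising
    the OOM path.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    def connect_until_alloc_fail(func, password):
        # Start the exchange with the server-side failure armed and return
        # once it has been hit; the handshake would only time out from
        # there. The pending network is removed before the next case.
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem",
                           phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")

    connect_until_alloc_fail("eap_mschapv2_build_challenge", "password")
    connect_until_alloc_fail("eap_mschapv2_build_success_req", "password")
    connect_until_alloc_fail("eap_mschapv2_build_failure_req", "wrong")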
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA run as the inner method of a TTLS tunnel, with the outer
    (anonymous) identity carrying a "@ttls" realm (presumably used by the
    server to route the request to the TTLS handler).
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_aka = dict(anonymous_identity="0232010000000000@ttls",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                     ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_connect(dev[0], hapd, "TTLS", "0232010000000000", **inner_aka)
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA run as the inner method of a PEAP tunnel, with the outer
    (anonymous) identity carrying a "@peap" realm (presumably used by the
    server to route the request to the PEAP handler).
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_aka = dict(anonymous_identity="0232010000000000@peap",
                     password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                     ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "PEAP", "0232010000000000", **inner_aka)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA run as the inner method of an EAP-FAST tunnel with
    fast_provisioning=2 and the PAC kept in a named blob; the outer
    identity carries a "@fast" realm. Skipped when the build lacks
    EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_cfg = dict(anonymous_identity="0232010000000000@fast",
                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka",
                    ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], hapd, "FAST", "0232010000000000", **fast_cfg)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # Four rounds against one AP: plain connect with connectivity and
    # reauthentication checks, a connect with forced EAP fragmentation, a
    # connect with the password given as a hash, and a wrong-password round
    # that must fail.
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], hapd, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # A small fragment_size forces the EAP-TLS handshake to be fragmented.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # password_hex="hash:<hex>" supplies the NtPasswordHash instead of the
    # plaintext password.
    eap_connect(dev[0], hapd, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password1",
                expect_failure=True, **base)
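def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The identity carries a literal backslash ("DOMAIN\user3"). The backslash
    # is written escaped so the backslash-u sequence is not parsed as the
    # start of a unicode escape (a SyntaxError on Python 3); the resulting
    # string is unchanged.
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")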
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    # Negative test: a wrong inner password must make the EAP exchange fail
    # (expect_failure=True makes eap_connect treat failure as the pass case).
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # One station per crypto_binding setting: 2 (required), 1 (optional),
    # 0 (disabled). Only the first station additionally checks data
    # connectivity and reauthentication.
    for i, binding in ((0, 2), (1, 1), (2, 0)):
        eap_connect(dev[i], hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")
        if i == 0:
            hwsim_utils.test_connectivity(dev[0], hapd)
            eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # int_eap_server_params(): the hostapd-internal EAP server is needed so
    # that alloc_fail can be pointed at its eap_mschapv2_getKey.
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    # With the key derivation failing on the server side, required crypto
    # binding cannot be completed and the connection must fail.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): several lines of this listing are missing: the identity=
    # argument of the two dev[0].connect() calls below, the "if ev is None:"
    # guards in front of the raise statements, one tuple of the first `tests`
    # list and the closing argument of the connect() call in the first loop.
    # The code as shown is therefore not syntactically complete.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # peaplabel=1 with PEAPv0 is expected to be rejected by this server.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # peap_outer_success=0: EAP success is expected, but the connection is not
    # completed (see the comment below), so only the EAP-SUCCESS event is
    # awaited.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # peap_outer_success=1 and =2 are expected to connect normally.
    eap_connect(dev[1], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP succeeds but no connection may follow
    # within one second.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): "if ev is not None:" guard missing from this listing.
    raise Exception("Unexpected connection")

    # (anonymous identity, phase1) pairs where the server-selected PEAP version
    # and the peer's peapver setting agree; each must connect.
    tests = [ ("peap-ver0", ""),
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatching PEAP version between server and peer: EAP-Failure expected.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): "if ev is None:" guard missing from this listing.
        raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Parse-and-connect check for the TLS tuning flags in phase1. Note that
    # tls_allow_md5=1 re-enables MD5 signatures, which is only acceptable in
    # a test setup like this one.
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # EAP-TLS as the inner PEAP method: the *2 parameters configure the
    # phase 2 certificate set separately from the outer TLS tunnel.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], hapd, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Plain EAP-TLS with a PEM client certificate and key, followed by a
    # reauthentication round.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    # The private key is an encrypted PKCS #8 file (PKCS #5 v2, 3DES), so a
    # passphrase is required to load it.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8",
                        private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Same as the v2 case but with the legacy PKCS #5 v1.5 encryption scheme;
    # this only checks that the key file can still be loaded.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                        private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_creds)
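def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    # The CA certificate, client certificate and client key are loaded into
    # wpa_supplicant configuration blobs ("SET blob <name> <hex>") and then
    # referenced as blob://<name>, so the network block holds no file paths.
    # Raises Exception if any SET blob request is not acknowledged with OK.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # (blob name, PEM file) pairs. The error message names the blob that
    # failed; previously the userkey failure was reported as "cacert".
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        # NOTE: str.encode("hex") is the Python 2 codec spelling; on Python 3
        # this needs binascii.hexlify().
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")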
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    # All three credential references point at a blob that was never set;
    # wpa_supplicant must refuse to initialize EAP-TLS rather than proceed
    # without credentials.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    # phase1="include_tls_length=1" makes the peer add the TLS Message Length
    # field even when no fragmentation is needed.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        phase1="include_tls_length=1",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **client_creds)
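def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Round 1: PKCS#12 bundle with the passphrase in the configuration.
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Round 2: same bundle without private_key_passwd. The supplicant must
    # request the passphrase over the control interface instead of failing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request id is the number after the last '-' in the
    # "CTRL-REQ-PASSPHRASE-<id>:..." event and must be echoed back in the
    # reply. (Named req_id rather than id so the builtin is not shadowed.)
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        for _ in range(2):
            eap_connect(dev[0], hapd, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()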
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Both the CA certificate (PEM text) and the PKCS#12 bundle (raw bytes
    # read in binary mode) are pushed into configuration blobs as hex strings.
    # NOTE: .encode("hex") is the Python 2 codec spelling; Python 3 needs
    # binascii.hexlify() here.
    def set_blob(name, data):
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
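def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # Both stations trust a CA that did not issue the server certificate:
    # dev[0] via a configuration blob, dev[1] via a file path. Each must go
    # through EAP start -> TTLS selected -> TLS certificate error -> EAP
    # failure -> disconnection -> network block temporarily disabled. An
    # EAP-SUCCESS or CONNECTED event anywhere in that sequence is a failure,
    # since the tunnel must never complete against an unverified server.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    # NOTE: .encode("hex") is the Python 2 codec spelling.
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # The identity contains a literal backslash; it is written escaped so the
    # sequence is not treated as an escape. The string value is unchanged.
    for wpas, ca_cert in ((dev[0], "blob://cacert"),
                          (dev[1], "auth_serv/ca-incorrect.pem")):
        wpas.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                     identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                     password="password", phase2="auth=MSCHAPV2",
                     ca_cert=ca_cert,
                     wait_connect=False, scan_freq="2412")

    # The loop variable is deliberately not called "dev" so the parameter
    # list is not shadowed.
    for wpas in (dev[0], dev[1]):
        ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first outcome event must be the certificate error.
        ev = wpas.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                              "CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wpas.wait_event(["CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # After the rejection the network block must be temporarily disabled
        # so the station does not keep retrying against the same server.
        ev = wpas.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")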
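def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Block 1 trusts the CA that issued the server certificate and is expected
    # to connect (wait_connect=True).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Block 2 is identical except for a CA that did not issue the server
    # certificate; only_add_network=True adds it without selecting it.
    # (Named net_id rather than id so the builtin is not shadowed.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS run (method 21) must be proposed for the new block
    # rather than the earlier successful authentication being carried over.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # Validation against the wrong CA must fail, ending in a disconnection
    # with reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")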
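def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Block 1 sets no ca_cert at all, i.e. the server certificate is not
    # validated on this first connection (acceptable only in a test setup).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Block 2 pins a CA that did not issue the server certificate and must
    # therefore be rejected even though block 1 just succeeded.
    # (Named net_id rather than id so the builtin is not shadowed.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS run (method 21) must be proposed for the new block.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23: IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")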
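def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Single network block: connect once with the correct CA ...
    # (Named net_id rather than id so the builtin is not shadowed.)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # ... then swap its ca_cert for a wrong one in place and reselect it. The
    # changed trust root must be applied to the next EAP run, not cached.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # A fresh EAP-TTLS run (method 21) must be proposed.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23: IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")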
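def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # The CA is the correct one; only domain_suffix_match is wrong, so the
    # rejection has to come from the suffix check, not from chain validation.
    # The identity's backslash is written escaped; the string is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error carrying the
    # suffix-mismatch reason; EAP-SUCCESS or CONNECTED here would mean the
    # mismatching server was accepted.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the rejection the network block must be temporarily disabled so
    # the station does not keep retrying against the same server.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")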
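def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Correct CA, but domain_match requires a full match of the server name
    # and "w1.fi" is expected not to match the test server certificate.
    # The identity's backslash is written escaped; the string is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error with the
    # domain-mismatch reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled after the rejection.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")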
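def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Correct CA, but subject_match names a CN the test server certificate is
    # expected not to carry.
    # The identity's backslash is written escaped; the string is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # TLS libraries without subject_match support refuse to initialize the
    # method at all; that is accepted as a pass for non-OpenSSL builds since
    # the connection is still rejected.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error with the
    # subject-mismatch reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled after the rejection.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")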
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Starts one AP and runs _test_ap_wpa2_eap_tls_neg_altsubject_match() once
    # per altsubject_match value; each value must fail to match the server
    # certificate so the connection is rejected.
    # NOTE(review): the remaining entries of `tests` and the
    # "for match in tests:" loop header are not present in this listing; the
    # call below uses the loop variable `match`.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
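def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative round on dev[0].

    match: the altsubject_match value to configure; it is expected not to
    match the server certificate, so the round must end in a TLS certificate
    error with the "AltSubject mismatch" reason, an EAP failure, a
    disconnection and the network block being temporarily disabled. The
    network block is removed at the end so the caller can run the next value.
    """
    # The identity's backslash is written escaped; the string is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # TLS libraries without altsubject_match support refuse to initialize the
    # method; accepted as a pass for non-OpenSSL builds since the connection
    # is still rejected.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome event must be the certificate error with the
    # altsubject-mismatch reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The network block must be temporarily disabled after the rejection.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")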
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS: server-authenticated TLS without a client certificate; the
    # peer still validates the server against ca_cert.
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
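def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint expected for the test server certificate.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Step 1: ca_cert="probe://" only probes the server certificate chain.
    # The depth=0 certificate event must report the expected hash and the
    # authentication must then abort with a "Server certificate chain probe"
    # certificate error instead of completing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pinning a different SHA-256 value must be rejected with a
    # "Server certificate mismatch" certificate error.
    # The identity's backslash is written escaped; the string is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pinning the hash reported by the probe must connect.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")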
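def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # Three malformed hash://server/ values, one per station. Each must make
    # EAP-TTLS fail to initialize rather than silently skip server
    # certificate validation.
    bad_hashes = [
        # unsupported digest algorithm
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # sha256 value that is too short
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the value
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # The identity's backslash is written escaped; the string is unchanged.
    for i, ca_cert in enumerate(bad_hashes):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=ca_cert,
                       wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")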
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # NOTE(review): this listing is missing the trailing argument line(s) and
    # closing parenthesis of the two eap_connect() calls that use the long
    # identity; the code as shown is not syntactically complete.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Plain EAP-pwd with the configured password, then a reauthentication.
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity: exercises EAP-pwd identity handling beyond the
    # usual NAI length.
    eap_connect(dev[1], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",

    logger.info("Negative test with incorrect password")
    # "secret-password" differs from the configured "secret password"; the
    # failure is expected and reported locally (local_error_report=True).
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user must authenticate both with the plaintext password
    and with its NT hash supplied as password_hex="hash:<16 bytes>", while
    the same NT hash must be rejected for "pwd user". NOTE: an NT hash is a
    password-equivalent credential; protect it like the plaintext.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Plaintext and NT-hash forms of the same credential for "pwd-hash".
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nt_hash)
    # Negative case: the hash is not a valid credential for "pwd user".
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Brings the AP up once per pwd_group value and verifies a connection with
    each. The numbers are IANA IKE group IDs: 19/20/21 are NIST P-256/P-384/
    P-521, 25/26 are P-192/P-224, and 27-30 are the Brainpool curves, which
    are only added when both build-time and run-time OpenSSL are 1.0.2.
    NOTE: P-192/P-224 are below the 128-bit security level and are covered
    here for interoperability only.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    # NOTE(review): a substring match on "OpenSSL 1.0.2" means any newer
    # OpenSSL release never gets Brainpool coverage from this test.
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # NOTE(review): the loop header over `groups` and the try/except that
    # frames the connection attempt are not present in this listing.
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        eap_connect(dev[0], hapd, "PWD", "pwd user",
                    password="secret password")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
        # Failure path: group 25 is tolerated with BoringSSL only.
        if "BoringSSL" in tls and i in [ 25 ]:
            logger.info("Ignore connection failure with group %d with BoringSSL" % i)
            dev[0].request("DISCONNECT")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP is configured with pwd_group=0, which is not a valid group ID;
    the station is expected to see an EAP failure rather than a connection.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout: wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the "if ev is None:" guard is missing from this listing.
    raise Exception("Timeout on EAP failure report")
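def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP's integrated EAP server (eap_server=1) is configured with
    fragment_size=40, forcing it to split its EAP-pwd messages into several
    fragments; the station must reassemble them and still authenticate as
    "pwd user" (group 19 / P-256).
    """
    check_eap_capa(dev[0], "PWD")
    # Build the AP parameters directly: the previous version also called
    # hostapd.wpa2_eap_params() here and immediately discarded the result.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")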
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Authenticates "gpsk user" with a 32-character PSK, reauthenticates,
    forces each of the two cipher suites via phase1 (cipher=1, cipher=2),
    checks that an unknown suite (cipher=9) fails negotiation, and finally
    verifies that a PSK differing in its first bytes is rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # NOTE(review): cipher=1/2 are presumably the RFC 5433 suites (AES-based
    # and SHA-256-based) -- confirm against the eap_gpsk implementation.
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Changing phase1 on the configured network triggers a new
        # authentication (the statement doing so is not in this listing).
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): "if ev is None:" guard missing from this listing.
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates "sake user" with a 32-byte root secret passed as
    password_hex, reauthenticates, and then checks that a secret differing
    only in its first byte is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    root_secret = "0123456789abcdef" * 4
    eap_connect(sta, hapd, "SAKE", "sake user", password_hex=root_secret)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same secret with the leading byte changed from 0x01 to 0xff.
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="ff" + root_secret[2:], expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Authenticates "eke user" with password "hello", reauthenticates, forces
    several DH-group/encryption/PRF/MAC combinations through phase1, checks
    that an all-unknown combination fails, and finally verifies that a
    wrong password is rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # NOTE(review): the numeric values are presumably the RFC 6124
    # registry IDs (dhgroup, encr, prf, mac) -- confirm in eap_eke_common.
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): "if ev is None:" guard missing from this listing.
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Stress test: 100 rounds of EAP-EKE connections, each round iterating
    over the stations. A round that ends in CTRL-EVENT-DISCONNECTED is
    counted as a failure rather than aborting the test, because the RADIUS
    server's active-session limit can be hit here. Only runs with --long.
    """
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): the success/fail counter initialisation and the inner
    # loop over the station index `j` are not present in this listing.
    for i in range(100):
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            # NOTE(review): "if ev is None:" guard missing from this listing.
            raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                # NOTE(review): the counter update, delay and `continue`
                # after this point are not present in this listing.
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the integrated EAP server with server_id set to an NAI-style value
    and verifies that EAP-EKE still completes for "eke user".
    """
    ap_params = int_eap_server_params()
    ap_params.update(server_id='example.server@w1.fi')
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the AP-side (integrated EAP server)
    EAP-EKE code paths and checks the server fails the exchange cleanly:
    first at specific allocation counts in the build/process functions,
    then in init/key/session-id/message builders, and finally by sweeping
    the allocation count in eap_server_sm_step until no failure triggers.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Server-side failures where the station is expected to observe an
    # EAP failure.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")
    # Failures that may not surface as an EAP failure on the station; the
    # test only waits until the injected failure has been consumed.
    # "wrong" is used for eap_eke_build_failure so the server actually
    # reaches its failure-message builder.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop around this check and its
            # `break` are not present in this listing.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
    # Sweep eap_server_sm_step allocation counts until one no longer
    # triggers. `pw` here is whatever the previous loop left it at (the
    # last tuple entry, "hello").
    # NOTE(review): the `try:` framing the body and the polling/break
    # statements are not present in this listing.
    for count in range(1, 1000):
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                dev[0].request("REMOVE_NETWORK all")
        # Python 2 except syntax; "Allocation failure did not trigger"
        # is the signal that the sweep has run past the last allocation.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # NOTE(review): the condition deciding between "too few"
                # and a normal stop is not present in this listing.
                raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Covers a baseline EAP-IKEv2 authentication plus reauthentication,
    station-side fragmentation with a 50-byte fragment size, rejection of a
    wrong password, and a final run with fragment_size="0" (presumably
    "no fragmentation" -- confirm in the EAP-IKEv2 peer code).
    """
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    user = "ikev2 user"
    pw = "ike password"

    eap_connect(sta, hapd, "IKEV2", user, password=pw)
    eap_reauth(sta, "IKEV2")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "IKEV2", user, password=pw, fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "IKEV2", user, password="ike-password",
                expect_failure=True)

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "IKEV2", user, password=pw, fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
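def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP's integrated EAP server (eap_server=1) is configured with
    fragment_size=50, so its EAP-IKEv2 messages arrive at the station in
    several fragments; authentication and a reauthentication must still
    succeed for "ikev2 user".
    """
    check_eap_capa(dev[0], "IKEV2")
    # Build the AP parameters directly: the previous version also called
    # hostapd.wpa2_eap_params() here and immediately discarded the result.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")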
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects station-side failures into the DH code used by EAP-IKEv2:
    allocation failures in dh_init / dh_derive_shared, and a failure of
    os_get_random called from dh_init. Each run only waits for the EAP
    method to be selected and for the injected failure to be consumed.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): one list entry between these two is not present in this
    # listing.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): "if ev is None:" guard missing from this listing.
            raise Exception("EAP method not selected")
            # "0:" in GET_ALLOC_FAIL means the pending failure count has
            # reached zero, i.e. the injected failure has fired.
            # NOTE(review): the polling loop and `break` around this check
            # are not present in this listing.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # "a;b" selects function a only when called from b.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): "if ev is None:" guard missing from this listing.
            raise Exception("EAP method not selected")
            # NOTE(review): polling loop and `break` missing here as well.
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates "pax.user@example.com" with a 16-byte key passed as
    password_hex, reauthenticates, and then verifies that a key differing
    only in its first byte is rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    pax_key = "0123456789abcdef" * 2
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex=pax_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same key with the leading byte changed from 0x01 to 0xff.
    eap_connect(sta, hapd, "PAX", "pax.user@example.com",
                password_hex="ff" + pax_key[2:], expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP offers only the WPA-EAP-SHA256 AKM and requires PMF
    (ieee80211w=2), so the station has to request and get AKM suite
    00-0f-ac-5 and the BSS must be listed as [WPA2-EAP-SHA256-CCMP].
    Afterwards a key differing only in its first byte must be rejected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    user = "psk.user@example.com"
    psk_key = "0123456789abcdef" * 2

    eap_connect(sta, hapd, "PSK", user, password_hex=psk_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    akm = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", akm),
                     ("dot11RSNAAuthenticationSuiteSelected", akm) ])

    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", user, password_hex="ff" + psk_key[2:],
                sha256=True, expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects station-side failures into the AES-EAX / OMAC1 / AES-CTR
    primitives EAP-PSK is built on and checks that the supplicant copes:
    allocation failures in the EAX wrappers, forced failures of the
    underlying primitives when called from the EAX wrappers, and a failure
    of the raw AES block encryption (which must surface as an EAP failure).
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): the leading "=" presumably restricts the match to that
    # exact function rather than anything below it -- confirm in utils.
    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): "if ev is None:" guard missing from this listing.
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # "a;b" selects function a only when called from b; the count picks
    # which of the repeated OMAC1 invocations inside EAX fails.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): "if ev is None:" guard missing from this listing.
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A failing AES block operation must turn into an explicit EAP failure.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): "if ev is None:" guard missing from this listing.
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Legacy WPA (non-RSN) + 802.1X: the negotiated AKM must be the WPA OUI
    suite 00-50-f2-1 rather than an RSN one, the 802.1X port must be in
    Auto control mode, and STATUS-VERBOSE must expose an EAP Session-Id
    that starts with 0x19 (= 25, the EAP-PEAP method type, which is
    presumably what prefixes the Session-Id).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the last argument line of this call is not present in
    # this listing.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each tuple is (description, EAP method, anonymous_identity, identity,
    phase2, identity to supply on request, password to supply on request).
    When identity or password is left out of the network block, the
    supplicant raises CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or
    CTRL-REQ-OTP) and the test answers through the control interface.
    NOTE: the credential travels in clear over the control socket; that is
    fine for hwsim but the socket must be access-controlled in real use.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # NOTE(review): the second line of the first tuple is not present in
    # this listing.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): the condition that only enters this branch when
        # req_id is set, and the "if ev is None:" guards, are not present
        # in this listing. `id` and `type` below shadow builtins.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # Request id is the trailing number of "CTRL-REQ-IDENTITY-<id>:".
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password instead of a password.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Connects with an identity supplied interactively (CTRL-RSP-IDENTITY),
    then enables a second, unrelated network ("other") while connected and
    checks that this does not make the supplicant drop the current
    association and start a new authentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Second network is only added, not selected.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\mschapv2 user"
    # identity=None makes the supplicant ask for it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # A new SME authentication attempt within 1 s would mean the enable
    # kicked off a reconnection.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): the "if ev is not None:" guard is missing from this
    # listing.
    raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Authenticates and reauthenticates with the built-in vendor-specific
    test method ("VENDOR-TEST"), then starts a second connection on dev[1].
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the remaining argument(s) of this call are not present
    # in this listing.
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)

    Injects a first-allocation failure into each of the vendor test
    method's init / process (via eap_msg_alloc) / getKey paths and waits
    for the failure to be consumed before cleaning up.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    tests = [ "eap_vendor_test_init",
              "eap_msg_alloc;eap_vendor_test_process",
              "eap_vendor_test_getKey" ]
    # NOTE(review): the loop header over `tests` and two argument lines of
    # the connect() call are not present in this listing.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="VENDOR-TEST", identity="vendor-test",
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    The first connection provisions a PAC (fast_provisioning=1, stored in
    the "fast_pac" blob); the reauthentication afterwards must resume the
    TLS session from that PAC (tls_session_reused == "1").
    NOTE(review): with unauthenticated provisioning the PAC is obtained in
    an exchange where the server is not certificate-authenticated, so
    ca_cert does not protect that first round; acceptable for this test,
    not a pattern for production configurations.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text PAC file under the log directory and
    checks its header and that a PAC-Key was written, then reconnects
    using it; dev[1] repeats the exercise with the binary PAC format.
    NOTE: the PAC file holds the PAC-Key, a long-lived secret; it is
    written under logdir here and removed at the end.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): the `try:` framing the body, the pac_file arguments of
    # the later calls, the file read, and the final cleanup block are only
    # partially present in this listing.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
                raise Exception("PAC file header missing")
            if "PAC-Key=" not in data:
                raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        # Reconnect without provisioning, using the stored PAC.
        eap_connect(dev[0], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        # Same flow with the binary PAC format on dev[1].
        eap_connect(dev[1], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], hapd, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
            os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC in binary format into the "fast_pac_bin" blob with
    fast_max_pac_list_len=1 and checks that reauthentication resumes the
    TLS session from it; then repeats the provisioning with the
    fast_max_pac_list_len=0 special case.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    sta = dev[0]
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, hapd, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning in phase1, EAP-FAST must fail both when the
    configured pac_file blob does not exist and when no pac_file is
    configured at all; in both cases an EAP failure is expected.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Blob name that was never populated.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # No pac_file at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): "if ev is None:" guard missing from this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors

    Exercises the binary PAC store's error handling on the station:
    allocation failures while saving a freshly provisioned PAC, a set of
    malformed binary PAC blobs that must be rejected at method init,
    allocation failures while loading a minimal valid blob, and finally
    allocation failures while extracting the A-ID from a blob that
    carries one. All blobs live in the "fast_pac_bin_errors" blob.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # Save path: blob is emptied first so provisioning has to write it.
    tests = [ (1, "=eap_fast_save_pac_bin"),
              (1, "eap_fast_write_pac"),
              (2, "eap_fast_write_pac"), ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Malformed blobs. Layout, as far as these vectors show it: the header
    # "6ae4920c0000", a 2-byte field, a 32-byte field, then two 2-byte
    # lengths followed by the data they describe; the last entries carry
    # lengths that do not match the data present.
    # NOTE(review): one list entry and the loop header over `tests` are
    # not present in this listing.
    tests = [ "00", "000000000000", "6ae4920c0001",
              "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
            raise Exception("Could not set blob")
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_pac_format=binary",
                       pac_file="blob://fast_pac_bin_errors",
                       scan_freq="2412", wait_connect=False)
        # NOTE(review): the timeout argument and the "if ev is None:" guard
        # are not present in this listing.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
        raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Minimal well-formed blob (both lengths zero): load-path allocation
    # failures must still be reported as a method init failure.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [ (1, "eap_fast_load_pac_bin"),
              (2, "eap_fast_load_pac_bin"),
              (3, "eap_fast_load_pac_bin") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1 fast_pac_format=binary",
                           pac_file="blob://fast_pac_bin_errors",
                           scan_freq="2412", wait_connect=False)
            # NOTE(review): timeout argument and guard missing here as well.
            ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
            raise Exception("Failure not reported")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Blob with a 5-byte second field; must still load and connect.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
        raise Exception("Could not set blob")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin_errors")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Same 9 bytes as the last malformed vector, now with a matching length
    # (0x0009), so the blob parses and the A-ID lookup is reached.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [ (1, "eap_fast_pac_get_a_id"),
              (2, "eap_fast_pac_get_a_id") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], hapd, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors

    Three failure paths of the text-format PAC store: allocation failures
    injected into the PAC parser/writer, a PAC blob that cannot be parsed,
    and an allocation failure while a freshly provisioned PAC is appended
    to the PAC list. None of these may leave the supplicant running on
    corrupt PAC state.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # (which allocation to fail, call chain it has to happen in)
    tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
              (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
              (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
              (1, "eap_fast_parse_start"),
              (1, "eap_fast_save_pac") ]
    for count, func in tests:
        dev[0].request("FLUSH")
        # Start from an empty blob so provisioning has to write a new PAC,
        # which is the code path the failure is injected into.
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            # Only checks that the injected failure actually fired; the
            # outcome of the connection attempt is not asserted here.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Malformed PAC text. NOTE(review): the lines appending the rest of the
    # PAC body are elided from this listing; only the header is visible.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    # str.encode("hex") exists only on Python 2 (this file also uses the
    # "except Exception, e" form); binascii.hexlify() is the portable spelling.
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
        raise Exception("Could not set blob")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_text_errors",
                   scan_freq="2412", wait_connect=False)
    # An unparseable PAC must abort EAP method initialization rather than
    # be silently ignored.
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    # NOTE(review): the "ev is None" guard is elided from this listing.
        raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")

    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        # NOTE(review): the loop header defining `i` (one AP per iteration,
        # each with its own A-ID and opaque key) is elided from this listing.
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i

            hapd2 = hostapd.add_ap(apdev[1], params)

            dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            # The association still has to complete: failing to add the PAC
            # to the list must not break the authenticated session itself.
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation

    Provisions PACs from several distinct servers while the stored list is
    capped at fast_max_pac_list_len=2, so the PAC store has to drop entries
    instead of growing without bound.
    """
    check_eap_capa(dev[0], "FAST")
    # Start with an empty blob so every PAC in the list comes from this test.
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    # NOTE(review): the loop header defining `i` is elided from this listing.
        # Per-iteration A-ID and opaque-encryption key make each server's
        # PAC distinct; these are fixed test values, not secrets.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        hapd = hostapd.add_ap(apdev[0], params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                       pac_file="blob://fast_pac_truncate",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh

    First round: servers with a short pac_key_refresh_time (1 s) inside a
    10 s lifetime, so a reconnect is expected to receive a refreshed PAC.
    Second round: refresh time equal to the lifetime (10 s), the
    no-refresh case. Both rounds only require the connection to succeed.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): the loop header defining `i` is elided from this listing.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = "1"
        params['pac_key_lifetime'] = "10"
        hapd = hostapd.add_ap(apdev[0], params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac_refresh",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # NOTE(review): the lines between the two rounds (presumably a delay
    # and the second loop header) are elided from this listing.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = "10"
        params['pac_key_lifetime'] = "10"
        hapd = hostapd.add_ap(apdev[0], params)

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1",
                       pac_file="blob://fast_pac_refresh",
                       scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime

    Provisions a PAC with a 2 s lifetime and no refresh, then forces a full
    EAP exchange after expiry (PMKSA flushed so the cached PMK cannot mask
    it). The expired PAC must be rejected with EAP-Failure; a later
    select_network() must recover by provisioning a new PAC.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): the loop header defining `i` is elided from this listing.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = "0"
        params['pac_key_lifetime'] = "2"
        hapd = hostapd.add_ap(apdev[0], params)

        # `id` shadows the builtin; kept as in the original.
        id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=2",
                            pac_file="blob://fast_pac_refresh",
                            scan_freq="2412", wait_connect=False)
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        # NOTE(review): the wait for the 2 s lifetime to pass is elided
        # from this listing.
        # Without the PMKSA flush a reconnect could use the cached PMK and
        # never present the expired PAC.
        dev[0].request("PMKSA_FLUSH")
        dev[0].request("RECONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the "ev is None" guard is elided from this listing.
            raise Exception("No EAP-Failure seen after expired PAC")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        # Recovery: re-selecting the network must succeed (re-provisioning).
        dev[0].select_network(id)
        dev[0].wait_connected()
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC with fast_provisioning=2 (authenticated provisioning,
    with ca_cert configured for the server check), verifies data
    connectivity, then reauthenticates and requires TLS session resumption
    as proof that the provisioned PAC was stored and actually used.
    """
    check_eap_capa(dev[0], "FAST")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_cfg = {
        "anonymous_identity": "FAST",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=GTC",
        "phase1": "fast_provisioning=2",
        "pac_file": "blob://fast_pac_auth",
    }
    eap_connect(dev[0], ap, "FAST", "user", **client_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    # A full handshake on reauth would mean the PAC was not used.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful connection as "user", the network's identity is
    switched to "user2" on the live profile. The resulting reconnect must
    start EAP-FAST and then fail: state provisioned for one identity must
    not authenticate a different one.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # `id` shadows the builtin; kept as in the original.
    id = eap_connect(dev[0], hapd, "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity triggers a disconnect/reconnect cycle.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the "ev is None" guards are elided from this listing.
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Fails the allocation inside the TLS-library-specific key derivation
    used by EAP-FAST and requires the method to report EAP-Failure rather
    than continue with missing key material.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # The PRF entry point differs per TLS backend; `count` (which allocation
    # to fail) is set on lines elided from this listing.
    if tls.startswith("OpenSSL"):
        func = "tls_connection_get_eap_fast_key"
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
    # NOTE(review): the else branch header is elided from this listing.
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): the "ev is None" guard is elided from this listing.
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Fails an allocation in hostapd's session-ticket extension callback
    (the server-side PAC handling) and requires the authentication to end
    in EAP-Failure; a subsequent select_network() exercises recovery.
    """
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed test values for the PAC opaque key and A-ID; not secrets.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0], params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        # `id` shadows the builtin; kept as in the original.
        id = eap_connect(dev[0], hapd, "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the "ev is None" guard is elided from this listing.
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # NOTE(review): the line after this (presumably wait_connected) is
    # elided from this listing.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites

    Checks the suite negotiated for authenticated provisioning, then pins
    the client's cipher list (openssl_ciphers) per suite and verifies the
    reported 'EAP TLS cipher' matches. OpenSSL-only, since the cipher names
    are OpenSSL's.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # Authenticated provisioning is expected on a server-authenticated
    # DHE-RSA suite, not an anonymous one.
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # NOTE(review): the middle entries of this list are elided from this
    # listing; the except branch below shows it includes "RC4-SHA".
    tests = [ "DHE-RSA-AES128-SHA",
              "DHE-RSA-AES256-SHA" ]
    for cipher in tests:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        # NOTE(review): the "try:" header is elided from this listing.
            eap_connect(dev[0], hapd, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers")
        except Exception, e:
            # RC4 is absent from OpenSSL 1.1 builds, so a failure to
            # negotiate it there is tolerated; any other failure propagates
            # (the continue/raise lines are elided from this listing).
            if "Could not select EAP method" in str(e) and cipher == "RC4-SHA":
                tls = dev[0].request("GET tls_library")
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    dev[0].request("REMOVE_NETWORK all")
                    dev[0].wait_disconnected()
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): the "if res != cipher:" guard is elided from this listing.
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case: with ocsp=2 (the mode the revoked/unknown/invalid OCSP
    tests in this file expect to fail on a bad status) the default test AP
    must still authenticate, i.e. its stapled response is acceptable.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,
    }
    eap_connect(dev[0], ap, "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same positive connection as test_ap_wpa2_eap_tls_ocsp, gated on a
    build with OCSP multi-stapling support. NOTE(review): the client still
    uses ocsp=2 here, whereas the later multi tests use ocsp=3; confirm
    whether this is meant to exercise the multi path at all.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,
    }
    eap_connect(dev[0], ap, "TLS", "tls user", **client_creds)
def int_eap_server_params():
    """Base hostapd parameters for an AP using the built-in EAP server.

    WPA2/CCMP with EAP key management, the test user database and the test
    CA/server certificate material. Callers add OCSP, EAP-FAST or
    certificate-chain settings on top. NOTE(review): the return statement
    is elided from this listing.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "dh_file": "auth_serv/dh.conf" }
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    Staples a pre-generated response whose responder is identified by key
    ID rather than by name; with ocsp=2 the connection must succeed.
    The response file is expected in the log directory (presumably produced
    by an earlier setup step); absent that, the test is skipped.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): the closing argument line of this call is elided from
    # this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    A "good" response signed directly by the issuing CA must be accepted
    under ocsp=2. Skipped when the pre-generated response is missing.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): the closing argument line of this call is elided from
    # this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    A CA-signed "revoked" response must make the client reject the server
    certificate: an EAP status of either 'bad certificate status response'
    or 'certificate revoked' followed by EAP-Failure.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        # Either status is an acceptable rejection of the server certificate.
        if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)

    With ocsp=2 an "unknown" certificate status is not good enough: the
    client must report 'bad certificate status response' and fail EAP.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response

    A response signed by the server certificate itself is not from an
    authorized responder and must be rejected ('bad certificate status
    response' then EAP-Failure) -- otherwise a server could vouch for its
    own revoked certificate.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The AP staples an OCSP *request* (ocsp-req.der) where a response is
    expected. The client must treat the undecodable blob as a bad status
    response and fail EAP instead of falling back to "no OCSP".
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    A corrupted stapled response (ocsp-server-cache.der-invalid) must be
    reported as 'bad certificate status response' and end in EAP-Failure
    under ocsp=2.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    A response signed by a key the client does not trust
    (ocsp-server-cache.der-unknown-sign) must be rejected as a bad status
    response and end in EAP-Failure; signature verification of the
    responder is the whole point of stapling.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Same revocation check as the EAP-TLS variant, but through EAP-TTLS/PAP:
    a stapled "revoked" status must abort the tunnel before the password
    is ever sent, ending in EAP-Failure.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    (The original docstring said "revoked"; the stapled response here is
    the "unknown" one.) With ocsp=2, an unknown status must be treated as
    a bad status response and the EAP-TTLS exchange must fail.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
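def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown with ocsp=1 (OCSP
    requested but not required): the same "unknown" stapled response must
    NOT block the connection, so connect() is expected to succeed.
    Note that this is the advisory mode -- only ocsp=2 enforces a good
    status. Skipped when the pre-generated response is missing.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # wait_connect defaults to waiting, so a failed authentication fails
    # the test here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")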
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA

    Both sides present a chain through an intermediate CA; each side's
    trust anchor file bundles the intermediate and the root
    (ca-and-root.pem), so chain building has to work in both directions.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): the closing argument line of this call is elided from
    # this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
def root_ocsp(cert):
    """Generate an OCSP response for `cert` signed directly by the test root CA.

    Builds a request with the openssl CLI, then answers it from the root
    CA's index file using the CA key as responder key (-rsigner/-rkey),
    valid for 7 days and without embedding responder certs
    (-resp_no_certs), so a client must already trust the CA to accept it.
    NOTE(review): fd cleanup, stream closing, the removal of the request
    file and the return of the response path are elided from this listing.
    """
    ca = "auth_serv/ca.pem"
    fd2, fn2 = tempfile.mkstemp()

    # Argument list (no shell), so the paths are never shell-interpreted.
    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
            "-no_nonce", "-sha256", "-text" ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    # Reading stdout to EOF before stderr can deadlock if the child fills
    # the stderr pipe; Popen.communicate() is the safe form.
    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
    logger.info("OCSP request:\n" + res)

    fd, fn = tempfile.mkstemp()
    # NOTE(review): the closing "-text" ] line of this list is elided.
    arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
            "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
    logger.info("OCSP response:\n" + res)
3848 prefix = "auth_serv/iCA-server/"
3849 ca = prefix + "cacert.pem"
3850 cert = prefix + cert
3852 fd2, fn2 = tempfile.mkstemp()
3855 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3856 "-no_nonce", "-sha256", "-text" ]
3857 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3858 stderr=subprocess.PIPE)
3859 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3862 logger.info("OCSP request:\n" + res)
3864 fd, fn = tempfile.mkstemp()
3866 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
3867 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
3868 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3869 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3871 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3872 stderr=subprocess.PIPE)
3873 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3876 logger.info("OCSP response:\n" + res)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    The stapled response is generated at test time by ica_ocsp() for the
    (good) server certificate issued by the intermediate CA; with ocsp=2
    the connection must succeed. NOTE(review): the cleanup after connect()
    is elided from this listing.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=2)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate

    The server presents a certificate the intermediate CA has revoked and
    staples a fresh response saying so. Note the client uses ocsp=1
    (optional): a definitive "revoked" answer must still be fatal even in
    the advisory mode -- no EAP-Success, then EAP-Failure.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
    params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
    fn = ica_ocsp("server-revoked.pem")
    params["ocsp_stapling_response"] = fn
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=1, wait_connect=False)

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                "CTRL-EVENT-EAP-SUCCESS"])
            raise Exception("Timeout on EAP status")
        # Connecting at all on a revoked certificate is the failure mode
        # this test exists to catch.
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP-Success")
        if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response

    The client demands multi-stapling (ocsp=3) but the AP is configured
    with only a single ocsp_stapling_response and no
    ocsp_stapling_response_multi. The missing multi response must be
    treated as a failed status check: no EAP-Success, then EAP-Failure.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=3, wait_connect=False)

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                "CTRL-EVENT-EAP-SUCCESS"])
            raise Exception("Timeout on EAP status")
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP-Success")
        if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK

    Builds a multi-stapling list with one response per chain element: the
    server certificate (signed by the intermediate CA) and the
    intermediate CA certificate (signed by the root). With ocsp=3 the
    connection must succeed.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    params["ocsp_stapling_response"] = fn

    # DER read in text mode: harmless on Python 2/Linux, but would need
    # binary mode under Python 3.
    with open(fn, "r") as f:
        resp_server = f.read()
    with open(fn2, "r") as f:
    # NOTE(review): the read into resp_ica, the write of resp_ica and the
    # close of the list file are elided from this listing.
    fd3, fn3 = tempfile.mkstemp()
    f = os.fdopen(fd3, 'w')
    # Each entry is a 3-byte big-endian length followed by the DER response
    # (struct.pack(">L", n)[1:4] is the uint24 prefix).
    f.write(struct.pack(">L", len(resp_server))[1:4])
    f.write(resp_server)
    f.write(struct.pack(">L", len(resp_ica))[1:4])
    params["ocsp_stapling_response_multi"] = fn3

    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=3)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)

    Hand-assembles a multi-stapling list mixing "unknown" and "revoked"
    responses plus a zero-length entry, and connects with ocsp=1
    (optional). The client must still refuse to complete EAP: a "revoked"
    status anywhere in the list wins over the advisory mode, and the empty
    entry must not break parsing.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    # DER read in text mode: harmless on Python 2/Linux, but would need
    # binary mode under Python 3.
    with open(ocsp_revoked, "r") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "r") as f:
        resp_unknown = f.read()

    fd, fn = tempfile.mkstemp()
    # This is not really a valid order of the OCSPResponse items in the
    # list, but this works for now to verify parsing and processing of
    # multiple responses.
    # Each entry: 3-byte big-endian (uint24) length, then the DER bytes.
    f = os.fdopen(fd, 'w')
    f.write(struct.pack(">L", len(resp_unknown))[1:4])
    f.write(resp_unknown)
    f.write(struct.pack(">L", len(resp_revoked))[1:4])
    f.write(resp_revoked)
    # Deliberate zero-length entry to exercise the parser's empty case.
    f.write(struct.pack(">L", 0)[1:4])
    f.write(struct.pack(">L", len(resp_unknown))[1:4])
    f.write(resp_unknown)
    # NOTE(review): the close of the list file is elided from this listing.

    params = int_eap_server_params()
    params["ocsp_stapling_response_multi"] = fn
    hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=1,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-polling loop (counter, "ev is None" guard
    # and the break on a matching status) is elided from this listing.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                "CTRL-EVENT-EAP-SUCCESS"])
            raise Exception("Timeout on EAP status")
        if "CTRL-EVENT-EAP-SUCCESS" in ev:
            raise Exception("Unexpected EAP-Success")
        if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")
4085 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
4086 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# The server certificate (named "no-dnsname") carries no dNSName SAN, so the
# match has to fall back to the CN; the helper skips TLS libraries that
# cannot do a full match in that case.
4087 check_domain_match_full(dev[0])
4088 params = int_eap_server_params()
4089 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4090 params["private_key"] = "auth_serv/server-no-dnsname.key"
4091 hostapd.add_ap(apdev[0], params)
4092 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4093 identity="tls user", ca_cert="auth_serv/ca.pem",
4094 private_key="auth_serv/user.pkcs12",
4095 private_key_passwd="whatever",
# Exact CN value -> connection is expected to complete (connect() waits by
# default; the trailing scan_freq line is not visible in this listing).
4096 domain_suffix_match="server3.w1.fi",
4099 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4100 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4101 check_domain_match(dev[0])
# Server cert without dNSName SAN: domain_match must be evaluated against
# the CN.
4102 params = int_eap_server_params()
4103 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4104 params["private_key"] = "auth_serv/server-no-dnsname.key"
4105 hostapd.add_ap(apdev[0], params)
4106 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4107 identity="tls user", ca_cert="auth_serv/ca.pem",
4108 private_key="auth_serv/user.pkcs12",
4109 private_key_passwd="whatever",
# Full-domain match with the exact CN -> expected to succeed.
4110 domain_match="server3.w1.fi",
4113 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4114 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# NOTE(review): capability check runs on dev[0] but the connection below is
# made from dev[1]; harmless when both share a build, but worth aligning.
4115 check_domain_match_full(dev[0])
4116 params = int_eap_server_params()
4117 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4118 params["private_key"] = "auth_serv/server-no-dnsname.key"
4119 hostapd.add_ap(apdev[0], params)
4120 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4121 identity="tls user", ca_cert="auth_serv/ca.pem",
4122 private_key="auth_serv/user.pkcs12",
4123 private_key_passwd="whatever",
# Parent-domain suffix of the CN -> expected to be accepted.
4124 domain_suffix_match="w1.fi",
4127 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4128 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4129 check_domain_suffix_match(dev[0])
4130 params = int_eap_server_params()
4131 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4132 params["private_key"] = "auth_serv/server-no-dnsname.key"
4133 hostapd.add_ap(apdev[0], params)
4134 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4135 identity="tls user", ca_cert="auth_serv/ca.pem",
4136 private_key="auth_serv/user.pkcs12",
4137 private_key_passwd="whatever",
# Unrelated domain -> must be rejected.
4138 domain_suffix_match="example.com",
4141 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4142 identity="tls user", ca_cert="auth_serv/ca.pem",
4143 private_key="auth_serv/user.pkcs12",
4144 private_key_passwd="whatever",
# "erver3.w1.fi" is a plain-substring suffix of the CN but not a suffix on a
# label boundary; a correct implementation must reject it too. This is the
# security-relevant half of the test.
4145 domain_suffix_match="erver3.w1.fi",
# Both stations are expected to fail authentication (the `if ev is None:`
# guards are not visible in this listing).
4148 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4150 raise Exception("Timeout on EAP failure report")
4151 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4153 raise Exception("Timeout on EAP failure report (2)")
4155 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4156 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4157 check_domain_match(dev[0])
4158 params = int_eap_server_params()
4159 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4160 params["private_key"] = "auth_serv/server-no-dnsname.key"
4161 hostapd.add_ap(apdev[0], params)
4162 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4163 identity="tls user", ca_cert="auth_serv/ca.pem",
4164 private_key="auth_serv/user.pkcs12",
4165 private_key_passwd="whatever",
# Unrelated domain -> must be rejected.
4166 domain_match="example.com",
4169 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4170 identity="tls user", ca_cert="auth_serv/ca.pem",
4171 private_key="auth_serv/user.pkcs12",
4172 private_key_passwd="whatever",
# domain_match requires a full match, so the parent domain "w1.fi" (which
# domain_suffix_match would accept) must fail here.
4173 domain_match="w1.fi",
4176 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4178 raise Exception("Timeout on EAP failure report")
4179 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4181 raise Exception("Timeout on EAP failure report (2)")
4183 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4184 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4185 skip_with_fips(dev[0])
4186 params = int_eap_server_params()
4187 params["server_cert"] = "auth_serv/server-expired.pem"
4188 params["private_key"] = "auth_serv/server-expired.key"
4189 hostapd.add_ap(apdev[0], params)
4190 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4191 identity="mschap user", password="password",
4192 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# The supplicant must report the specific certificate error (reason=4 with
# the "expired" text) before the generic EAP failure -- a bare failure would
# not prove that validity-period checking is what rejected the server.
4195 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4197 raise Exception("Timeout on EAP certificate error report")
4198 if "reason=4" not in ev or "certificate has expired" not in ev:
4199 raise Exception("Unexpected failure reason: " + ev)
4200 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4202 raise Exception("Timeout on EAP failure report")
4204 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4205 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4206 skip_with_fips(dev[0])
4207 params = int_eap_server_params()
4208 params["server_cert"] = "auth_serv/server-expired.pem"
4209 params["private_key"] = "auth_serv/server-expired.key"
4210 hostapd.add_ap(apdev[0], params)
4211 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4212 identity="mschap user", password="password",
4213 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# tls_disable_time_checks=1 deliberately weakens validation so the expired
# server certificate is accepted; this only verifies the knob works and is
# not a configuration to copy into deployments.
4214 phase1="tls_disable_time_checks=1",
4217 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4218 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4219 skip_with_fips(dev[0])
4220 params = int_eap_server_params()
# Certificate with an unusually long validity period; the connection is
# expected to succeed (connect() waits for completion by default).
4221 params["server_cert"] = "auth_serv/server-long-duration.pem"
4222 params["private_key"] = "auth_serv/server-long-duration.key"
4223 hostapd.add_ap(apdev[0], params)
4224 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4225 identity="mschap user", password="password",
4226 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4229 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4230 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4231 skip_with_fips(dev[0])
4232 params = int_eap_server_params()
# Server presents a certificate whose Extended Key Usage only allows client
# authentication; the supplicant must refuse it (EAP-FAILURE expected below).
4233 params["server_cert"] = "auth_serv/server-eku-client.pem"
4234 params["private_key"] = "auth_serv/server-eku-client.key"
4235 hostapd.add_ap(apdev[0], params)
4236 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4237 identity="mschap user", password="password",
4238 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4241 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4243 raise Exception("Timeout on EAP failure report")
4245 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4246 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4247 skip_with_fips(dev[0])
4248 params = int_eap_server_params()
# EKU lists both clientAuth and serverAuth; serverAuth present -> accepted.
4249 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4250 params["private_key"] = "auth_serv/server-eku-client-server.key"
4251 hostapd.add_ap(apdev[0], params)
4252 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4253 identity="mschap user", password="password",
4254 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4257 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4258 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4259 skip_with_fips(dev[0])
4260 params = int_eap_server_params()
# With a PKCS#12 bundle both certificate and key come from private_key, so
# the separate server_cert entry from the defaults must be dropped.
4261 del params["server_cert"]
4262 params["private_key"] = "auth_serv/server.pkcs12"
4263 hostapd.add_ap(apdev[0], params)
4264 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4265 identity="mschap user", password="password",
4266 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4269 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4270 """EAP-TTLS and server PKCS#12 file with extra certs"""
4271 skip_with_fips(dev[0])
4272 params = int_eap_server_params()
4273 del params["server_cert"]
# Password-protected PKCS#12 that also carries additional certificates;
# "whatever" is the fixture passphrase used throughout these tests.
4274 params["private_key"] = "auth_serv/server-extra.pkcs12"
4275 params["private_key_passwd"] = "whatever"
4276 hostapd.add_ap(apdev[0], params)
4277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4278 identity="mschap user", password="password",
4279 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4282 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
4283 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
# NOTE(review): docstring says CHAP but phase2 below is PAP.
4284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4285 hapd = hostapd.add_ap(apdev[0], params)
# Client-side DH parameter file supplied via dh_file; the default
# (RADIUS-backed) EAP server configuration is used.
4286 eap_connect(dev[0], hapd, "TTLS", "pap user",
4287 anonymous_identity="ttls", password="password",
4288 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4289 dh_file="auth_serv/dh.conf")
4291 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
4292 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
# DSA-style parameter files are not accepted by every TLS build; skip early.
4293 check_dh_dsa_support(dev[0])
4294 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4295 hapd = hostapd.add_ap(apdev[0], params)
4296 eap_connect(dev[0], hapd, "TTLS", "pap user",
4297 anonymous_identity="ttls", password="password",
4298 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4299 dh_file="auth_serv/dsaparam.pem")
# NOTE(review): a second `test_ap_wpa2_eap_ttls_dh_params_not_found` (the
# hostapd-side variant) is defined later in this file; in Python the later
# definition replaces this one at import time, so this client-side test is
# never collected. One of the two needs a distinct name.
4301 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4302 """EAP-TTLS and DH params file not found"""
4303 skip_with_fips(dev[0])
4304 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4305 hostapd.add_ap(apdev[0], params)
4306 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4307 identity="mschap user", password="password",
4308 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# Missing dh_file must make the client fail closed (EAP-FAILURE), not
# silently proceed with default parameters.
4309 dh_file="auth_serv/dh-no-such-file.conf",
4310 scan_freq="2412", wait_connect=False)
4311 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4313 raise Exception("EAP failure timed out")
4314 dev[0].request("REMOVE_NETWORK all")
4315 dev[0].wait_disconnected()
# NOTE(review): a second `test_ap_wpa2_eap_ttls_dh_params_invalid` (the
# hostapd-side variant) is defined later in this file and replaces this one
# at import time, so this client-side test is never collected.
4317 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4318 """EAP-TTLS and invalid DH params file"""
4319 skip_with_fips(dev[0])
4320 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4321 hostapd.add_ap(apdev[0], params)
4322 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4323 identity="mschap user", password="password",
4324 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# A CA certificate is a well-formed PEM file but not DH parameters; the
# client must reject it rather than fall back to built-in parameters.
4325 dh_file="auth_serv/ca.pem",
4326 scan_freq="2412", wait_connect=False)
4327 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4329 raise Exception("EAP failure timed out")
4330 dev[0].request("REMOVE_NETWORK all")
4331 dev[0].wait_disconnected()
4333 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
4334 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
# NOTE(review): docstring says CHAP but phase2 below is PAP.
4335 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4336 hapd = hostapd.add_ap(apdev[0], params)
# The parameters are pushed over the control interface as a named blob
# (hex-encoded) instead of a file path. `.encode("hex")` is Python 2 only.
4337 dh = read_pem("auth_serv/dh2.conf")
4338 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
4339 raise Exception("Could not set dhparams blob")
4340 eap_connect(dev[0], hapd, "TTLS", "pap user",
4341 anonymous_identity="ttls", password="password",
4342 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
4343 dh_file="blob://dhparams")
4345 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
4346 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
# Server-side counterpart of the dh_file tests: the integrated EAP server
# loads its own parameter file.
4347 params = int_eap_server_params()
4348 params["dh_file"] = "auth_serv/dh2.conf"
4349 hapd = hostapd.add_ap(apdev[0], params)
4350 eap_connect(dev[0], hapd, "TTLS", "pap user",
4351 anonymous_identity="ttls", password="password",
4352 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
4354 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
4355 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
# NOTE(review): unlike the client-side DSA test, no check_dh_dsa_support()
# guard is applied here -- confirm the hostapd build under test accepts
# DSA parameter files, or add the same skip.
4356 params = int_eap_server_params()
4357 params["dh_file"] = "auth_serv/dsaparam.pem"
4358 hapd = hostapd.add_ap(apdev[0], params)
4359 eap_connect(dev[0], hapd, "TTLS", "pap user",
4360 anonymous_identity="ttls", password="password",
4361 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
# NOTE(review): this name duplicates the client-side test defined earlier in
# the file; this definition wins at import time and the earlier one is
# silently dropped. Give this server-side variant a distinct name.
4363 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4364 """EAP-TLS server and dhparams file not found"""
4365 params = int_eap_server_params()
4366 params["dh_file"] = "auth_serv/dh-no-such-file.conf"
# Add the BSS without enabling so the configuration error surfaces from
# ENABLE instead of from add_ap() itself.
4367 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
4368 if "FAIL" not in hapd.request("ENABLE"):
4369 raise Exception("Invalid configuration accepted")
# NOTE(review): this name duplicates the client-side test defined earlier in
# the file; this definition wins at import time and the earlier one is
# silently dropped. Give this server-side variant a distinct name.
4371 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4372 """EAP-TLS server and invalid dhparams file"""
4373 params = int_eap_server_params()
# A CA certificate is not a DH parameter file; hostapd must refuse to enable.
4374 params["dh_file"] = "auth_serv/ca.pem"
4375 hapd = hostapd.add_ap(apdev[0], params, no_enable=True)
4376 if "FAIL" not in hapd.request("ENABLE"):
4377 raise Exception("Invalid configuration accepted")
4379 def test_ap_wpa2_eap_reauth(dev, apdev):
4380 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4381 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# Very short reauth period so the AP-initiated EAP restart happens within
# the 10 s waits below.
4382 params['eap_reauth_period'] = '2'
4383 hapd = hostapd.add_ap(apdev[0], params)
4384 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
4385 password_hex="0123456789abcdef0123456789abcdef")
4386 logger.info("Wait for reauthentication")
4387 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4389 raise Exception("Timeout on reauthentication")
4390 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4392 raise Exception("Timeout on reauthentication")
# EAP-Success precedes the 4-way handshake; poll wpa_state until the new
# keys are installed (the loop's break/sleep lines are not visible here).
4393 for i in range(0, 20):
4394 state = dev[0].get_status_field("wpa_state")
4395 if state == "COMPLETED":
4398 if state != "COMPLETED":
4399 raise Exception("Reauthentication did not complete")
4401 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
4402 """Optional displayable message in EAP Request-Identity"""
4403 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# "\\0" is the literal two-character escape hostapd.conf uses to separate
# the displayable text from the options part of the Identity request.
4404 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
4405 hapd = hostapd.add_ap(apdev[0], params)
4406 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
4407 password_hex="0123456789abcdef0123456789abcdef")
4409 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
4410 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
# Needs the hlr_auc_gw simulator socket; its path is fixed in
# check_hlr_auc_gw_support().
4411 check_hlr_auc_gw_support()
4412 params = int_eap_server_params()
4413 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
# Server-side opt-in to protected success/result indications.
4414 params['eap_sim_aka_result_ind'] = "1"
4415 hapd = hostapd.add_ap(apdev[0], params)
# The colon-separated "password" values are simulator test credentials
# (presumably Ki:OPc[:SQN] as used by the hwsim SIM simulator), not real
# subscriber keys. dev[0] negotiates result_ind=1 and then fast re-auths;
# dev[1] connects without it to show the server still interoperates.
4417 eap_connect(dev[0], hapd, "SIM", "1232010000000000",
4418 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4419 phase1="result_ind=1")
4420 eap_reauth(dev[0], "SIM")
4421 eap_connect(dev[1], hapd, "SIM", "1232010000000000",
4422 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4424 dev[0].request("REMOVE_NETWORK all")
4425 dev[1].request("REMOVE_NETWORK all")
4427 eap_connect(dev[0], hapd, "AKA", "0232010000000000",
4428 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4429 phase1="result_ind=1")
4430 eap_reauth(dev[0], "AKA")
4431 eap_connect(dev[1], hapd, "AKA", "0232010000000000",
4432 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4434 dev[0].request("REMOVE_NETWORK all")
4435 dev[1].request("REMOVE_NETWORK all")
4437 eap_connect(dev[0], hapd, "AKA'", "6555444333222111",
4438 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4439 phase1="result_ind=1")
4440 eap_reauth(dev[0], "AKA'")
4441 eap_connect(dev[1], hapd, "AKA'", "6555444333222111",
4442 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4444 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4445 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4446 skip_with_fips(dev[0])
4447 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4448 hostapd.add_ap(apdev[0], params)
# The argument that forces the excessive fragmentation is on a line not
# visible in this listing (after phase2). The supplicant's roundtrip limit
# is a DoS guard against an authenticator that never finishes; the test
# passes only if that limit actually trips.
4449 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4450 eap="TTLS", identity="mschap user",
4451 wait_connect=False, scan_freq="2412", ieee80211w="1",
4452 anonymous_identity="ttls", password="password",
4453 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4455 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
4457 raise Exception("EAP roundtrip limit not reached")
4459 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4460 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4461 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4462 hostapd.add_ap(apdev[0], params)
# The client offers EAP-PSK while the server's user entry proposes a
# vendor (expanded) method, so method negotiation must end in a NAK.
4463 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4464 eap="PSK", identity="vendor-test",
4465 password_hex="ff23456789abcdef0123456789abcdef",
# Several status events may precede the refusal; anything else within the
# first five is unexpected (the break/else lines are not visible here).
4469 for i in range(0, 5):
4470 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
4472 raise Exception("Association and EAP start timed out")
4473 if "refuse proposed method" in ev:
4477 raise Exception("Unexpected EAP status: " + ev)
4479 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4481 raise Exception("EAP failure timed out")
4483 def test_ap_wpa2_eap_sql(dev, apdev, params):
4484 """WPA2-Enterprise connection using SQLite for user DB"""
4485 skip_with_fips(dev[0])
# The `try: import sqlite3 / except ImportError:` lines are not visible in
# this listing; the skip below is the except branch.
4489 raise HwsimSkip("No sqlite3 module available")
4490 dbfile = os.path.join(params['logdir'], "eap-user.db")
# NOTE(review): removal of a stale eap-user.db, the `with con:` block and
# the cursor creation are not visible here -- without the removal the
# CREATE TABLE statements below would fail on a re-run.
4495 con = sqlite3.connect(dbfile)
# Schema mirrors what hostapd's sqlite eap_user_file backend reads. The SQL
# is built from constants only, so no parameterization is needed here; do
# not copy this pattern into code that takes identities from input.
4498 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4499 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4500 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4501 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4502 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4503 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty identity wildcard = phase 1 (outer) method list for any identity.
4504 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4505 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4508 params = int_eap_server_params()
4509 params["eap_user_file"] = "sqlite:" + dbfile
4510 hapd = hostapd.add_ap(apdev[0], params)
# Each inner method is tied to a distinct user row, so a successful connect
# proves the per-user `methods` column is honoured, not just the password.
4511 eap_connect(dev[0], hapd, "TTLS", "user-mschapv2",
4512 anonymous_identity="ttls", password="password",
4513 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4514 dev[0].request("REMOVE_NETWORK all")
4515 eap_connect(dev[1], hapd, "TTLS", "user-mschap",
4516 anonymous_identity="ttls", password="password",
4517 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4518 dev[1].request("REMOVE_NETWORK all")
4519 eap_connect(dev[0], hapd, "TTLS", "user-chap",
4520 anonymous_identity="ttls", password="password",
4521 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4522 eap_connect(dev[1], hapd, "TTLS", "user-pap",
4523 anonymous_identity="ttls", password="password",
4524 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4528 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4529 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4530 params = int_eap_server_params()
4531 hostapd.add_ap(apdev[0], params)
# "\x80" alone and "a\x80" are invalid UTF-8 identities; the point is that
# the integrated EAP server still reaches method selection instead of
# mishandling the octet string (robustness, not a success path).
4532 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4533 identity="\x80", password="password", wait_connect=False)
4534 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4535 identity="a\x80", password="password", wait_connect=False)
4536 for i in range(0, 2):
4537 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4539 raise Exception("Association and EAP start timed out")
4540 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4542 raise Exception("EAP method selection timed out")
4544 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4545 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Same as test_ap_wpa2_eap_non_ascii_identity but through the RADIUS-backed
# EAP configuration (wpa2_eap_params) rather than the integrated server.
4546 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4547 hostapd.add_ap(apdev[0], params)
4548 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4549 identity="\x80", password="password", wait_connect=False)
4550 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4551 identity="a\x80", password="password", wait_connect=False)
4552 for i in range(0, 2):
4553 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4555 raise Exception("Association and EAP start timed out")
4556 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4558 raise Exception("EAP method selection timed out")
4560 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4561 """OpenSSL cipher suite configuration on wpa_supplicant"""
# openssl_ciphers is an OpenSSL cipher-list string, so the test is only
# meaningful when the supplicant is built against OpenSSL.
4562 tls = dev[0].request("GET tls_library")
4563 if not tls.startswith("OpenSSL"):
4564 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4565 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4566 hapd = hostapd.add_ap(apdev[0], params)
# A normal restriction ("AES128") still allows the handshake.
4567 eap_connect(dev[0], hapd, "TTLS", "pap user",
4568 anonymous_identity="ttls", password="password",
4569 openssl_ciphers="AES128",
4570 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# "EXPORT" selects only export-grade suites, which a current server must
# not accept; maybe_local_error covers builds where OpenSSL itself rejects
# the list before any handshake happens.
4571 eap_connect(dev[1], hapd, "TTLS", "pap user",
4572 anonymous_identity="ttls", password="password",
4573 openssl_ciphers="EXPORT",
4574 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4575 expect_failure=True, maybe_local_error=True)
# "FOO" is not a valid cipher string: misconfiguration must surface as an
# EAP failure, not a silent fallback to the default list.
4576 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4577 identity="pap user", anonymous_identity="ttls",
4578 password="password",
4579 openssl_ciphers="FOO",
4580 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4582 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4584 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4585 dev[2].request("DISCONNECT")
4587 def test_openssl_cipher_suite_config_hapd(dev, apdev):
4588 """OpenSSL cipher suite configuration on hostapd"""
# Both ends must be OpenSSL builds: the client check happens first, the
# hostapd check only after the AP is up (GET tls_library needs a running
# instance).
4589 tls = dev[0].request("GET tls_library")
4590 if not tls.startswith("OpenSSL"):
4591 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
4592 params = int_eap_server_params()
4593 params['openssl_ciphers'] = "AES256"
4594 hapd = hostapd.add_ap(apdev[0], params)
4595 tls = hapd.request("GET tls_library")
4596 if not tls.startswith("OpenSSL"):
4597 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
# Default client list overlaps AES256 -> success.
4598 eap_connect(dev[0], hapd, "TTLS", "pap user",
4599 anonymous_identity="ttls", password="password",
4600 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Client restricted to AES128 vs. server AES256 -> no common suite, must fail.
4601 eap_connect(dev[1], hapd, "TTLS", "pap user",
4602 anonymous_identity="ttls", password="password",
4603 openssl_ciphers="AES128",
4604 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4605 expect_failure=True)
# HIGH without anonymous DH still intersects AES256 -> success.
4606 eap_connect(dev[2], hapd, "TTLS", "pap user",
4607 anonymous_identity="ttls", password="password",
4608 openssl_ciphers="HIGH:!ADH",
4609 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Invalid cipher string on the server side must be refused at ENABLE rather
# than started with whatever OpenSSL defaults to.
4611 params['openssl_ciphers'] = "FOO"
4612 hapd2 = hostapd.add_ap(apdev[1], params, no_enable=True)
4613 if "FAIL" not in hapd2.request("ENABLE"):
4614 raise Exception("Invalid openssl_ciphers value accepted")
# Key-hygiene test: reads wpa_supplicant's process memory at several points
# in the connection lifecycle and checks that each secret is gone once it is
# no longer needed. Several lines of this function (the eloop wait, the
# length check on gtk, the kck/kek/tk derivation from ptk, the `if ev is
# None:` guards) are not visible in this listing.
4616 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
4617 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
4618 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4619 hapd = hostapd.add_ap(apdev[0], p)
# A high-entropy password is used so its byte pattern is unambiguous when
# searched for in a memory dump.
4620 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4621 pid = find_wpas_process(dev[0])
# NOTE: `id` shadows the builtin; it holds the network id for later
# set_network_quoted().
4622 id = eap_connect(dev[0], hapd, "TTLS", "pap-secret",
4623 anonymous_identity="ttls", password=password,
4624 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4625 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4626 # event has been delivered, so verify that wpa_supplicant has returned to
4627 # eloop before reading process memory.
4630 buf = read_process_memory(pid, password)
4632 dev[0].request("DISCONNECT")
4633 dev[0].wait_disconnected()
# Recover the reference key values from the supplicant's own debug log so
# the memory search has exact byte strings to look for. Field [3] of the
# "…hexdump: …" line is the hex payload (a fixed log format assumption).
4641 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
4642 for l in f.readlines():
4643 if "EAP-TTLS: Derived key - hexdump" in l:
4644 val = l.strip().split(':')[3].replace(' ', '')
4645 msk = binascii.unhexlify(val)
4646 if "EAP-TTLS: Derived EMSK - hexdump" in l:
4647 val = l.strip().split(':')[3].replace(' ', '')
4648 emsk = binascii.unhexlify(val)
4649 if "WPA: PMK - hexdump" in l:
4650 val = l.strip().split(':')[3].replace(' ', '')
4651 pmk = binascii.unhexlify(val)
4652 if "WPA: PTK - hexdump" in l:
4653 val = l.strip().split(':')[3].replace(' ', '')
4654 ptk = binascii.unhexlify(val)
4655 if "WPA: Group Key - hexdump" in l:
4656 val = l.strip().split(':')[3].replace(' ', '')
4657 gtk = binascii.unhexlify(val)
# NOTE(review): msk/emsk/pmk/ptk/gtk are only bound inside the loop; if
# their initialisation to None is among the lines not visible here, a log
# without one of the hexdumps raises NameError instead of the message below.
4658 if not msk or not emsk or not pmk or not ptk or not gtk:
4659 raise Exception("Could not find keys from debug log")
4661 raise Exception("Unexpected GTK length")
# Prefix for memory-context dumps written by verify_not_present() on failure.
4667 fname = os.path.join(params['logdir'],
4668 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# While associated: password, PMK, KCK and KEK are legitimately held by the
# supplicant, but the TK and GTK must already have been handed to the
# driver and wiped from user space (hence the raises further down).
4670 logger.info("Checking keys in memory while associated")
4671 get_key_locations(buf, password, "Password")
4672 get_key_locations(buf, pmk, "PMK")
4673 get_key_locations(buf, msk, "MSK")
4674 get_key_locations(buf, emsk, "EMSK")
4675 if password not in buf:
4676 raise HwsimSkip("Password not found while associated")
4678 raise HwsimSkip("PMK not found while associated")
4680 raise Exception("KCK not found while associated")
4682 raise Exception("KEK not found while associated")
4684 raise Exception("TK found from memory")
4686 get_key_locations(buf, gtk, "GTK")
4687 raise Exception("GTK found from memory")
# After disassociation the pairwise/group material must be gone; the
# password and PMK are allowed to remain for the reasons noted below.
4689 logger.info("Checking keys in memory after disassociation")
4690 buf = read_process_memory(pid, password)
4692 # Note: Password is still present in network configuration
4693 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4695 get_key_locations(buf, password, "Password")
4696 get_key_locations(buf, pmk, "PMK")
4697 get_key_locations(buf, msk, "MSK")
4698 get_key_locations(buf, emsk, "EMSK")
4699 verify_not_present(buf, kck, fname, "KCK")
4700 verify_not_present(buf, kek, fname, "KEK")
4701 verify_not_present(buf, tk, fname, "TK")
4702 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which invalidates the
# EAP fast re-auth state) must remove the last PMK copies.
4704 dev[0].request("PMKSA_FLUSH")
4705 dev[0].set_network_quoted(id, "identity", "foo")
4706 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4707 buf = read_process_memory(pid, password)
4708 get_key_locations(buf, password, "Password")
4709 get_key_locations(buf, pmk, "PMK")
4710 get_key_locations(buf, msk, "MSK")
4711 get_key_locations(buf, emsk, "EMSK")
4712 verify_not_present(buf, pmk, fname, "PMK")
# Removing the network profile is the last holder of the password; after
# this nothing derived from it may survive in the process image.
4714 dev[0].request("REMOVE_NETWORK all")
4716 logger.info("Checking keys in memory after network profile removal")
4717 buf = read_process_memory(pid, password)
4719 get_key_locations(buf, password, "Password")
4720 get_key_locations(buf, pmk, "PMK")
4721 get_key_locations(buf, msk, "MSK")
4722 get_key_locations(buf, emsk, "EMSK")
4723 verify_not_present(buf, password, fname, "password")
4724 verify_not_present(buf, pmk, fname, "PMK")
4725 verify_not_present(buf, kck, fname, "KCK")
4726 verify_not_present(buf, kek, fname, "KEK")
4727 verify_not_present(buf, tk, fname, "TK")
4728 verify_not_present(buf, gtk, fname, "GTK")
4729 verify_not_present(buf, msk, fname, "MSK")
4730 verify_not_present(buf, emsk, fname, "EMSK")
4732 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
4733 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
4734 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4735 hapd = hostapd.add_ap(apdev[0], params)
4736 bssid = apdev[0]['bssid']
4737 eap_connect(dev[0], hapd, "TTLS", "pap user",
4738 anonymous_identity="ttls", password="password",
4739 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4741 # Send unexpected WEP EAPOL-Key; this gets dropped
# EAPOL_RX injects a frame into the supplicant as if received from the AP.
# A legacy (RC4/WEP) EAPOL-Key on an RSN association must be ignored; only
# the control-interface acceptance is checked here (the `if "OK" not in
# res:` line is not visible), not the absence of a key change.
4742 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
4744 raise Exception("EAPOL_RX to wpa_supplicant failed")
4746 def test_ap_wpa2_eap_in_bridge(dev, apdev):
4747 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs the real test and always tears the bridge down again.
# The `br_ifname`/`ifname` assignments and the `try:`/`finally:` lines are
# not visible in this listing; the four calls below are the cleanup path.
# subprocess.call() with a list argument avoids shell interpretation of the
# interface names.
4751 _test_ap_wpa2_eap_in_bridge(dev, apdev)
4753 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
4754 subprocess.call(['brctl', 'delif', br_ifname, ifname])
4755 subprocess.call(['brctl', 'delbr', br_ifname])
4756 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
# Body of test_ap_wpa2_eap_in_bridge: puts a 4-address STA interface into a
# Linux bridge and checks that EAP authentication and re-authentication work
# over the bridged interface. `ifname`/`br_ifname` are assigned on lines not
# visible in this listing.
4758 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
4759 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4760 hapd = hostapd.add_ap(apdev[0], params)
# Separate wpa_supplicant instance (global control socket) so the bridged
# interface can be added with br_ifname.
4764 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
4765 subprocess.call(['brctl', 'addbr', br_ifname])
# Forward delay 0 so traffic flows immediately after the port is added.
4766 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
4767 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
# 4addr mode is required for a STA interface to be a bridge port.
4768 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
# check_call here (unlike the best-effort calls above) because a failed
# addif would make the rest of the test meaningless.
4769 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
4770 wpas.interface_add(ifname, br_ifname=br_ifname)
4773 id = eap_connect(wpas, hapd, "PAX", "pax.user@example.com",
4774 password_hex="0123456789abcdef0123456789abcdef")
4776 eap_reauth(wpas, "PAX")
4778 # Try again as a regression test for packet socket workaround
4779 eap_reauth(wpas, "PAX")
# Full disconnect/reconnect cycle over the bridge.
4781 wpas.request("DISCONNECT")
4782 wpas.wait_disconnected()
4784 wpas.request("RECONNECT")
4785 wpas.wait_connected()
4788 def test_ap_wpa2_eap_session_ticket(dev, apdev):
4789 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
4790 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4791 hapd = hostapd.add_ap(apdev[0], params)
# Sanity check on GET_CONFIG: first key_mgmt token must be WPA-EAP.
4792 key_mgmt = hapd.get_config()['key_mgmt']
4793 if key_mgmt.split(' ')[0] != "WPA-EAP":
4794 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
# tls_disable_session_ticket=0 explicitly re-enables session tickets; the
# subsequent eap_reauth exercises resumption with the ticket.
4795 eap_connect(dev[0], hapd, "TTLS", "pap user",
4796 anonymous_identity="ttls", password="password",
4797 ca_cert="auth_serv/ca.pem",
4798 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
4799 eap_reauth(dev[0], "TTLS")
4801 def test_ap_wpa2_eap_no_workaround(dev, apdev):
4802 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
4803 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4804 hapd = hostapd.add_ap(apdev[0], params)
4805 key_mgmt = hapd.get_config()['key_mgmt']
4806 if key_mgmt.split(' ')[0] != "WPA-EAP":
4807 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
# eap_workaround='0' turns off the supplicant's interoperability
# workarounds, so this verifies a strict EAP state machine still completes
# (the phase2 argument line is not visible in this listing).
4808 eap_connect(dev[0], hapd, "TTLS", "pap user",
4809 anonymous_identity="ttls", password="password",
4810 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4812 eap_reauth(dev[0], "TTLS")
4814 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
4815 """EAP-TLS and server checking CRL"""
4816 params = int_eap_server_params()
# check_crl=1: verify the CRL for the client certificate's issuer.
4817 params['check_crl'] = '1'
4818 hapd = hostapd.add_ap(apdev[0], params)
4820 # check_crl=1 and no CRL available --> reject connection
# Fail-closed behaviour: with CRL checking on and no CRL loaded the server
# must refuse the otherwise valid client certificate.
4821 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4822 client_cert="auth_serv/user.pem",
4823 private_key="auth_serv/user.key", expect_failure=True)
4824 dev[0].request("REMOVE_NETWORK all")
# Swap in a CA bundle that also carries the CRL (the disable/enable cycle
# around hapd.set() is not visible in this listing).
4827 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
4830 # check_crl=1 and valid CRL --> accept
4831 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4832 client_cert="auth_serv/user.pem",
4833 private_key="auth_serv/user.key")
4834 dev[0].request("REMOVE_NETWORK all")
# check_crl=2: CRL check for the whole chain, not just the leaf's issuer.
4837 hapd.set("check_crl", "2")
4840 # check_crl=2 and valid CRL --> accept
4841 eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4842 client_cert="auth_serv/user.pem",
4843 private_key="auth_serv/user.key")
4844 dev[0].request("REMOVE_NETWORK all")
4846 def test_ap_wpa2_eap_tls_oom(dev, apdev):
4847 """EAP-TLS and OOM"""
# Every matcher used in the connect() call below needs library support,
# otherwise the allocation-failure point would never be reached.
4848 check_subject_match_support(dev[0])
4849 check_altsubject_match_support(dev[0])
4850 check_domain_match(dev[0])
4851 check_domain_match_full(dev[0])
4853 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4854 hostapd.add_ap(apdev[0], params)
# (count, function) pairs: fail the count-th allocation inside the named
# function. All four currently target the same function at successive
# allocation sites.
4856 tests = [ (1, "tls_connection_set_subject_match"),
4857 (2, "tls_connection_set_subject_match"),
4858 (3, "tls_connection_set_subject_match"),
4859 (4, "tls_connection_set_subject_match") ]
4860 for count, func in tests:
4861 with alloc_fail(dev[0], count, func):
4862 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4863 identity="tls user", ca_cert="auth_serv/ca.pem",
4864 client_cert="auth_serv/user.pem",
4865 private_key="auth_serv/user.key",
4866 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
4867 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
4868 domain_suffix_match="server.w1.fi",
4869 domain_match="server.w1.fi",
4870 wait_connect=False, scan_freq="2412")
4871 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
# The OOM must surface as a configuration error (passphrase request) rather
# than an authentication that proceeds with the matcher silently unset.
4872 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
4874 raise Exception("No passphrase request")
4875 dev[0].request("REMOVE_NETWORK all")
4876 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Brings up an EAP AP with ``macaddr_acl`` set to "2" (presumably the
    RADIUS-backed ACL mode -- confirm against hostapd.conf) and runs a plain
    EAP-TLS connection from dev[1] through it.

    Args:
        dev: station devices; dev[1] is the connecting STA.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg["macaddr_acl"] = "2"
    ap = hostapd.add_ap(apdev[0], ap_cfg)

    # Client certificate credentials for the "tls user" identity.
    tls_creds = {
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
    }
    eap_connect(dev[1], ap, "TLS", "tls user", **tls_creds)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc on the AP side fail while dev[0]
    connects with EAP-TLS; the comment below records that the STA is expected
    to recover by retrying.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # (NOTE(review): the rest of this comment is not in this listing)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       # NOTE(review): the closing arguments of this call are
                       # not present in this listing.
def check_tls_ver(dev, hapd, phase1, expected):
    """Connect with EAP-TLS and verify the negotiated TLS version.

    Runs eap_connect with the client certificate credentials, then reads
    the station's ``eap_tls_version`` status field and raises if it is
    not the expected string.

    Args:
        dev: station device to connect from.
        hapd: AP under test.
        phase1: phase1 parameter string (e.g. tls_disable_tlsv1_0=1 ...);
            presumably passed on to eap_connect -- the line doing so is not
            present in this listing.
        expected: expected value of the eap_tls_version status field.

    Raises:
        Exception: when the reported TLS version differs from ``expected``.
    """
    eap_connect(dev, hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                # NOTE(review): closing argument(s) of this call are missing here.
    ver = dev.get_status_field("eap_tls_version")
    # NOTE(review): the comparison guarding this raise is not in this listing.
        raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Disables TLS versions pairwise via phase1 and checks, through
    check_tls_ver, that the remaining version is the one negotiated. With the
    internal TLS library all three combinations are covered on dev[0..2]; with
    OpenSSL only the TLSv1.2 case is run, and only when both build and runtime
    report OpenSSL 1.0.2.

    Args:
        dev: station devices; dev[0], dev[1] and dev[2] may be used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], hapd,
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                          # NOTE(review): the expected-version argument that
                          # closes this call is not present in this listing.
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], hapd,
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], hapd,
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP advertises progressively truncated RSN elements through
    ``own_ie_override`` (RSN Capabilities, AKM suites, pairwise cipher and
    group cipher fields dropped one at a time) and the STA is expected to
    still complete an EAP-GPSK connection against each of them.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        # NOTE(review): closing argument(s) of this call are
                        # not present in this listing.

    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
               # NOTE(review): the IE hex for this entry is missing here.
    for txt,ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        # Flush the cached BSS so the rescan picks up the overridden RSN IE.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both the AP and the station use OpenSSL.

    Queries ``GET tls_library`` on the AP first and then on the station, and
    raises HwsimSkip for the first endpoint whose library string does not
    start with "OpenSSL".

    Args:
        dev: station device (queried second).
        hapd: hostapd instance (queried first).

    Raises:
        HwsimSkip: when either side reports a non-OpenSSL TLS library.
    """
    probes = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for endpoint, skip_msg in probes:
        lib = endpoint.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(skip_msg + lib)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    With ``tls_session_lifetime=60`` on the integrated EAP server, the first
    EAP-TTLS connection must report ``tls_session_reused=0`` and a forced
    REAUTHENTICATE must then complete EAP and the 4-way handshake with
    ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): closing argument(s) of this call (presumably
                # the phase2 setting) are not present in this listing.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same flow as the PAP variant but with ``phase2="auth=CHAP"`` and the CA
    given in DER form: first connection with ``tls_session_reused=0``, then a
    REAUTHENTICATE that must succeed with ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Requires domain_suffix_match support on the station. First connection
    with ``phase2="auth=MSCHAP"`` must report ``tls_session_reused=0``;
    a forced REAUTHENTICATE must then succeed with ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Requires domain_suffix_match and MSCHAPV2 support on the station. The
    inner identity carries a domain prefix. First connection must report
    ``tls_session_reused=0``; a forced REAUTHENTICATE must then succeed with
    ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # NOTE(review): "\m" is not a recognised Python escape, so the backslash
    # is kept literally here; a raw string would make that explicit.
    eap_connect(dev[0], hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Uses the tunnelled EAP method form (``phase2="autheap=GTC"``). First
    connection must report ``tls_session_reused=0``; a forced REAUTHENTICATE
    must then succeed with ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    Negative counterpart of the resumption tests: with
    ``tls_session_lifetime=0`` on the server, both the first connection and
    the forced REAUTHENTICATE must report ``tls_session_reused=0``, i.e. a
    full TLS handshake is performed each time.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): closing argument(s) of this call are not
                # present in this listing.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    EAP-PEAP with inner MSCHAPv2: first connection must report
    ``tls_session_reused=0``; a forced REAUTHENTICATE must then succeed with
    ``tls_session_reused=1``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    As test_eap_peap_session_resumption, but the station requires PEAPv0
    with mandatory cryptobinding (``phase1="peapver=0 crypto_binding=2"``),
    so the resumed session must still satisfy the binding check.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    Uses int_eap_server_params() without setting tls_session_lifetime, so
    the server default applies (presumably no caching -- the test expects
    ``tls_session_reused=0`` on both the first connection and the forced
    REAUTHENTICATE).

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Certificate-based variant: first EAP-TLS connection must report
    ``tls_session_reused=0``; two successive forced REAUTHENTICATE rounds
    must both complete with ``tls_session_reused=1``, showing the cached
    session survives more than one resumption.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding the four raise statements in
    # this function are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption after cache lifetime expiration

    With ``tls_session_lifetime=1`` the first connection must not be
    resumed, and a later REAUTHENTICATE must eventually show
    ``tls_session_reused=0`` again, i.e. the server must not honour a
    session whose lifetime has passed. The comment below records that
    several attempts are allowed because OpenSSL may not drop the cached
    entry immediately.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the rest of this comment and the loop header that
    # presumably wraps the retry below are not present in this listing.
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): the checks on ev guarding this raise and the one
        # below are not present in this listing.
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            # NOTE(review): the body of this branch (presumably leaving the
            # retry loop) is not present in this listing.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    Uses int_eap_server_params() without setting tls_session_lifetime; both
    the first EAP-TLS connection and the forced REAUTHENTICATE must report
    ``tls_session_reused=0``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    Splits the roles: apdev[1] runs a hostapd instance acting as a RADIUS
    authentication server (port 18128, ``tls_session_lifetime=60``) and
    apdev[0] is the AP that forwards EAP to it via ``auth_server_port``.
    First connection must report ``tls_session_reused=0``; a forced
    REAUTHENTICATE must then succeed with ``tls_session_reused=1``, so the
    session cache on the RADIUS side must be reachable across the two
    authentications.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[1] is the RADIUS server,
            apdev[0] the AP.
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # NOTE(review): one entry of this dict is not present in
               # this listing.
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1], params)
    # The OpenSSL requirement is checked against the RADIUS server, since
    # that is where the TLS session cache lives in this setup.
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Same two-instance RADIUS setup as test_eap_tls_session_resumption_radius
    but with ``tls_session_lifetime=0`` on the RADIUS server; both the first
    connection and the forced REAUTHENTICATE must report
    ``tls_session_reused=0``.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[1] is the RADIUS server,
            apdev[0] the AP.
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # NOTE(review): one entry of this dict is not present in
               # this listing.
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the checks on ev guarding this raise and the one below
    # are not present in this listing.
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Fault-injection coverage for the station-side EAP-MSCHAPv2 method. After
    one successful connection, it runs four groups of injected failures:
    crypto-helper failures (fail_test) with a plaintext password, the same
    with an NT-hash password (``password_hex="hash:..."``), allocation
    failures (alloc_fail) on the success path, and one on the failure path
    (wrong password). A final group injects allocation failures into
    eap_mschapv2_init while MSCHAPv2 runs as the inner method of EAP-FAST
    with in-band provisioning. Each iteration only waits for the injected
    fault to trigger and then removes the network.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Fault-injection trigger strings are "<function>;<caller>" call-path
    # matches; the exact semantics of the "=" prefix on some of them are not
    # visible here -- see the fail_test helper.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Same derivation paths, but with the credential supplied as a
    # precomputed NT password hash (presumably the hash of the same
    # "password" credential used above -- confirm) so the *_pwhash helpers
    # are exercised instead.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A wrong password drives the server into the MSCHAPv2 failure message,
    # which is the only way to reach eap_mschapv2_failure on the station.
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Later eap_mschapv2_init allocations (2nd and 3rd) are only reached when
    # MSCHAPv2 is instantiated as an inner method; EAP-FAST provisioning is
    # used to get there.
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Fault-injection coverage for the station-side EAP-GPSK method. After one
    successful connection, injects failures (fail_test) into the GPSK-2/3/4
    key derivation and MIC computation paths, then allocation failures
    (alloc_fail) across init, message building, key/EMSK/session-id export.
    The second loop flushes ERP state and enables ERP so eap_gpsk_get_emsk
    is reached. Each iteration only waits for the injected fault to trigger.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, trigger, phase1): phase1 selects the GPSK cipher suite for the
    # cases whose value is not None; several of those values are not present
    # in this listing.
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           # NOTE(review): the argument carrying phase1 into
                           # this call is not present in this listing.
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # Drop any cached ERP keys so each run starts from a full EAP
            # exchange; erp="1" makes the EMSK export path reachable.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Points the integrated EAP server's ``eap_sim_db`` at a test-owned unix
    datagram socket and walks through three server-side conditions:
    (1) no hlr_auc_gw listening -- EAP-Failure expected; (2) a handler that
    replies with malformed/unknown responses and then lets the pending
    eap_sim_db request time out -- EAP-Failure expected; (3) a handler that
    delegates to the real hlr_auc_gw binary against a Milenage DB and relays
    its answer -- connection expected to succeed.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
        params: test framework parameters; ``params['logdir']`` is used to
            locate the hlr_auc_gw Milenage DB file.
    """
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # NOTE(review): several setup lines between sockpath and hparams are not
    # present in this listing.
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0], hparams)

    # Initial test with hlr_auc_gw socket not available
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): the check on ev guarding this raise is not present in
    # this listing.
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    class test_handler(SocketServer.DatagramRequestHandler):
        # NOTE(review): the handle() method header is not present in this
        # listing; the lines below are its body. Written against the
        # Python 2 SocketServer API (string concatenation with the datagram).
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)

    dev[0].select_network(id)
    # Serve exactly one datagram; the server is not run in a loop.
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): the check on ev guarding this raise is not present in
    # this listing.
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    class test_handler2(SocketServer.DatagramRequestHandler):
        # NOTE(review): the handle() method header is not present in this
        # listing; the lines below are its body.
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # Invoke the real hlr_auc_gw as a one-shot subprocess (argument
            # list, no shell); the argument(s) between the binary path and
            # stdout= are not present in this listing.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    # Reuse the already-bound socket server with the second handler.
    server.RequestHandlerClass = test_handler2
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server certificate chain signed with SHA-512 (sha512-ca / sha512-server).
    dev[0] authenticates with the SHA-512 user certificate and dev[1] with
    the SHA-384 user certificate, both under the same identity.

    Args:
        dev: station devices; dev[0] and dev[1] are used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
        params: test framework parameters; shadowed by the local ``params``
            below and otherwise unused in the visible code.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Same as test_eap_tls_sha512 but the server certificate is the SHA-384
    one (sha384-server) under the same SHA-512 CA; dev[0] and dev[1] again
    use the SHA-512 and SHA-384 user certificates respectively.

    Args:
        dev: station devices; dev[0] and dev[1] are used.
        apdev: AP device descriptors; apdev[0] hosts the AP.
        params: test framework parameters; shadowed by the local ``params``
            below and otherwise unused in the visible code.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   # NOTE(review): closing argument(s) of this call are not
                   # present in this listing.
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    Overrides the RSN IE the station puts in its (Re)Association Request
    (set_test_assoc_ie) and checks how the AP handles it:
    - optional trailing fields missing or extra fields present must still be
      accepted by a plain WPA2-EAP AP (apdev[0]);
    - a PMF-required AP (apdev[1], ieee80211w=2) must accept an IE with and
      without the group management cipher suite;
    - an invalid group cipher must be rejected with status 41 and an invalid
      pairwise cipher with status 42;
    - on the PMF AP, an IE without MFP capability or with an unsupported
      group management cipher must be rejected with status 31.

    Args:
        dev: station devices; dev[0] is used.
        apdev: AP device descriptors; apdev[0] (no PMF) and apdev[1]
            (PMF required) host the APs.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1], params)

    # Success cases with optional RSN IE fields removed one by one
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        # NOTE(review): a line between the loop header and set_test_assoc_ie
        # (presumably logging ``title``) is not present in this listing.
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # NOTE(review): closing argument(s) of this call are
                       # not present in this listing.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       # NOTE(review): closing argument(s) of this call are
                       # not present in this listing.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # (title, ie, expected association status code)
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # NOTE(review): the check on ev guarding this raise (and the matching
        # one in the loop below) is not present in this listing.
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert keeps the
    # supplicant's own chain validation active, and phase1 additionally asks
    # for the external (harness-side) certificate check that
    # run_ext_cert_check() answers.
    profile = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        # Only add the profile here; run_ext_cert_check() selects it once the
        # AP is up.
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the verdict given to CTRL-REQ-EXT_CERT_CHECK by
    # run_ext_cert_check() is the only thing that authenticates the server
    # before the PAP password is sent inside the tunnel.
    profile = dict(
        key_mgmt="WPA-EAP",
        eap="TTLS",
        identity="pap user",
        anonymous_identity="ttls",
        password="password",
        phase2="auth=PAP",
        phase1="tls_ext_cert_check=1",
        scan_freq="2412",
        only_add_network=True,
    )
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert) plus the
    # external check requested through phase1; the profile is only added here
    # and selected later by run_ext_cert_check().
    tls_settings = {"ca_cert": "auth_serv/ca.pem",
                    "phase1": "tls_ext_cert_check=1"}
    inner_auth = {"identity": "user", "anonymous_identity": "peap",
                  "password": "password", "phase2": "auth=MSCHAPV2"}
    settings = dict(inner_auth)
    settings.update(tls_settings)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            scan_freq="2412", only_add_network=True,
                            **settings)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Start from an empty PAC blob so that the run below has to provision a
    # PAC (phase1 fast_provisioning=2) rather than reuse one from an earlier
    # test; run_ext_cert_check() clears the same blob again before its second
    # attempt.
    dev[0].request("SET blob fast_pac_auth_ext ")
    # NOTE(review): one argument line of this call, between pac_file and
    # only_add_network, is not visible in this listing; the sibling
    # *_ext_cert_check tests pass scan_freq="2412" there -- confirm against
    # the file.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    # Shared body of the *_ext_cert_check tests.  The caller has already added
    # a network profile with phase1="tls_ext_cert_check=1" and passes its id as
    # net_id.  This function brings up the AP, selects that profile, collects
    # the server certificate chain from CTRL-EVENT-EAP-PEER-CERT events,
    # checks the server and issuer CN from the harness side with pyOpenSSL,
    # and then answers the CTRL-REQ-EXT_CERT_CHECK prompt twice: "good" (the
    # connection must complete) and, after a PMKSA flush and reconnect, "bad"
    # (EAP must fail).
    #
    # NOTE(review): several lines of this function are not visible in this
    # listing -- the event-collection loop header, the initialisation of
    # certs/depth/cert, the `for v in vals:` header, the `if ev is None:`
    # guards in front of the raises, the conditions in front of the two
    # "not received" raises and the certs[...] arguments of the two
    # load_certificate() calls.  The indentation below follows the visible
    # text only; confirm against the file.
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        # The CN checks below need pyOpenSSL on the harness side.
        raise HwsimSkip("OpenSSL python method not available")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].select_network(net_id)
    # Wait for the next certificate-related event.  EAP-Success at this point
    # would mean the peer finished authentication without ever asking for the
    # external verdict, which is what this test is meant to rule out.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                            "CTRL-REQ-EXT_CERT_CHECK",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (presumably guarded by `if ev is None:` -- not visible here)
    raise Exception("No peer server certificate event seen")
    if "CTRL-EVENT-EAP-PEER-CERT" in ev:
        # The event is space-separated "key=value" tokens; pick out the chain
        # depth and the hex-encoded DER certificate and store the decoded
        # certificate by depth.
        vals = ev.split(' ')
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            cert = v.split('=')[1]
        if depth is not None and cert:
            certs[depth] = binascii.unhexlify(cert)
    elif "CTRL-EVENT-EAP-SUCCESS" in ev:
        raise Exception("Unexpected EAP-Success")
    elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
        # The request id is the last '-'-separated token before the ':' and
        # has to be echoed back in the CTRL-RSP-EXT_CERT_CHECK-<id> response.
        id = ev.split(':')[0].split('-')[-1]
    # Both the server certificate and its issuer must have been delivered
    # before a verdict is given (the conditions are not visible here).
    raise Exception("Server certificate not received")
    raise Exception("Server certificate issuer not received")
    # Decode the collected DER certificates and compare the subject CNs with
    # the values expected from the auth_serv test certificates.
    # NOTE(review): commonName is None when the subject carries no CN; the
    # string concatenations below would then raise TypeError instead of the
    # intended Exception -- confirm whether that matters for this test.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)
    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)
    # The external check must be a real gate: a short wait confirms that no
    # EAP-Success arrives before the harness has answered the request.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # (presumably guarded by `if ev is None:` -- not visible here)
    raise Exception("Unexpected EAP-Success before external check result indication")
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Flush the PMKSA cache so that the reconnect runs a full EAP exchange
    # (and therefore a second external check) instead of reusing the cached
    # PMK from the successful attempt.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    # Clearing the PAC blob only matters for the EAP-FAST caller; for the
    # other methods it is a no-op.
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # (presumably guarded by `if ev is None:` -- not visible here)
    raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # A negative verdict from the external checker must make EAP fail even
    # though the certificate chain itself has not changed.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (presumably guarded by `if ev is None:` -- not visible here)
    raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    # Each case arms a single injected allocation failure (alloc_fail) at a
    # named wpa_supplicant function, starts an EAP-TLS (or unauthenticated
    # TLS) exchange, and only verifies that the injected failure was actually
    # hit (wait_fail_trigger) and that the network can be torn down cleanly
    # afterwards -- i.e. the peer survives the failure without crashing.
    #
    # NOTE(review): a few lines of this function are not visible in this
    # listing -- one argument line in the eap_peer_tls_ssl_init connect()
    # call, two entries of the `tests` list, the `for func in tests:` header
    # in front of the `alloc_fail(dev[0], 1, func)` case, one argument line
    # of that case's connect() call, and the `if ev is None:` guard in front
    # of the CTRL-REQ-PIN raise.  The indentation below follows the visible
    # text only; confirm against the file.
    params = int_eap_server_params()
    # A small fragment size forces TLS fragmentation so that the first case
    # actually reaches the reassembly code path.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        # (one argument line of this call is not visible in this listing)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        # This case additionally expects the peer to fall back to asking for
        # a PIN after the failed TLS initialisation.
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        # (presumably guarded by `if ev is None:` -- not visible here)
        raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # Failures injected into the key/session-id derivation after a successful
    # TLS handshake ("<function>;<caller>" selects the call site).
    tests = [ "eap_peer_tls_derive_key;eap_tls_success",
              "eap_peer_tls_derive_session_id;eap_tls_success",
              "eap_tls_get_session_id" ]
    # (the `for func in tests:` header is not visible in this listing)
    with alloc_fail(dev[0], 1, func):
        # (one argument line of this call is not visible in this listing)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # Same failure points for the server-only-authenticated variants
    # (UNAUTH-TLS and WFA-UNAUTH-TLS), which have no client credentials.
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # PEAP with an inner EAP-TLS method, so both an outer and an inner method
    # show up in the status output; wait_connect=False lets the loop below
    # poll the EAP state machine while the exchange is still in progress.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    # NOTE(review): the initialisation of states, method_states, decisions
    # and req_methods, the body of the `state == "SUCCESS"` branch (presumably
    # recording success and leaving the loop), the `'decision'` lookup that
    # feeds the decisions list, and the condition in front of the final raise
    # are not visible in this listing.  The indentation below follows the
    # visible text only; confirm against the file.
    selected_methods = []
    # Poll STATUS-VERBOSE and record every distinct value observed for each
    # EAP state-machine variable until the state reaches SUCCESS; the large
    # iteration bound is a safety net, not an expected run length.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state not in states:
                states.append(state)
            if state == "SUCCESS":
                # (branch body not visible in this listing)
        if 'methodState' in s:
            val = s['methodState']
            if val not in method_states:
                method_states.append(val)
        # (the `'decision'` lookup that sets `val` here is not visible)
        if val not in decisions:
            decisions.append(val)
        if 'reqMethod' in s:
            val = s['reqMethod']
            if val not in req_methods:
                req_methods.append(val)
        if 'selectedMethod' in s:
            val = s['selectedMethod']
            if val not in selected_methods:
                selected_methods.append(val)
    # Log what was observed so a failing run shows how far the state machine
    # got.
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    # (the condition in front of this raise is not visible in this listing)
    raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Very short AP-side PTK rekey interval (presumably seconds) so that a
    # second 4-way handshake happens shortly after the initial connection.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    id = eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    # eap_connect() returns after the first handshake; the next
    # "Key negotiation completed" event is the AP-triggered rekey.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    # (presumably guarded by `if ev is None:` -- the guard line is not
    # visible in this listing)
    raise Exception("PTK rekey timed out")
    # Data traffic must still flow with the freshly negotiated PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)
5947 def test_ap_wpa2_eap_wildcard_ssid(dev, apdev):
5948 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
5949 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5950 hapd = hostapd.add_ap(apdev[0], params)
5951 dev[0].connect(bssid=apdev[0]['bssid'], key_mgmt="WPA-EAP", eap="GPSK",
5952 identity="gpsk user",
5953 password="abcdefghijklmnop0123456789abcdef",