1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
28 openssl_imported = True
30 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/EAP-AKA tests need the HLR/AuC gateway that the hostapd
    authentication server talks to; its Unix socket is expected at the
    fixed path /tmp/hlr_auc_gw.sock.

    NOTE(review): a fixed rendezvous path under /tmp is acceptable on an
    isolated test VM, but on a shared host any local user could pre-create
    that path, so this check only says "something is there", not that it
    is the real gateway.

    Raises:
        HwsimSkip: when the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test unless the build advertises EAP method 'method'.

    The supplicant's list of compiled-in EAP methods is read through
    dev.get_capability("eap").  NOTE(review): this excerpt omits the
    comparison line between the lookup and the raise.

    Raises:
        HwsimSkip: when the method is not available in the build.
    """
    res = dev.get_capability("eap")
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless the supplicant's TLS backend is OpenSSL.

    subject_match is only implemented for the OpenSSL backend.  The library
    name is taken from the "GET tls_library" control interface command.

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    is_openssl = lib.startswith("OpenSSL")
    if is_openssl:
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip unless the supplicant's TLS backend is OpenSSL.

    altsubject_match (subjectAltName matching) is only implemented for the
    OpenSSL backend; the library name comes from "GET tls_library".

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("OpenSSL"):
        msg = "altsubject_match not supported with this TLS library: " + lib
        raise HwsimSkip(msg)
def check_domain_match(dev):
    """Skip when the supplicant uses the internal TLS library.

    domain_match is available on every TLS backend except the internal one,
    so only a library string starting with "internal" triggers the skip.

    Raises:
        HwsimSkip: when the supplicant reports the internal TLS library.
    """
    lib = dev.request("GET tls_library")
    uses_internal = lib.startswith("internal")
    if uses_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when the supplicant uses the internal TLS library.

    domain_suffix_match is not implemented by the internal TLS backend; any
    other library string passes the check.

    Raises:
        HwsimSkip: when the supplicant reports the internal TLS library.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("internal"):
        msg = "domain_suffix_match not supported with this TLS library: " + lib
        raise HwsimSkip(msg)
def check_domain_match_full(dev):
    """Skip unless the supplicant's TLS backend is OpenSSL.

    Used by tests that rely on domain_suffix_match behaving as a true suffix
    match; on other backends the option only does a full-name match, so the
    skip message says so.

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    is_openssl = lib.startswith("OpenSSL")
    if is_openssl:
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless the TLS backend supports certificate probing.

    Certificate probing (connecting only to learn the server certificate) is
    implemented for the OpenSSL and the internal TLS backends.

    Raises:
        HwsimSkip: for any other library string.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith(("OpenSSL", "internal")):
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless the supplicant's TLS backend is OpenSSL.

    ext_cert_check (delegating server certificate validation to an external
    program over the control interface) is only available with OpenSSL.

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Capability check for the OCSP tests; currently never skips.

    No TLS backend is excluded at present, so this only issues the
    "GET tls_library" query (kept for parity with the other check_*
    helpers) and returns.  If a backend without OCSP support shows up
    again, this is the place to add the HwsimSkip.
    """
    dev.request("GET tls_library")
def check_ocsp_multi_support(dev):
    """Skip unless both ends of the TLS tunnel use the internal TLS library.

    ocsp_multi is only implemented in the internal TLS backend, and it has to
    be present on both the station 'dev' and the authentication server that is
    reachable through the "as" hostapd control interface.

    Raises:
        HwsimSkip: when either side reports a different TLS library.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
    # The RADIUS/EAP server is queried separately; it presumably runs with its
    # own TLS backend, so the station-side answer says nothing about it.
    as_hapd = hostapd.Hostapd("as")
    res = as_hapd.request("GET tls_library")
    if not res.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Capability check for the PKCS#12 tests; currently never skips.

    Every supported TLS backend can load PKCS#12 bundles at the moment, so
    only the "GET tls_library" query is issued (for parity with the other
    check_* helpers) and the function returns without raising.
    """
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip when the supplicant uses the internal TLS library.

    DH parameters in DSA form are not handled by the internal TLS backend;
    any other library string passes.

    Raises:
        HwsimSkip: when the supplicant reports the internal TLS library.
    """
    lib = dev.request("GET tls_library")
    uses_internal = lib.startswith("internal")
    if uses_internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect 'dev' to the test AP with EAP method 'method' and verify the result.

    The network profile is added with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    PMF enabled but optional (ieee80211w="1") and a fixed scan on 2412 MHz;
    any extra keyword arguments (password, anonymous_identity, phase1, ...)
    are forwarded to dev.connect().  eap_check_auth() then validates the EAP
    exchange from the supplicant's point of view, and finally the AP side is
    asked for AP-STA-CONNECTED so that the authenticator's view of the port
    state is checked as well, not just the supplicant's.

    NOTE(review): this excerpt is missing several lines of the full
    function (the end of the dev.connect() call and the guards around the
    early return and the raise), so the visible code is not runnable as-is.

    Returns:
        The network id returned by dev.connect() (in the full function).

    Raises:
        Exception: when any of the expected events does not arrive.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # Cross-check with hostapd: the AP must also report the STA as connected.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP authentication on 'dev' and assert its outcome.

    On the failure path (expect_failure) the function waits for
    CTRL-EVENT-EAP-FAILURE and the disconnection, and - unless
    local_error_report is set - requires the deauthentication reason code
    23 (IEEE 802.1X authentication failed), so a failed EAP exchange must
    be torn down with the proper reason rather than silently dropped.  On
    the success path it waits for CTRL-EVENT-EAP-SUCCESS, the connection
    (or the 4-way handshake completion when 'initial' is false) and then
    checks the STATUS output: wpa_state, suppPortStatus, selectedMethod
    and the key_mgmt string expected for the sha256/rsn combination.

    NOTE(review): lines are missing from this excerpt (see the gaps in the
    original numbering), so several raise statements appear here without
    the condition that guards them, and the three assignments to 'e' are
    shown without their if/elif/else selectors.

    Raises:
        Exception: on any timeout or unexpected status value.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
        raise Exception("Could not select EAP method")
    raise Exception("Unexpected EAP method")
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    if maybe_local_error and "locally_generated=1" in ev:
    if not local_error_report:
        # reason=23 is the IEEE 802.11 reason code for "IEEE 802.1X
        # authentication failed"; anything else means the AP tore the
        # association down for the wrong reason.
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The controlled port must be authorized, not merely the EAP state done.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on 'dev' and validate the outcome.

    Issues the REAUTHENTICATE control command and then runs eap_check_auth()
    with initial=False, forwarding rsn, sha256 and expect_failure unchanged.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # Positive path: dev[0] authenticates with the test IMSI and the
    # GSM-Milenage Ki:OPc pair that matches the hlr_auc_gw database, passes a
    # data-connectivity check and then re-authenticates.
    # NOTE(review): several eap_connect() calls below are missing their last
    # argument line in this excerpt (original numbering has gaps), so their
    # expected outcome (expect_failure or not) is not visible here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Wrong Ki (first byte changed): the SRES values will not match the AuC's.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # Malformed key material: too short, non-hex character in Ki, non-hex
    # character in OPc, and a wrong separator between the two halves.  Each
    # of these must be rejected by the supplicant's password parsing rather
    # than silently truncated or zero-padded.
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    # No password at all: the method has no key material to work with.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    # Exercises the EAP-SIM fast re-authentication and pseudonym state that
    # the authentication server keeps in an SQLite database (hostapd.db in
    # the log directory).  The test edits that database directly between
    # re-authentications to force each server-side code path.
    # NOTE(review): this excerpt omits the sqlite3 import guard and the
    # "with con:" / cursor setup lines, so 'cur' is unbound as shown here.
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 selects the second authentication server instance,
    # presumably the one configured with the SQLite backend.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    # The SQL statements below use fixed test identities, so string literals
    # are fine here; switch to parameterized queries if the identity ever
    # becomes a variable.
    logger.info("SIM full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Corrupting the stored master key must make fast re-authentication fail:
    # a peer whose MK no longer matches the server's must not get back in on
    # the fast path.
    logger.info("SIM reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # Counter desynchronization: the re-authentication is still expected to
    # complete (no expect_failure), i.e. the mismatch is recovered rather
    # than treated as a fatal error.
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # Counter past the server's re-authentication limit; the exchange is
    # still expected to succeed (presumably by falling back to full auth).
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    # sim_min_num_chal bounds how many RAND challenges the peer insists on.
    # Values 1 and 4 must be refused at method initialization (RFC 4186
    # allows 2 or 3 challenges; a single challenge would leave the session
    # keys derived from one 64-bit Kc), value 2 must work.
    # NOTE(review): the "if ev is None:" guards before the raise statements
    # are missing from this excerpt.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    # A pre-configured anonymous_identity (pseudonym) must not break the
    # connection either.
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # Wrapper that runs the real test and then switches external_sim back
    # off so later tests do not inherit the external-SIM mode.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    # With external_sim=1 the supplicant does not compute GSM triplets itself;
    # it emits CTRL-REQ-SIM-<id>:GSM-AUTH:<RAND ...> and expects the answer
    # through CTRL-RSP-SIM-<id>.  Every answer given below is deliberately
    # wrong (wrong type, non-hex, truncated, missing SRES/Kc parts) and each
    # must end in CTRL-EVENT-EAP-FAILURE: a malformed external authentication
    # result must never be accepted as a valid one.
    # NOTE(review): this excerpt omits the "if ev is None:" guards and the
    # "p = ev.split(':')" lines, so 'p' is unbound as shown here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Case 1: answer a GSM-AUTH request with a UMTS-AUTH response (type
    # mismatch).  The control command itself is accepted; the failure shows
    # up in EAP.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 2: non-hex garbage as the whole GSM-AUTH payload.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 3: Kc far too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 4: a full 8-byte Kc but no SRES part at all.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 5: Kc followed by a non-hex SRES.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 6: one well-formed Kc:SRES pair, but only one triplet where the
    # request asked for more.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 7: a valid pair followed by a non-hex trailing triplet.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # Wrapper: run the real test, then turn external_sim off again so the
    # setting does not leak into later tests.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    # First a genuine external-SIM authentication: the RAND from the
    # supplicant's CTRL-REQ-SIM event is fed to the hlr_auc_gw binary, which
    # answers with the matching Kc:SRES triplets.  Then the configured
    # identity is switched to a different IMSI ("new SIM") while the
    # pseudonym learned for the old one is left in place; that mismatch is
    # expected to end in EAP-Failure rather than a successful login under
    # the old subscriber's identity.
    # NOTE(review): this excerpt omits the "if ev is None:" guards, the
    # "p = ev.split(':')" lines and one argument line of each check_output
    # call, so 'p' is unbound as shown here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # 'rand' comes from the supplicant event and is passed as a single argv
    # element (no shell), so there is no command injection surface here;
    # hlr_auc_gw is expected to reject non-hex input.
    # NOTE(review): under Python 3 check_output() returns bytes, which
    # would break the "in" and split() below; decode or pass
    # universal_newlines=True if this is ever run there.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    # Correct triplets for the new SIM, but sent under the old pseudonym.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # Wrapper: run the real test, then turn external_sim off again so the
    # setting does not leak into later tests.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    # Same flow as the replace_sim test, but when the identity is switched
    # to the new IMSI the cached anonymous_identity (pseudonym) is cleared
    # as well, so the second authentication is expected to succeed.
    # NOTE(review): this excerpt omits the "if ev is None:" guards, the
    # "p = ev.split(':')" lines and one argument line of each check_output
    # call, so 'p' is unbound as shown here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # 'rand' is passed as its own argv element (no shell), so no command
    # injection surface; hlr_auc_gw is expected to validate the hex.
    # NOTE(review): check_output() returns bytes under Python 3.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # Wrapper: run the real test, then turn external_sim off again so the
    # setting does not leak into later tests.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    # Variant with no identity in the network profile: the supplicant asks
    # for it through CTRL-REQ-IDENTITY and the test supplies it via
    # CTRL-RSP-IDENTITY.  After the first successful run both the permanent
    # and the pseudonym identity are cleared, a new IMSI is supplied on the
    # next request, and the second authentication is expected to succeed.
    # NOTE(review): this excerpt omits the "if ev is None:" guards, the
    # "p = ev.split(':')" lines and one argument line of each check_output
    # call, so 'p' is unbound as shown here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    raise Exception("Request for identity timed out")
    # Request id is the last '-'-separated token before the first ':'.
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # 'rand' is passed as its own argv element (no shell), so no command
    # injection surface; hlr_auc_gw is expected to validate the hex.
    # NOTE(review): check_output() returns bytes under Python 3.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(id, "identity", "NULL")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    raise Exception("Request for identity timed out")
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # Wrapper: run the real test, then turn external_sim off again so the
    # setting does not leak into later tests.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    # The external SIM handler answers GSM-FAIL instead of triplets; the
    # supplicant must report CTRL-EVENT-EAP-FAILURE and the network is then
    # removed so the disconnection is observed.
    # NOTE(review): this excerpt omits the "if ev is None:" guards and the
    # "p = ev.split(':')" line, so 'p' is unbound as shown here.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    raise Exception("Wait for external SIM processing request timed out")
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    # Fault injection: fail_test() makes the count-th call into
    # milenage_f2345 (the Milenage f2-f5 key/response derivation) fail.  For
    # each injection point the test only requires that the EAP method is
    # selected and that the connection is then torn down, i.e. a failed
    # derivation must not let the exchange continue with bogus values.
    # NOTE(review): the "if ev is None:" guard before the raise is missing
    # from this excerpt.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    # Positive path with the test USIM entry (password is the Milenage
    # Ki:OPc:SQN triple, presumably), then the same family of negative
    # cases as the EAP-SIM test: wrong Ki and malformed key strings.
    # NOTE(review): several eap_connect() calls below are missing their
    # last argument line in this excerpt, so their expected outcome is not
    # visible here.  Also note that, unlike the SIM variant, cases (2)-(4)
    # do not REMOVE_NETWORK before the next eap_connect(), so a fresh
    # network profile is added on top of the previous one each time -
    # worth confirming that this is intentional.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    # Wrong Ki (first byte changed): RES will not match the AuC's XRES.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # Malformed key material: too short, non-hex in Ki, in OPc, in SQN, and
    # wrong separators.  Each must be rejected by the password parser.
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # No password at all: the method has no key material to work with.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # EAP-AKA counterpart of the SIM SQL test: the server-side fast
    # re-authentication and pseudonym rows in hostapd.db are edited between
    # re-authentications to force each code path.
    # NOTE(review): this excerpt omits the sqlite3 import guard and the
    # "with con:" / cursor setup lines, so 'cur' is unbound as shown here.
    check_hlr_auc_gw_support()
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 selects the second authentication server instance,
    # presumably the one configured with the SQLite backend.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    # Fixed test identities in the SQL literals; parameterize if the identity
    # ever becomes a variable.
    logger.info("AKA full auth with pseudonym")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with permanent identity")
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # A master key that no longer matches must make fast re-auth fail.
    logger.info("AKA reauth with mismatching MK")
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # Counter desynchronization is expected to be recovered (no
    # expect_failure), not treated as fatal.
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # Counter past the server's re-authentication limit; still expected to
    # succeed (presumably by falling back to full authentication).
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Milenage key material for the test USIM entry (presumably Ki:OPc:SQN);
    # it has to match the hlr_auc_gw database used by the auth server.
    milenage_key = ("90dca4eda45b53cf0f12d7c9c3bc6a89"
                    ":cb9cccc4b9258e6dca4760379fb82581"
                    ":000000000123")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A pre-configured anonymous_identity (pseudonym) must not prevent a
    # successful EAP-AKA connection.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage_key,
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # Wrapper: run the real test, then turn external_sim off again so the
    # setting does not leak into later tests.
    # NOTE(review): the try/finally lines are missing from this excerpt.
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    dev[0].request("SET external_sim 0")
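def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Drive EAP-AKA through wpa_supplicant's external SIM interface.

    With ``external_sim 1`` the supplicant does not run the UMTS algorithm
    itself: it raises a CTRL-REQ-SIM request carrying the UMTS-AUTH challenge
    and waits for the answer on the control interface.  The test answers with
    replies that must be rejected and checks that every attempt ends in
    CTRL-EVENT-EAP-FAILURE instead of a completed authentication:

    1. a GSM-AUTH triplet in reply to a UMTS-AUTH request (wrong type);
    2. UMTS-AUTS resynchronisation values of the wrong length;
    3. UMTS-AUTH replies with bad separators, bad lengths or non-hex digits.

    NOTE(review): several one-line guards (``if ev is None:``,
    ``p = ev.split(':', 2)``, the ``for t in tests:`` header) and one entry
    of the ``tests`` list are missing from the visible source.  The guards
    are reconstructed from the error messages and from the identical code in
    _test_ap_wpa2_eap_aka_prime_ext_auth_fail; the missing list entry is not
    reconstructed.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # Renamed from "id" to avoid shadowing the builtin.
    netid = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                           identity="0232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                           wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_request():
        """Wait for a CTRL-REQ-SIM UMTS-AUTH request; return its request id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure_and_teardown():
        """Require the attempt to end in EAP failure, then disconnect."""
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()

    # 1. GSM-AUTH reply to a UMTS-AUTH request: the ctrl_iface command is
    #    accepted, but the EAP method must fail while processing it.
    rid = wait_umts_auth_request()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure_and_teardown()

    # 2. UMTS-AUTS values of the wrong length; both are accepted by the
    #    control interface and must be rejected during UMTS auth validation.
    dev[0].select_network(netid, freq="2412")
    rid = wait_umts_auth_request()
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    rid = wait_umts_auth_request()
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    expect_eap_failure_and_teardown()

    # 3. Malformed UMTS-AUTH replies: wrong field separator, short RES/CK/IK
    #    fields, over-long last field and a non-hex character.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    for t in tests:
        dev[0].select_network(netid, freq="2412")
        rid = wait_umts_auth_request()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure_and_teardown()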
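def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # NOTE(review): the try/finally keywords are missing from the visible
    # source; reconstructed so that external_sim is always reset on dev[0].
    try:
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")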
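def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """Answer the external SIM request with UMTS-FAIL and expect EAP failure.

    No password is configured on the network: with external_sim the UMTS
    computation is delegated to the control interface client, which here
    reports an authentication failure (UMTS-FAIL).  The supplicant must turn
    that into CTRL-EVENT-EAP-FAILURE.

    NOTE(review): the ``if ev is None:`` guards and the ``p = ev.split(':', 2)``
    line are missing from the visible source and are reconstructed from the
    identical code in _test_ap_wpa2_eap_aka_prime_ext_auth_fail.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # The network id returned by connect() is not needed afterwards.
    dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                   identity="0232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()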
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    # Same credentials with the first byte altered; the server must reject it.
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], ap, "AKA'", "6555444333222111", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # The peer allows both AKA' and AKA here and the association is still
    # expected to complete (the "@both" realm presumably maps to a server
    # user entry permitting both methods -- confirm against the auth_serv
    # configuration).
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "AKA'", "6555444333222111", password=bad_key,
                expect_failure=True)
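def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    # NOTE(review): the three lines of the sqlite3 import guard are missing
    # from the visible source; reconstructed from the HwsimSkip message.
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # ``params`` is the test fixture (carries 'logdir'); the AP configuration
    # gets its own name instead of shadowing it as the original did.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(statement):
        """Execute one statement against hostapd.db and commit it.

        NOTE(review): the original's ``with con:`` / ``cur = con.cursor()``
        pairs are missing from the visible source; the connection context
        manager is used so each change is committed before the next EAP
        exchange reads the table.
        """
        with con:
            con.execute(statement)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Presumably the RADIUS server instance backed by the SQL database;
        # confirm against the auth_serv setup.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        aka_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
        eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                    password=aka_key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        run_sql("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # Server-side fast-reauth key corrupted: the reauth must fail rather
        # than be accepted with a key the peer does not share.
        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                    password=aka_key)
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        # Counter rewound after a successful reauth so the server's value
        # no longer matches the peer's.
        run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                    password=aka_key)
        run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # The original never closed the connection.
        con.close()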
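def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # NOTE(review): the try/finally keywords are missing from the visible
    # source; reconstructed so that external_sim is always reset on dev[0].
    try:
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")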
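def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """Answer the external SIM request for EAP-AKA' with UMTS-FAIL.

    Same flow as _test_ap_wpa2_eap_aka_ext_auth_fail but for AKA': the
    control interface client reports an authentication failure instead of
    the UMTS result and the supplicant must end the exchange with
    CTRL-EVENT-EAP-FAILURE.

    NOTE(review): the two ``if ev is None:`` guards are missing from the
    visible source and are reconstructed from the error messages.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # The network id returned by connect() is not needed afterwards.
    dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                   identity="6555444333222111",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()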
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The first AKM listed by GET_CONFIG has to be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password as-is inside the TLS tunnel, so validating the
    # server certificate against ca_cert is what keeps it from a rogue AP.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; both the requested
    # and the selected suite must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                        ("dot11RSNAAuthenticationSuiteSelected", akm_8021x) ])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Pin the server certificate on top of the CA check: both the subject DN
    # and the listed subjectAltName entries have to match.
    cert_constraints = {
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=PAP", expect_failure=True)
    # Right user, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **ttls_pap)
    # Right password for "user", but presumably that account is not allowed
    # to use PAP on the server side -- confirm against the auth_serv config.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **ttls_pap)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP is MD5-based, hence not available under FIPS.
    skip_with_fips(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate this time (the PAP tests use the PEM file).
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same subjectAltName entries as the PAP variant, listed in another order.
    san_constraint = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_constraint)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_chap = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="auth=CHAP", expect_failure=True)
    # Wrong password for the CHAP user ...
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **ttls_chap)
    # ... and a user that presumably is not permitted to use CHAP at all.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **ttls_chap)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    sta = dev[0]
    ap = apdev[0]
    skip_with_fips(sta)
    check_domain_suffix_match(sta)
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_mschap = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                       phase2="auth=MSCHAP")

    # Baseline with the server name pinned through domain_suffix_match.
    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **ttls_mschap)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    sta.request("REMOVE_NETWORK all")

    # Small EAP fragments to exercise reassembly.
    eap_connect(sta, ap, "TTLS", "mschap user", password="password",
                fragment_size="200", **ttls_mschap)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # NT password hash instead of the password. Note that for MSCHAP the hash
    # is a password equivalent, so a stored hash needs the same protection.
    eap_connect(sta, ap, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **ttls_mschap)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_mschap = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                       phase2="auth=MSCHAP", expect_failure=True)
    # Three ways to fail: wrong password, a user presumably not allowed to use
    # MSCHAP, and an unknown user.
    attempts = [ (dev[0], "mschap user", "wrong"),
                 (dev[1], "user", "password"),
                 (dev[2], "no such user", "password") ]
    for sta, identity, password in attempts:
        eap_connect(sta, apdev[0], "TTLS", identity, password=password,
                    **ttls_mschap)
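def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the hostapd control object (as the other tests
    # in this file use it); the original created a second hostapd.Hostapd().
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" in the original literal is an invalid escape sequence (a
    # SyntaxWarning on current Python); "\\m" keeps the DOMAIN\mschapv2
    # identity value unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the authenticator's per-STA counters, reauthenticate, and check
    # that the EAPOL/backend counters moved.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The NT hash is a password equivalent for MSCHAPv2; a stored hash needs
    # the same protection as the password itself.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")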
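def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # phase2 strings the supplicant must refuse: an apparently wrong method
    # spelling, auth= mixed with autheap=, and several methods for one key.
    # Completing the connection would mean an unsupported or ambiguous inner
    # method was negotiated anyway.
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
    # NOTE(review): the ``for t in tests:`` header is missing from the
    # visible source and is reconstructed (``t`` is used below).
    for t in tests:
        # "\\m": the original "\m" is an invalid escape sequence; the identity
        # value DOMAIN\mschapv2 is unchanged.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # EAP type 21 is EAP-TTLS: the outer method must at least be proposed.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()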
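def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Needs a TLS library that implements real suffix matching (see
    # check_domain_match_full); the server name is server.w1.fi, so the
    # suffix "w1.fi" must be accepted.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the hostapd control object; no need for a
    # second hostapd.Hostapd() instance as in the original.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m": the original "\m" is an invalid escape sequence (SyntaxWarning
    # on current Python); the identity value DOMAIN\mschapv2 is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")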
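def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the hostapd control object; no need for a
    # second hostapd.Hostapd() instance as in the original.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires the full server name; the mixed case "Server"
    # is expected to match, i.e. the comparison is case-insensitive.
    # "\\m": the original "\m" is an invalid escape sequence (SyntaxWarning
    # on current Python); the identity value DOMAIN\mschapv2 is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")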
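def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password for the domain user. "\\m": the original "\m" is an
    # invalid escape sequence; the identity value DOMAIN\mschapv2 is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Correct password, but presumably a user not permitted to use MSCHAPv2
    # on the server side -- confirm against the auth_serv config.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)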
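def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the hostapd control object; the original
    # created a second (unused) hostapd.Hostapd() instance.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_mschapv2 = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                         phase2="auth=MSCHAPV2")
    # Non-ASCII password given as a string ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **ttls_mschapv2)
    # ... and the same user through its NT hash.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **ttls_mschapv2)
    # Raw hex passwords the supplicant must refuse quickly: presumably
    # invalid UTF-8 byte sequences and an over-long (257 byte) value.
    # NOTE(review): the ``if ev is None:`` guard is missing from the visible
    # source and is reconstructed from the error message.
    for bad_hex in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       password_hex=bad_hex,
                       wait_connect=False, scan_freq="2412",
                       **ttls_mschapv2)
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()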
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP method (autheap=) rather than a plain TTLS auth= method.
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must end in EAP failure, not a connection.
    inner_gtc = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                expect_failure=True, **inner_gtc)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so a
    # password supplied by the peer must not be accepted.
    inner_gtc = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", expect_failure=True, **inner_gtc)
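def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure while the server initialises the inner method: the
    # authentication has to fail.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the inner request. The attempt would
    # eventually time out on its own; it only needs to run until the trigger
    # has fired. NOTE(review): the original's bounded polling loop is only
    # partly visible here; wait_fail_trigger() is the helper this file uses
    # for the same check on the client side and raises if the trigger never
    # fires.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")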
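def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Client-side allocation failures inside the inner EAP-GTC method.
    tests = [ "eap_gtc_init",
              "eap_msg_alloc;eap_gtc_process" ]
    # NOTE(review): the loop header and two lines of the connect() call are
    # missing from the visible source. ``wait_connect=False`` is required for
    # the wait_fail_trigger() call to be reachable and ``scan_freq="2412"``
    # is what every other connect() in this file passes; both reconstructed.
    for func in tests:
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()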
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    sta = dev[0]
    # EAP-MD5 is an optional build component on the supplicant side.
    check_eap_capa(sta, "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_md5 = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="autheap=MD5")
    # Wrong password: must fail, not connect.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                expect_failure=True, **inner_md5)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_md5 = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="autheap=MD5")
    # "user-no-passwd" presumably has no password configured on the server;
    # supplying one must not let the peer in.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", expect_failure=True, **inner_md5)
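def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure while the server initialises the inner method: the
    # authentication has to fail.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the inner request. The attempt would
    # eventually time out on its own; it only needs to run until the trigger
    # has fired. NOTE(review): the original's bounded polling loop is only
    # partly visible here; wait_fail_trigger() is the helper this file uses
    # for the same check on the client side and raises if the trigger never
    # fires.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")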
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    sta = dev[0]
    ap = apdev[0]
    check_eap_capa(sta, "MSCHAPV2")
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_mschapv2 = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                          phase2="autheap=MSCHAPV2")

    eap_connect(sta, ap, "TTLS", "user", password="password", **inner_mschapv2)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner_mschapv2)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so the
    # one supplied here must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
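def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failure while the server initialises the inner method: the
    # authentication has to fail.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    def attempt_until_alloc_fail(func, password):
        """Start a connection with the server-side OOM trigger armed at func.

        The attempt would eventually time out on its own; it only needs to
        run until the trigger has fired, after which the network is removed.
        NOTE(review): the original's bounded polling loop is only partly
        visible here; wait_fail_trigger() is the helper this file uses for
        the same check on the client side and raises if the trigger never
        fires.
        """
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")

    attempt_until_alloc_fail("eap_mschapv2_build_challenge", "password")
    attempt_until_alloc_fail("eap_mschapv2_build_success_req", "password")
    # Wrong password so that the server takes the failure-request path.
    attempt_until_alloc_fail("eap_mschapv2_build_failure_req", "wrong")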
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA tunnelled inside TTLS; the outer identity carries a realm
    # ("@ttls") while the inner identity is the bare IMSI-style value.
    aka_inside_ttls = dict(
        anonymous_identity="0232010000000000@ttls",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem",
        phase2="autheap=AKA",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000", **aka_inside_ttls)
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA as the PEAP inner method; same credentials as the TTLS variant
    # but with a "@peap" realm on the outer identity.
    aka_inside_peap = dict(
        anonymous_identity="0232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000", **aka_inside_peap)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside EAP-FAST with authenticated PAC provisioning
    # (fast_provisioning=2); the PAC is kept in a config blob.
    aka_inside_fast = dict(
        anonymous_identity="0232010000000000@fast",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        phase1="fast_provisioning=2",
        pac_file="blob://fast_pac_auth_aka",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(sta, apdev[0], "FAST", "0232010000000000", **aka_inside_fast)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    sta = dev[0]
    ap = apdev[0]
    check_eap_capa(sta, "MSCHAPV2")
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peap_mschapv2 = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                         phase2="auth=MSCHAPV2")

    eap_connect(sta, ap, "PEAP", "user", password="password", **peap_mschapv2)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")
    sta.request("REMOVE_NETWORK all")

    # Small EAP fragments to exercise reassembly.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **peap_mschapv2)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # The NT hash is a password equivalent for MSCHAPv2; a stored hash needs
    # the same protection as the password itself.
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **peap_mschapv2)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **peap_mschapv2)
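def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The original literal "DOMAIN\user3" is a truncated \uXXXX escape and
    # therefore a SyntaxError on Python 3; escaping the backslash keeps the
    # intended DOMAIN\user3 identity.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")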
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the PEAP user: must end in EAP failure.
    peap_mschapv2 = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                         phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="wrong",
                expect_failure=True, **peap_mschapv2)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with crypto_binding set to 2, 1 and 0 respectively;
    only the first also runs the data-path check and a reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def connect_with_binding(sta, binding):
        # PEAPv0 with the given crypto_binding phase1 value.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect_with_binding(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        connect_with_binding(sta, binding)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Inject an allocation failure into eap_mschapv2_getKey on the server;
    # with crypto_binding=2 the peer is expected to report a failed connection.
    peap_args = dict(password="password",
                     ca_cert="auth_serv/ca.pem",
                     phase1="peapver=0 crypto_binding=2",
                     phase2="auth=MSCHAPV2",
                     expect_failure=True, local_error_report=True)
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", **peap_args)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Exercises PEAP phase1 options: peaplabel, peap_outer_success, the
    interaction between the anonymous identity (peap-ver0 / peap-ver1 users)
    and the peer's peapver setting, and a set of TLS tuning flags.

    NOTE(review): gutter lines 1675, 1681, 1695, 1701, 1704, 1708, 1716, 1719,
    1729 and 1733 are absent from this listing. The code is reproduced as
    shown and each gap is marked inline; verify against the source file
    before treating this block as complete.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # PEAPv0 with peaplabel=1 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): gutter line 1675 missing (presumably the identity argument)
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): gutter line 1681 missing; presumably an `if ev is None:` guard for the raise below.
    raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP success is expected but the connection
    # must not complete (checked with a short 1 s wait below).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): gutter line 1695 missing (presumably the identity argument)
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): gutter line 1701 missing; presumably `if ev is None:`.
    raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): gutter line 1704 missing; presumably `if ev is not None:`.
    raise Exception("Unexpected connection")

    # Compatible (anonymous identity, peapver) combinations: these connect.
    # NOTE(review): gutter line 1708 (one more tuple in this list) is missing.
    tests = [ ("peap-ver0", ""),
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       # NOTE(review): gutter line 1716 missing (remaining arguments and the
                       # closing parenthesis of this connect() call)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatched (anonymous identity, peapver) combinations: EAP-Failure expected.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): gutter line 1729 missing; presumably `if ev is None:`.
        raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # TLS tuning flags passed through phase1; the connection must still succeed.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS credentials use the *2 variants of the certificate options.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "TLS"
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], method, "tls user", **creds)
    eap_reauth(dev[0], method)
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase is supplied in the network block.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same flow as the PKCS #5 v2 case, with a PKCS #5 v1.5 encrypted key file.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
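def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are stored as
    wpa_supplicant configuration blobs and referenced with blob:// URIs.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # Load a PEM file and store it as the named config blob. The error
        # message now names the blob that actually failed (the original
        # reported "cacert" for the userkey blob as well).
        # NOTE(review): str.encode("hex") is Python 2 only; binascii.hexlify is
        # the portable spelling should this file move to Python 3.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")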
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set; the
    EAP method must fail to initialize rather than proceed without credentials.

    NOTE(review): gutter line 1805 is absent from this listing (presumably an
    `if ev is None:` guard before the raise); verify against the source file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="blob://testing-blob-does-not-exist",
                   client_cert="blob://testing-blob-does-not-exist",
                   private_key="blob://testing-blob-does-not-exist",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): gutter line 1805 missing here.
    raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer send the TLS Message Length field
    # even when no fragmentation is needed.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 phase1="include_tls_length=1",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three phases: (1) PKCS#12 with the passphrase in the network block,
    (2) PKCS#12 without a configured passphrase, answered interactively via
    CTRL-REQ-PASSPHRASE / CTRL-RSP-PASSPHRASE, (3) two further PKCS#12 files
    covering extra-certificate chain handling.

    NOTE(review): gutter lines 1836, 1849 and 1852 are absent from this
    listing; the gaps are marked inline. Verify against the source file.
    """
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No private_key_passwd configured: wpa_supplicant has to request it over
    # the control interface.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): gutter line 1836 missing; presumably `if ev is None:`.
    raise Exception("Request for private key passphrase timed out")
    # The network id is the last '-'-separated field before the ':' of the
    # request event. (`id` shadows the builtin; it is local to this test.)
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # NOTE(review): gutter line 1849 missing from the listing.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    # NOTE(review): gutter line 1852 missing; presumably the
                    # private_key=... argument using the loop variable.
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CA certificate as a config blob.
    ca_pem = read_pem("auth_serv/ca.pem")
    res = dev[0].request("SET blob cacert " + ca_pem.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set cacert blob")
    # PKCS#12 bundle read as raw bytes and stored as a second blob.
    with open("auth_serv/user.pkcs12", "rb") as fh:
        p12 = fh.read()
        res = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    The server certificate must be rejected when the configured CA did not
    sign it, whether the CA is given as a config blob (dev[0]) or as a file
    (dev[1]). For each device the expected sequence is: EAP started, TTLS
    selected, CTRL-EVENT-EAP-TLS-CERT-ERROR, EAP failure, disconnection, and
    finally the network block being temporarily disabled.

    NOTE(review): gutter lines 1893, 1897, 1907, 1916, 1923 and 1929 are
    absent from this listing (presumably the `if ev is None:` guards before
    each raise); verify against the source file.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # NOTE(review): "\m" in "DOMAIN\mschapv2 user" is not a valid escape; the
    # value keeps the backslash, but a raw string would avoid the warning
    # newer Pythons emit.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # NOTE: this rebinds the `dev` parameter; after the loop `dev` is the
    # last station object, not the list.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        # NOTE(review): gutter line 1893 missing here.
        raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): gutter line 1897 missing here.
        raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The certificate error must be the first outcome reported; any
        # success/connected event here would mean validation was bypassed.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # NOTE(review): gutter line 1907 missing here.
        raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # NOTE(review): gutter line 1916 missing here.
        raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        # NOTE(review): gutter line 1923 missing here.
        raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        # NOTE(review): gutter line 1929 missing here.
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connect successfully with the correct CA, then switch to a second network
    block that trusts a different (incorrect) CA. EAP-TTLS (method 21) must be
    run again from scratch and the attempt must end in a disconnection with
    reason code 23 (IEEE 802.1X authentication failed) -- i.e. the earlier
    successful validation must not carry over to the new trust configuration.

    NOTE(review): gutter line 1953 is absent from this listing (presumably an
    `if ev is None:` guard); verify against the source file. `hapd` is unused.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block: same credentials, wrong trust root. (`id` shadows the builtin.)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): gutter line 1953 missing here.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block configures no ca_cert at all (no server validation), and the second
    one trusts the incorrect CA. The second attempt must re-run EAP-TTLS and
    end with a reason=23 disconnection.

    NOTE(review): gutter line 1980 is absent from this listing (presumably an
    `if ev is None:` guard); verify against the source file. `hapd` is unused.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): gutter line 1980 missing here.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant where the *same* network block is reused: after a successful
    connection its ca_cert is changed to the incorrect CA in place. The
    re-selection must re-run EAP-TTLS and end with a reason=23 disconnection.

    NOTE(review): gutter line 2003 is absent from this listing (presumably an
    `if ev is None:` guard); verify against the source file. `hapd` is unused.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Swap the trust root on the existing block before reconnecting.
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # NOTE(review): gutter line 2003 missing here.
    raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The CA is correct, but domain_suffix_match names a suffix the server
    certificate does not carry. The certificate error must be reported with
    "Domain suffix mismatch", followed by EAP failure, disconnection and the
    network block being temporarily disabled.

    NOTE(review): gutter lines 2023, 2027, 2037, 2048, 2055 and 2061 are absent
    from this listing (presumably the `if ev is None:` guards before each
    raise); verify against the source file.
    """
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2023 missing here.
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    # NOTE(review): gutter line 2027 missing here.
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2037 missing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2048 missing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2055 missing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): gutter line 2061 missing here.
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Same flow as the suffix-match test, but with domain_match="w1.fi", which
    requires a full match; the certificate error must carry "Domain mismatch".

    NOTE(review): gutter lines 2077, 2081, 2091, 2102, 2109 and 2115 are absent
    from this listing (presumably the `if ev is None:` guards before each
    raise); verify against the source file.
    """
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2077 missing here.
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    # NOTE(review): gutter line 2081 missing here.
    raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2091 missing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2102 missing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2109 missing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): gutter line 2115 missing here.
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match names a DN the server certificate does not have. With
    OpenSSL the certificate error must carry "Subject mismatch"; a TLS library
    that does not support subject_match may instead fail EAP method
    initialization, which is accepted as a pass (no connection either way).

    NOTE(review): gutter lines 2130, 2135, 2142, 2151, 2162, 2169 and 2175 are
    absent from this listing (2142 is presumably a `return` after the
    "not supported" log message, the others `if ev is None:` guards); verify
    against the source file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2130 missing here.
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): gutter line 2135 missing here.
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only acceptable when the TLS library lacks subject_match support.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # NOTE(review): gutter line 2142 missing here (presumably `return`).
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2151 missing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2162 missing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2169 missing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): gutter line 2175 missing here.
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the altsubject mismatch check once per entry in `tests`, each a
    altsubject_match value the server certificate must not satisfy.

    NOTE(review): gutter lines 2185-2187 are absent from this listing
    (presumably further list entries, the closing bracket and the
    `for match in tests:` header that binds `match`); verify against the
    source file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
              # NOTE(review): gutter lines 2185-2187 missing here.
    _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject mismatch attempt with altsubject_match=`match`.

    Expected outcome with OpenSSL: CTRL-EVENT-EAP-TLS-CERT-ERROR carrying
    "AltSubject mismatch", then EAP failure, disconnection and the network
    block being temporarily disabled. A TLS library without altsubject_match
    support may fail EAP method initialization instead, which is accepted.
    The network block is removed at the end so the caller can loop.

    NOTE(review): gutter lines 2199, 2204, 2211, 2220, 2231, 2238 and 2244 are
    absent from this listing (2211 is presumably a `return` after the
    "not supported" log message, the others `if ev is None:` guards); verify
    against the source file.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2199 missing here.
    raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): gutter line 2204 missing here.
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # NOTE(review): gutter line 2211 missing here (presumably `return`).
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2220 missing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2231 missing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): gutter line 2238 missing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): gutter line 2244 missing here.
    raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    method = "UNAUTH-TLS"
    # Server is validated against the CA; the peer presents no client certificate.
    eap_connect(dev[0], apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three steps: (1) ca_cert="probe://" deliberately fails the handshake but
    reports the server certificate (depth=0) and its hash, which must equal
    the expected value; (2) pinning a different sha256 hash must be rejected
    with "Server certificate mismatch"; (3) pinning the expected hash
    (hash://server/sha256/...) must connect without any CA file.

    NOTE(review): gutter lines 2268, 2271, 2276, 2289 and 2292 are absent from
    this listing (presumably the `if ev is None:` guards before each raise);
    verify against the source file.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Step 1: probe the server certificate chain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2268 missing here.
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    # NOTE(review): gutter line 2271 missing here.
    raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # NOTE(review): gutter line 2276 missing here.
    raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: wrong pinned hash must be reported as a mismatch, not accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): gutter line 2289 missing here.
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # NOTE(review): gutter line 2292 missing here.
    raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the hash reported by the probe pins the server successfully.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// pins -- an md5 algorithm, a sha256 value one hex
    digit short, and a sha256 value with a non-hex character -- must each make
    EAP-TTLS method initialization fail rather than fall back to an unpinned
    or partially matched server check.

    NOTE(review): gutter lines 2325 and 2328 are absent from this listing
    (presumably the `if ev is None:` guards before each raise); verify
    against the source file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Unsupported hash algorithm.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    # Truncated sha256 value.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    # Non-hex character ('Q') in the sha256 value.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        # NOTE(review): gutter line 2325 missing here.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        # NOTE(review): gutter line 2328 missing here.
        raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Plain connection with reauthentication, two connections with a very long
    identity (presumably to exercise fragmentation of the EAP-pwd exchange),
    and a negative run with an incorrect password.

    NOTE(review): gutter lines 2343 and 2352 are absent from this listing;
    both sit where the long-identity eap_connect() calls would carry their
    remaining arguments and closing parenthesis. Verify against the source
    file.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # NOTE(review): gutter line 2343 missing here (remaining arguments / closing paren).

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # NOTE(review): gutter line 2352 missing here (remaining arguments / closing paren).
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # The pwd-hash identity accepts the secret both in cleartext and as an NT hash.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # For the plain "pwd user" identity the hashed form is expected to be rejected.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user",
                password_hex=nthash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Brings up the AP once per pwd_group and connects; Brainpool groups 27-30
    are only included when both the build-time and run-time OpenSSL are 1.0.2.
    A connection failure with group 25 is tolerated with BoringSSL.

    NOTE(review): gutter lines 2378, 2382, 2388, 2392 and 2395-2397 are absent
    from this listing (presumably the `for i in groups:` header, the
    try/except around eap_connect and the loop tail); the code is reproduced
    as shown with the gaps marked. Verify against the source file.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # NOTE(review): gutter line 2378 missing; presumably `for i in groups:` -- the lines below use `i`.
    logger.info("Group %d" % i)
    params['pwd_group'] = str(i)
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): gutter line 2382 missing; presumably a `try:` matching the BoringSSL handling below.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                password="secret password")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # NOTE(review): gutter line 2388 missing; presumably the except clause.
    if "BoringSSL" in tls and i in [ 25 ]:
        logger.info("Ignore connection failure with group %d with BoringSSL" % i)
        dev[0].request("DISCONNECT")
        # NOTE(review): gutter line 2392 missing here.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
    # NOTE(review): gutter lines 2395-2397 missing (loop tail).
2398 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2399 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2400 check_eap_capa(dev[0], "PWD")
2401 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2402 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2403 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2404 params['pwd_group'] = "0"
2405 hostapd.add_ap(apdev[0]['ifname'], params)
2406 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2407 identity="pwd user", password="secret password",
2408 scan_freq="2412", wait_connect=False)
2409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2411 raise Exception("Timeout on EAP failure report")
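def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    Runs an EAP-pwd exchange (group 19) against the hostapd internal EAP
    server configured with a small fragment_size (40) so that the server
    side must fragment its EAP-pwd messages, and checks that the client
    still completes authentication.
    """
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is spelled out explicitly so that pwd_group and
    # the server-side fragment_size are set. The former call to
    # hostapd.wpa2_eap_params() was dead code -- its result was overwritten
    # on the very next line -- and has been removed.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")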
2424 def test_ap_wpa2_eap_gpsk(dev, apdev):
2425 """WPA2-Enterprise connection using EAP-GPSK"""
2426 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2427 hostapd.add_ap(apdev[0]['ifname'], params)
2428 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2429 password="abcdefghijklmnop0123456789abcdef")
2430 eap_reauth(dev[0], "GPSK")
2432 logger.info("Test forced algorithm selection")
2433 for phase1 in [ "cipher=1", "cipher=2" ]:
2434 dev[0].set_network_quoted(id, "phase1", phase1)
2435 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2437 raise Exception("EAP success timed out")
2438 dev[0].wait_connected(timeout=10)
2440 logger.info("Test failed algorithm negotiation")
2441 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2444 raise Exception("EAP failure timed out")
2446 logger.info("Negative test with incorrect password")
2447 dev[0].request("REMOVE_NETWORK all")
2448 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2449 password="ffcdefghijklmnop0123456789abcdef",
2450 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates with the 64-hex-digit (32-byte) EAP-SAKE secret, forces a
    reauthentication, and then confirms that a secret whose first byte is
    changed (0x01 -> 0xff) is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    # Positive path plus reauthentication with the correct secret.
    eap_connect(sta, apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same length, first byte differs: the server must reject it.
    eap_connect(sta, apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
2466 def test_ap_wpa2_eap_eke(dev, apdev):
2467 """WPA2-Enterprise connection using EAP-EKE"""
2468 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2469 hostapd.add_ap(apdev[0]['ifname'], params)
2470 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2471 eap_reauth(dev[0], "EKE")
2473 logger.info("Test forced algorithm selection")
2474 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2475 "dhgroup=4 encr=1 prf=2 mac=2",
2476 "dhgroup=3 encr=1 prf=2 mac=2",
2477 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2478 dev[0].set_network_quoted(id, "phase1", phase1)
2479 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2481 raise Exception("EAP success timed out")
2482 dev[0].wait_connected(timeout=10)
2484 logger.info("Test failed algorithm negotiation")
2485 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2486 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2488 raise Exception("EAP failure timed out")
2490 logger.info("Negative test with incorrect password")
2491 dev[0].request("REMOVE_NETWORK all")
2492 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2493 expect_failure=True)
2495 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2496 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
2497 if not params['long']:
2498 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2499 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2500 hostapd.add_ap(apdev[0]['ifname'], params)
2503 for i in range(100):
2505 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2506 identity="eke user", password="hello",
2507 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2508 scan_freq="2412", wait_connect=False)
2510 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2511 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2513 raise Exception("No connected/disconnected event")
2514 if "CTRL-EVENT-DISCONNECTED" in ev:
2516 # The RADIUS server limits on active sessions can be hit when
2517 # going through this test case, so try to give some more time
2518 # for the server to remove sessions.
2519 logger.info("Failed to connect i=%d j=%d" % (i, j))
2520 dev[j].request("REMOVE_NETWORK all")
2524 dev[j].request("REMOVE_NETWORK all")
2525 dev[j].wait_disconnected()
2526 dev[j].dump_monitor()
2527 logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Runs the internal EAP server with server_id set to an NAI-style value
    ("example.server@w1.fi") and checks that an EAP-EKE authentication
    still succeeds.
    """
    ap_cfg = int_eap_server_params()
    # NAI form (user@realm) of the server identity.
    ap_cfg['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2536 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2537 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2538 params = int_eap_server_params()
2539 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2540 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2542 for count,func in [ (1, "eap_eke_build_commit"),
2543 (2, "eap_eke_build_commit"),
2544 (3, "eap_eke_build_commit"),
2545 (1, "eap_eke_build_confirm"),
2546 (2, "eap_eke_build_confirm"),
2547 (1, "eap_eke_process_commit"),
2548 (2, "eap_eke_process_commit"),
2549 (1, "eap_eke_process_confirm"),
2550 (1, "eap_eke_process_identity"),
2551 (2, "eap_eke_process_identity"),
2552 (3, "eap_eke_process_identity"),
2553 (4, "eap_eke_process_identity") ]:
2554 with alloc_fail(hapd, count, func):
2555 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2556 expect_failure=True)
2557 dev[0].request("REMOVE_NETWORK all")
2559 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2560 (1, "eap_eke_get_session_id", "hello"),
2561 (1, "eap_eke_getKey", "hello"),
2562 (1, "eap_eke_build_msg", "hello"),
2563 (1, "eap_eke_build_failure", "wrong"),
2564 (1, "eap_eke_build_identity", "hello"),
2565 (2, "eap_eke_build_identity", "hello") ]:
2566 with alloc_fail(hapd, count, func):
2567 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2568 eap="EKE", identity="eke user", password=pw,
2569 wait_connect=False, scan_freq="2412")
2570 # This would eventually time out, but we can stop after having
2571 # reached the allocation failure.
2574 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2576 dev[0].request("REMOVE_NETWORK all")
2578 for count in range(1, 1000):
2580 with alloc_fail(hapd, count, "eap_server_sm_step"):
2581 dev[0].connect("test-wpa2-eap",
2582 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2583 eap="EKE", identity="eke user", password=pw,
2584 wait_connect=False, scan_freq="2412")
2585 # This would eventually time out, but we can stop after having
2586 # reached the allocation failure.
2589 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2591 dev[0].request("REMOVE_NETWORK all")
2592 except Exception, e:
2593 if str(e) == "Allocation failure did not trigger":
2595 raise Exception("Too few allocation failures")
2596 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Covers a plain EAP-IKEv2 authentication plus reauthentication, the same
    exchange with the client network parameter fragment_size=50, a negative
    case with a wrong password, and finally fragment_size=0.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    sta = dev[0]
    identity = "ikev2 user"

    # Baseline: authenticate, then force a reauthentication.
    eap_connect(sta, apdev[0], "IKEV2", identity, password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    # Same credentials with a small fragment size on the client side.
    eap_connect(sta, apdev[0], "IKEV2", identity,
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # "ike-password" differs from the configured "ike password" and must be
    # rejected.
    eap_connect(sta, apdev[0], "IKEV2", identity,
                password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # fragment_size=0 -- NOTE(review): presumably the "no fragmentation" /
    # special-case value; confirm in the supplicant's config handling.
    eap_connect(sta, apdev[0], "IKEV2", identity,
                password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
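def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    Runs EAP-IKEv2 against the hostapd internal EAP server configured with
    a small fragment_size (50) so the server must fragment its messages,
    then checks that both the initial authentication and a reauthentication
    succeed.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is spelled out explicitly so that the server-side
    # fragment_size is set. The former call to hostapd.wpa2_eap_params() was
    # dead code -- its result was overwritten on the very next line -- and
    # has been removed.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")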
2636 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2637 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2638 check_eap_capa(dev[0], "IKEV2")
2639 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2640 hostapd.add_ap(apdev[0]['ifname'], params)
2642 tests = [ (1, "dh_init"),
2644 (1, "dh_derive_shared") ]
2645 for count, func in tests:
2646 with alloc_fail(dev[0], count, func):
2647 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2648 identity="ikev2 user", password="ike password",
2649 wait_connect=False, scan_freq="2412")
2650 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2652 raise Exception("EAP method not selected")
2654 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2657 dev[0].request("REMOVE_NETWORK all")
2659 tests = [ (1, "os_get_random;dh_init") ]
2660 for count, func in tests:
2661 with fail_test(dev[0], count, func):
2662 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2663 identity="ikev2 user", password="ike password",
2664 wait_connect=False, scan_freq="2412")
2665 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2667 raise Exception("EAP method not selected")
2669 if "0:" in dev[0].request("GET_FAIL"):
2672 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates with the 32-hex-digit (16-byte) EAP-PAX key, forces a
    reauthentication, and then confirms that a key whose first byte is
    changed (0x01 -> 0xff) is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    identity = "pax.user@example.com"

    eap_connect(sta, apdev[0], "PAX", identity,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same length, first byte differs: must fail.
    eap_connect(sta, apdev[0], "PAX", identity,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for the SHA-256 based AKM (WPA-EAP-SHA256) with
    management frame protection required (ieee80211w=2). After connecting,
    the test verifies the MIB-reported AKM selector, the BSS table flags,
    and that a wrong 16-byte PSK is rejected.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_cfg["ieee80211w"] = "2"   # PMF required
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    sta = dev[0]
    identity = "psk.user@example.com"

    eap_connect(sta, apdev[0], "PSK", identity,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)

    # 00-0f-ac-5 is the AKM selector that corresponds to the WPA-EAP-SHA256
    # key management configured above; requested and selected must agree.
    akm_sha256 = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", akm_sha256),
                     ("dot11RSNAAuthenticationSuiteSelected", akm_sha256) ])

    bss_entry = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # First byte of the PSK changed (0x01 -> 0xff): must fail.
    eap_connect(sta, apdev[0], "PSK", identity,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2712 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2713 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2714 skip_with_fips(dev[0])
2715 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2716 hostapd.add_ap(apdev[0]['ifname'], params)
2717 tests = [ (1, "=aes_128_eax_encrypt"),
2718 (1, "=aes_128_eax_decrypt") ]
2719 for count, func in tests:
2720 with alloc_fail(dev[0], count, func):
2721 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2722 identity="psk.user@example.com",
2723 password_hex="0123456789abcdef0123456789abcdef",
2724 wait_connect=False, scan_freq="2412")
2725 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2727 raise Exception("EAP method not selected")
2728 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
2729 note="Failure not triggered: %d:%s" % (count, func))
2730 dev[0].request("REMOVE_NETWORK all")
2731 dev[0].wait_disconnected()
2733 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2734 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2735 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2736 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2737 (1, "omac1_aes_vector"),
2738 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2739 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2740 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2741 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
2742 for count, func in tests:
2743 with fail_test(dev[0], count, func):
2744 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2745 identity="psk.user@example.com",
2746 password_hex="0123456789abcdef0123456789abcdef",
2747 wait_connect=False, scan_freq="2412")
2748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2750 raise Exception("EAP method not selected")
2751 wait_fail_trigger(dev[0], "GET_FAIL",
2752 note="Failure not triggered: %d:%s" % (count, func))
2753 dev[0].request("REMOVE_NETWORK all")
2754 dev[0].wait_disconnected()
2756 with fail_test(dev[0], 1, "aes_128_encrypt_block"):
2757 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2758 identity="psk.user@example.com",
2759 password_hex="0123456789abcdef0123456789abcdef",
2760 wait_connect=False, scan_freq="2412")
2761 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2763 raise Exception("EAP method failure not reported")
2764 dev[0].request("REMOVE_NETWORK all")
2765 dev[0].wait_disconnected()
2767 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2768 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2769 check_eap_capa(dev[0], "MSCHAPV2")
2770 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2772 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2773 identity="user", password="password", phase2="auth=MSCHAPV2",
2774 ca_cert="auth_serv/ca.pem", wait_connect=False,
2776 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2777 hwsim_utils.test_connectivity(dev[0], hapd)
2778 eap_reauth(dev[0], "PEAP", rsn=False)
2779 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2780 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2781 status = dev[0].get_status(extra="VERBOSE")
2782 if 'portControl' not in status:
2783 raise Exception("portControl missing from STATUS-VERBOSE")
2784 if status['portControl'] != 'Auto':
2785 raise Exception("Unexpected portControl value: " + status['portControl'])
2786 if 'eap_session_id' not in status:
2787 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2788 if not status['eap_session_id'].startswith("19"):
2789 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2791 def test_ap_wpa2_eap_interactive(dev, apdev):
2792 """WPA2-Enterprise connection using interactive identity/password entry"""
2793 check_eap_capa(dev[0], "MSCHAPV2")
2794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2795 hostapd.add_ap(apdev[0]['ifname'], params)
2796 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2798 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2799 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2801 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2802 "TTLS", "ttls", None, "auth=MSCHAPV2",
2803 "DOMAIN\mschapv2 user", "password"),
2804 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2805 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2806 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2807 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2808 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2809 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2810 ("Connection with dynamic PEAP/EAP-GTC password entry",
2811 "PEAP", None, "user", "auth=GTC", None, "password") ]
2812 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2814 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2815 anonymous_identity=anon, identity=identity,
2816 ca_cert="auth_serv/ca.pem", phase2=phase2,
2817 wait_connect=False, scan_freq="2412")
2819 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2821 raise Exception("Request for identity timed out")
2822 id = ev.split(':')[0].split('-')[-1]
2823 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2824 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2826 raise Exception("Request for password timed out")
2827 id = ev.split(':')[0].split('-')[-1]
2828 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2829 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2830 dev[0].wait_connected(timeout=10)
2831 dev[0].request("REMOVE_NETWORK all")
2833 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2834 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2835 check_eap_capa(dev[0], "MSCHAPV2")
2836 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2837 hostapd.add_ap(apdev[0]['ifname'], params)
2838 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2840 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2841 only_add_network=True)
2843 req_id = "DOMAIN\mschapv2 user"
2844 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2845 anonymous_identity="ttls", identity=None,
2846 password="password",
2847 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2848 wait_connect=False, scan_freq="2412")
2849 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2851 raise Exception("Request for identity timed out")
2852 id = ev.split(':')[0].split('-')[-1]
2853 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2854 dev[0].wait_connected(timeout=10)
2856 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2857 raise Exception("Failed to enable network")
2858 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2860 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2861 dev[0].request("REMOVE_NETWORK all")
2863 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2864 """WPA2-Enterprise connection using EAP vendor test"""
2865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2866 hostapd.add_ap(apdev[0]['ifname'], params)
2867 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2868 eap_reauth(dev[0], "VENDOR-TEST")
2869 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2872 def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
2873 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
2874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2875 hostapd.add_ap(apdev[0]['ifname'], params)
2877 tests = [ "eap_vendor_test_init",
2878 "eap_msg_alloc;eap_vendor_test_process",
2879 "eap_vendor_test_getKey" ]
2881 with alloc_fail(dev[0], 1, func):
2882 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
2884 eap="VENDOR-TEST", identity="vendor-test",
2886 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
2887 dev[0].request("REMOVE_NETWORK all")
2888 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    The client uses a blob-backed PAC store (blob://fast_pac) and
    fast_provisioning=1 (unauthenticated provisioning); after connecting
    and verifying data connectivity, a reauthentication must report TLS
    session reuse, i.e. the PAC obtained during provisioning was used.

    NOTE(review): unauthenticated provisioning is exercised here as a test
    scenario. Since that exchange gives the client no assurance about who
    issued its PAC, production deployments should prefer authenticated
    provisioning.
    """
    check_eap_capa(dev[0], "FAST")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    sta = dev[0]
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)

    # The reauthentication must resume the TLS session via the PAC.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2904 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2905 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2906 check_eap_capa(dev[0], "FAST")
2907 pac_file = os.path.join(params['logdir'], "fast.pac")
2908 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2909 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2910 hostapd.add_ap(apdev[0]['ifname'], params)
2913 eap_connect(dev[0], apdev[0], "FAST", "user",
2914 anonymous_identity="FAST", password="password",
2915 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2916 phase1="fast_provisioning=1", pac_file=pac_file)
2917 with open(pac_file, "r") as f:
2919 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2920 raise Exception("PAC file header missing")
2921 if "PAC-Key=" not in data:
2922 raise Exception("PAC-Key missing from PAC file")
2923 dev[0].request("REMOVE_NETWORK all")
2924 eap_connect(dev[0], apdev[0], "FAST", "user",
2925 anonymous_identity="FAST", password="password",
2926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2929 eap_connect(dev[1], apdev[0], "FAST", "user",
2930 anonymous_identity="FAST", password="password",
2931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2932 phase1="fast_provisioning=1 fast_pac_format=binary",
2934 dev[1].request("REMOVE_NETWORK all")
2935 eap_connect(dev[1], apdev[0], "FAST", "user",
2936 anonymous_identity="FAST", password="password",
2937 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2938 phase1="fast_pac_format=binary",
2946 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC into blob://fast_pac_bin using the binary PAC format
    with the PAC list capped at one entry, confirms that a reauthentication
    reuses the TLS session (the PAC was used), and then repeats the
    provisioning with fast_max_pac_list_len=0 to cover that special-case
    value.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    sta = dev[0]
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    # Binary PAC with the list limited to a single entry.
    eap_connect(sta, apdev[0], "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    if eap_reauth(sta, "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, apdev[0], "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
2973 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2974 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2975 check_eap_capa(dev[0], "FAST")
2976 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2977 hostapd.add_ap(apdev[0]['ifname'], params)
2979 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2980 identity="user", anonymous_identity="FAST",
2981 password="password",
2982 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2983 pac_file="blob://fast_pac_not_in_use",
2984 wait_connect=False, scan_freq="2412")
2985 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2987 raise Exception("Timeout on EAP failure report")
2988 dev[0].request("REMOVE_NETWORK all")
2990 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2991 identity="user", anonymous_identity="FAST",
2992 password="password",
2993 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2994 wait_connect=False, scan_freq="2412")
2995 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2997 raise Exception("Timeout on EAP failure report")
2999 def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
3000 """EAP-FAST and binary PAC errors"""
3001 check_eap_capa(dev[0], "FAST")
3002 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3003 hostapd.add_ap(apdev[0]['ifname'], params)
3005 tests = [ (1, "=eap_fast_save_pac_bin"),
3006 (1, "eap_fast_write_pac"),
3007 (2, "eap_fast_write_pac"), ]
3008 for count, func in tests:
3009 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
3010 raise Exception("Could not set blob")
3012 with alloc_fail(dev[0], count, func):
3013 eap_connect(dev[0], apdev[0], "FAST", "user",
3014 anonymous_identity="FAST", password="password",
3015 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3016 phase1="fast_provisioning=1 fast_pac_format=binary",
3017 pac_file="blob://fast_pac_bin_errors")
3018 dev[0].request("REMOVE_NETWORK all")
3019 dev[0].wait_disconnected()
3021 tests = [ "00", "000000000000", "6ae4920c0001",
3023 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3024 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3025 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3026 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3028 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
3029 raise Exception("Could not set blob")
3031 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3032 identity="user", anonymous_identity="FAST",
3033 password="password",
3034 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3035 phase1="fast_provisioning=1 fast_pac_format=binary",
3036 pac_file="blob://fast_pac_bin_errors",
3037 scan_freq="2412", wait_connect=False)
3038 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3041 raise Exception("Failure not reported")
3042 dev[0].request("REMOVE_NETWORK all")
3043 dev[0].wait_disconnected()
3045 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3046 tests = [ (1, "eap_fast_load_pac_bin"),
3047 (2, "eap_fast_load_pac_bin"),
3048 (3, "eap_fast_load_pac_bin") ]
3049 for count, func in tests:
3050 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3051 raise Exception("Could not set blob")
3053 with alloc_fail(dev[0], count, func):
3054 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3055 identity="user", anonymous_identity="FAST",
3056 password="password",
3057 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3058 phase1="fast_provisioning=1 fast_pac_format=binary",
3059 pac_file="blob://fast_pac_bin_errors",
3060 scan_freq="2412", wait_connect=False)
3061 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3064 raise Exception("Failure not reported")
3065 dev[0].request("REMOVE_NETWORK all")
3066 dev[0].wait_disconnected()
3068 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3069 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3070 raise Exception("Could not set blob")
3072 eap_connect(dev[0], apdev[0], "FAST", "user",
3073 anonymous_identity="FAST", password="password",
3074 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3075 phase1="fast_provisioning=1 fast_pac_format=binary",
3076 pac_file="blob://fast_pac_bin_errors")
3077 dev[0].request("REMOVE_NETWORK all")
3078 dev[0].wait_disconnected()
3080 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3081 tests = [ (1, "eap_fast_pac_get_a_id"),
3082 (2, "eap_fast_pac_get_a_id") ]
3083 for count, func in tests:
3084 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3085 raise Exception("Could not set blob")
3086 with alloc_fail(dev[0], count, func):
3087 eap_connect(dev[0], apdev[0], "FAST", "user",
3088 anonymous_identity="FAST", password="password",
3089 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3090 phase1="fast_provisioning=1 fast_pac_format=binary",
3091 pac_file="blob://fast_pac_bin_errors")
3092 dev[0].request("REMOVE_NETWORK all")
3093 dev[0].wait_disconnected()
3095 def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
3096 """EAP-FAST and text PAC errors"""
3097 check_eap_capa(dev[0], "FAST")
3098 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3099 hostapd.add_ap(apdev[0]['ifname'], params)
3101 tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3102 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3103 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3104 (1, "eap_fast_parse_start"),
3105 (1, "eap_fast_save_pac") ]
3106 for count, func in tests:
3107 dev[0].request("FLUSH")
3108 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3109 raise Exception("Could not set blob")
3111 with alloc_fail(dev[0], count, func):
3112 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3113 identity="user", anonymous_identity="FAST",
3114 password="password",
3115 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3116 phase1="fast_provisioning=1",
3117 pac_file="blob://fast_pac_text_errors",
3118 scan_freq="2412", wait_connect=False)
3119 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3120 dev[0].request("REMOVE_NETWORK all")
3121 dev[0].wait_disconnected()
3123 pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
3127 if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
3128 raise Exception("Could not set blob")
3130 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3131 identity="user", anonymous_identity="FAST",
3132 password="password",
3133 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3134 phase1="fast_provisioning=1",
3135 pac_file="blob://fast_pac_text_errors",
3136 scan_freq="2412", wait_connect=False)
3137 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
3139 raise Exception("Failure not reported")
3140 dev[0].request("REMOVE_NETWORK all")
3141 dev[0].wait_disconnected()
3143 dev[0].request("FLUSH")
3144 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3145 raise Exception("Could not set blob")
3147 with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
3149 params = int_eap_server_params()
3150 params['ssid'] = "test-wpa2-eap-2"
3151 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3152 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3153 params['eap_fast_a_id_info'] = "test server %d" % i
3155 hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)
3157 dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
3158 identity="user", anonymous_identity="FAST",
3159 password="password",
3160 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3161 phase1="fast_provisioning=1",
3162 pac_file="blob://fast_pac_text_errors",
3163 scan_freq="2412", wait_connect=False)
3164 dev[0].wait_connected()
3165 dev[0].request("REMOVE_NETWORK all")
3166 dev[0].wait_disconnected()
3170 def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
3171 """EAP-FAST and PAC list truncation"""
3172 check_eap_capa(dev[0], "FAST")
# Start from an empty PAC blob so every provisioning run below appends to it.
3173 if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
3174 raise Exception("Could not set blob")
# NOTE(review): `i` is the variable of an enclosing loop whose line is not
# present in this listing (gutter gap at 3175); each round presumably brings
# up a server with a distinct A-ID and PAC-Opaque key so that a new PAC is
# provisioned each time.
3176 params = int_eap_server_params()
3177 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3178 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3179 params['eap_fast_a_id_info'] = "test server %d" % i
3180 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# fast_max_pac_list_len=2 bounds the client-side PAC list; the docstring's
# "truncation" refers to older entries being dropped once that bound is hit.
3182 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3183 identity="user", anonymous_identity="FAST",
3184 password="password",
3185 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3186 phase1="fast_provisioning=1 fast_max_pac_list_len=2",
3187 pac_file="blob://fast_pac_truncate",
3188 scan_freq="2412", wait_connect=False)
3189 dev[0].wait_connected()
3190 dev[0].request("REMOVE_NETWORK all")
3191 dev[0].wait_disconnected()
3195 def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
3196 """EAP-FAST and PAC refresh"""
3197 check_eap_capa(dev[0], "FAST")
3198 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3199 raise Exception("Could not set blob")
# NOTE(review): `i` comes from an enclosing loop whose header is not in this
# listing (gutter gap at 3200). First pass: a short refresh time (1 s) against
# a 10 s lifetime, so the server should hand out a fresh PAC on reconnect.
3201 params = int_eap_server_params()
3202 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3203 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3204 params['eap_fast_a_id_info'] = "test server %d" % i
3205 params['pac_key_refresh_time'] = "1"
3206 params['pac_key_lifetime'] = "10"
3207 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3209 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3210 identity="user", anonymous_identity="FAST",
3211 password="password",
3212 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3213 phase1="fast_provisioning=1",
3214 pac_file="blob://fast_pac_refresh",
3215 scan_freq="2412", wait_connect=False)
3216 dev[0].wait_connected()
3217 dev[0].request("REMOVE_NETWORK all")
3218 dev[0].wait_disconnected()
# Second pass: refresh time equal to the lifetime (10 s / 10 s); lines between
# the two passes (3219-3222) are not in this listing.
3223 params = int_eap_server_params()
3224 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3225 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3226 params['eap_fast_a_id_info'] = "test server %d" % i
3227 params['pac_key_refresh_time'] = "10"
3228 params['pac_key_lifetime'] = "10"
3229 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3231 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3232 identity="user", anonymous_identity="FAST",
3233 password="password",
3234 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3235 phase1="fast_provisioning=1",
3236 pac_file="blob://fast_pac_refresh",
3237 scan_freq="2412", wait_connect=False)
3238 dev[0].wait_connected()
3239 dev[0].request("REMOVE_NETWORK all")
3240 dev[0].wait_disconnected()
3244 def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
3245 """EAP-FAST and PAC lifetime"""
3246 check_eap_capa(dev[0], "FAST")
3247 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3248 raise Exception("Could not set blob")
# Refresh disabled (0) and a 2 s lifetime: the PAC provisioned on the first
# connection is meant to be expired by the time it is reused below.
# NOTE(review): `i` is assigned on a line not present in this listing
# (gutter gap 3249-3250).
3251 params = int_eap_server_params()
3252 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3253 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3254 params['eap_fast_a_id_info'] = "test server %d" % i
3255 params['pac_key_refresh_time'] = "0"
3256 params['pac_key_lifetime'] = "2"
3257 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3259 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3260 identity="user", anonymous_identity="FAST",
3261 password="password",
3262 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3263 phase1="fast_provisioning=2",
3264 pac_file="blob://fast_pac_refresh",
3265 scan_freq="2412", wait_connect=False)
3266 dev[0].wait_connected()
3267 dev[0].request("DISCONNECT")
3268 dev[0].wait_disconnected()
# Flush the PMKSA cache so the reconnect must run full EAP again with the
# (now expired) PAC instead of a cached PMK; the server is expected to
# reject the stale PAC with EAP-Failure. A wait (3269-3270) and the `ev is
# None` guard before the raise (3274) are not in this listing.
3271 dev[0].request("PMKSA_FLUSH")
3272 dev[0].request("RECONNECT")
3273 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3275 raise Exception("No EAP-Failure seen after expired PAC")
3276 dev[0].request("DISCONNECT")
3277 dev[0].wait_disconnected()
# After the failure the supplicant should fall back to provisioning a new
# PAC and connect successfully.
3279 dev[0].select_network(id)
3280 dev[0].wait_connected()
3281 dev[0].request("REMOVE_NETWORK all")
3282 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Authenticated provisioning (fast_provisioning=2) of a PAC that is kept
    # in a configuration blob; GTC is the inner method.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The reauthentication has to resume the TLS session through the
    # freshly provisioned PAC (session ticket), otherwise provisioning
    # did not actually take effect.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3298 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
3299 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3300 check_eap_capa(dev[0], "FAST")
3301 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3302 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3303 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3304 anonymous_identity="FAST", password="password",
3305 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3306 phase1="fast_provisioning=2",
3307 pac_file="blob://fast_pac_auth",
3308 pac_file="blob://fast_pac_auth")
# Changing the identity of an already-connected network profile forces a
# reconnect; the PAC provisioned for "user" must not let "user2" (no valid
# credentials) in, so EAP-FAST is expected to start and then fail.
# NOTE(review): the `if ev is None:` guards before both raises (gutter 3311
# and 3314) are not present in this listing.
3308 dev[0].set_network_quoted(id, "identity", "user2")
3309 dev[0].wait_disconnected()
3310 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
3312 raise Exception("EAP-FAST not started")
3313 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
3315 raise Exception("EAP failure not reported")
3316 dev[0].wait_disconnected()
3318 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
3319 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3320 check_eap_capa(dev[0], "FAST")
# Pick the TLS-library-specific PRF function whose allocation will be made
# to fail. NOTE(review): the `count` assignments in each branch and the
# `else:` keyword (gutter 3324, 3327-3328) are not present in this listing.
3321 tls = dev[0].request("GET tls_library")
3322 if tls.startswith("OpenSSL"):
3323 func = "openssl_tls_prf"
3325 elif tls.startswith("internal"):
3326 func = "tls_connection_prf"
3329 raise HwsimSkip("Unsupported TLS library")
3330 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3331 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# An allocation failure inside key derivation must surface as a clean EAP
# failure rather than a crash or a connection with bad keys.
3332 with alloc_fail(dev[0], count, func):
3333 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3334 identity="user", anonymous_identity="FAST",
3335 password="password", ca_cert="auth_serv/ca.pem",
3337 phase1="fast_provisioning=2",
3338 pac_file="blob://fast_pac_auth",
3339 wait_connect=False, scan_freq="2412")
3340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
3342 raise Exception("EAP failure not reported")
3343 dev[0].request("DISCONNECT")
3345 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
3346 """EAP-FAST/MSCHAPv2 and server OOM"""
3347 check_eap_capa(dev[0], "FAST")
# Internal EAP server with a fixed PAC-Opaque key and A-ID (test fixtures).
3349 params = int_eap_server_params()
3350 params['dh_file'] = 'auth_serv/dh.conf'
3351 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3352 params['eap_fast_a_id'] = '1011'
3353 params['eap_fast_a_id_info'] = 'another test server'
3354 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failure in the server's session-ticket extension callback:
# the handshake must end in EAP-Failure on the client side.
# NOTE(review): the `if ev is None:` guard before the raise (gutter 3364)
# is not present in this listing.
3356 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
3357 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3358 anonymous_identity="FAST", password="password",
3359 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3360 phase1="fast_provisioning=1",
3361 pac_file="blob://fast_pac",
3362 expect_failure=True)
3363 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3365 raise Exception("No EAP failure reported")
3366 dev[0].wait_disconnected()
3367 dev[0].request("DISCONNECT")
# Once the fault injection is over, the same profile is expected to work.
3369 dev[0].select_network(id, freq="2412")
3371 def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3372 """EAP-FAST and different TLS cipher suites"""
3373 check_eap_capa(dev[0], "FAST")
# openssl_ciphers is an OpenSSL-specific network parameter.
3374 tls = dev[0].request("GET tls_library")
3375 if not tls.startswith("OpenSSL"):
3376 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3378 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3379 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Provisioning run with an empty PAC blob; the anonymous provisioning
# tunnel is expected to negotiate DHE-RSA-AES256-SHA.
3381 dev[0].request("SET blob fast_pac_ciphers ")
3382 eap_connect(dev[0], apdev[0], "FAST", "user",
3383 anonymous_identity="FAST", password="password",
3384 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3385 phase1="fast_provisioning=2",
3386 pac_file="blob://fast_pac_ciphers")
3387 res = dev[0].get_status_field('EAP TLS cipher')
3388 dev[0].request("REMOVE_NETWORK all")
3389 dev[0].wait_disconnected()
3390 if res != "DHE-RSA-AES256-SHA":
3391 raise Exception("Unexpected cipher suite for provisioning: " + res)
# Subsequent PAC-based connections pin one cipher suite at a time and check
# that the negotiated suite matches. NOTE(review): the list entries between
# the first and last element (gutter 3394-3396) and the `if res != cipher:`
# guard before the final raise (3407) are not present in this listing.
3393 tests = [ "DHE-RSA-AES128-SHA",
3397 "DHE-RSA-AES256-SHA" ]
3398 for cipher in tests:
3399 eap_connect(dev[0], apdev[0], "FAST", "user",
3400 openssl_ciphers=cipher,
3401 anonymous_identity="FAST", password="password",
3402 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3403 pac_file="blob://fast_pac_ciphers")
3404 res = dev[0].get_status_field('EAP TLS cipher')
3405 dev[0].request("REMOVE_NETWORK all")
3406 dev[0].wait_disconnected()
3408 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client credentials come from a PKCS#12 bundle; ocsp=2 makes a valid
    # stapled OCSP response for the server certificate a requirement for
    # the connection to succeed.
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     private_key="auth_serv/user.pkcs12",
                     private_key_passwd="whatever",
                     ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_creds)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same credentials and OCSP requirement as test_ap_wpa2_eap_tls_ocsp;
    # only the capability check differs (multi-response support).
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     private_key="auth_serv/user.pkcs12",
                     private_key_passwd="whatever",
                     ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_creds)
3431 def int_eap_server_params():
# hostapd configuration for a WPA2-Enterprise AP that runs the integrated
# EAP server (eap_server=1) instead of forwarding to RADIUS: users from
# auth_serv/eap_user.conf, server credentials from auth_serv/server.*,
# CCMP pairwise cipher. Callers copy and adjust the dict as needed.
# NOTE(review): the `return params` line (gutter 3439) is not present in
# this listing.
3432 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3433 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3434 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3435 "ca_cert": "auth_serv/ca.pem",
3436 "server_cert": "auth_serv/server.pem",
3437 "private_key": "auth_serv/server.key",
3438 "dh_file": "auth_serv/dh.conf" }
3441 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3442 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3443 check_ocsp_support(dev[0])
# `params` here is the test-run parameter dict (logdir); a pre-generated
# OCSP response is expected there and the test is skipped if it is absent.
3444 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3445 if not os.path.exists(ocsp):
3446 raise HwsimSkip("No OCSP response available")
# From here on `params` is rebound to the AP configuration; the staple is
# served via ocsp_stapling_response.
3447 params = int_eap_server_params()
3448 params["ocsp_stapling_response"] = ocsp
3449 hostapd.add_ap(apdev[0]['ifname'], params)
# Positive case: a response whose signer is identified by key ID rather
# than by name must be accepted with ocsp=2 (required).
# NOTE(review): the tail of this call (gutter 3454) is not in this listing.
3450 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3451 identity="tls user", ca_cert="auth_serv/ca.pem",
3452 private_key="auth_serv/user.pkcs12",
3453 private_key_passwd="whatever", ocsp=2,
3456 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3457 """EAP-TLS and CA signed OCSP response (good)"""
3458 check_ocsp_support(dev[0])
# Pre-generated response signed directly by the CA; skip when not present.
3459 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3460 if not os.path.exists(ocsp):
3461 raise HwsimSkip("No OCSP response available")
3462 params = int_eap_server_params()
3463 params["ocsp_stapling_response"] = ocsp
3464 hostapd.add_ap(apdev[0]['ifname'], params)
# Status "good" with ocsp=2 (required): the connection is expected to
# succeed. NOTE(review): the tail of this call (gutter 3469) is not in
# this listing.
3465 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3466 identity="tls user", ca_cert="auth_serv/ca.pem",
3467 private_key="auth_serv/user.pkcs12",
3468 private_key_passwd="whatever", ocsp=2,
3471 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3472 """EAP-TLS and CA signed OCSP response (revoked)"""
3473 check_ocsp_support(dev[0])
3474 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3475 if not os.path.exists(ocsp):
3476 raise HwsimSkip("No OCSP response available")
3477 params = int_eap_server_params()
3478 params["ocsp_stapling_response"] = ocsp
3479 hostapd.add_ap(apdev[0]['ifname'], params)
# Negative case: a "revoked" status must abort the TLS handshake; the
# supplicant is expected to report the bad status and then EAP-Failure.
3480 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3481 identity="tls user", ca_cert="auth_serv/ca.pem",
3482 private_key="auth_serv/user.pkcs12",
3483 private_key_passwd="whatever", ocsp=2,
3484 wait_connect=False, scan_freq="2412")
# NOTE(review): this is the body of a status-event loop whose `while` header,
# counter updates, `break` and `if ev is None:` guards (gutter 3485-3486,
# 3488, 3491, 3493-3495, 3499) are not present in this listing. Both the
# generic "bad certificate status response" and the specific "certificate
# revoked" text are expected before the failure is accepted.
3487 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3489 raise Exception("Timeout on EAP status")
3490 if 'bad certificate status response' in ev:
3492 if 'certificate revoked' in ev:
3496 raise Exception("Unexpected number of EAP status messages")
3498 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3500 raise Exception("Timeout on EAP failure report")
3502 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3503 """EAP-TLS and CA signed OCSP response (unknown)"""
3504 check_ocsp_support(dev[0])
3505 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3506 if not os.path.exists(ocsp):
3507 raise HwsimSkip("No OCSP response available")
3508 params = int_eap_server_params()
3509 params["ocsp_stapling_response"] = ocsp
3510 hostapd.add_ap(apdev[0]['ifname'], params)
# With ocsp=2 an "unknown" status is as fatal as "revoked": an EAP failure
# is required. Compare test_ap_wpa2_eap_ttls_optional_ocsp_unknown, where
# ocsp=1 lets the same status through.
3511 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3512 identity="tls user", ca_cert="auth_serv/ca.pem",
3513 private_key="auth_serv/user.pkcs12",
3514 private_key_passwd="whatever", ocsp=2,
3515 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3516-3517, 3519, 3522-3524, 3528) are
# not present in this listing.
3518 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3520 raise Exception("Timeout on EAP status")
3521 if 'bad certificate status response' in ev:
3525 raise Exception("Unexpected number of EAP status messages")
3527 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3529 raise Exception("Timeout on EAP failure report")
3531 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3532 """EAP-TLS and server signed OCSP response"""
3533 check_ocsp_support(dev[0])
3534 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3535 if not os.path.exists(ocsp):
3536 raise HwsimSkip("No OCSP response available")
3537 params = int_eap_server_params()
3538 params["ocsp_stapling_response"] = ocsp
3539 hostapd.add_ap(apdev[0]['ifname'], params)
# A response signed by the server certificate itself is not an authorized
# responder; accepting it would let a server vouch for its own revocation
# status. The supplicant must treat it as a bad status and fail EAP.
3540 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3541 identity="tls user", ca_cert="auth_serv/ca.pem",
3542 private_key="auth_serv/user.pkcs12",
3543 private_key_passwd="whatever", ocsp=2,
3544 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3545-3546, 3548, 3551-3553, 3557) are
# not present in this listing.
3547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3549 raise Exception("Timeout on EAP status")
3550 if 'bad certificate status response' in ev:
3554 raise Exception("Unexpected number of EAP status messages")
3556 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3558 raise Exception("Timeout on EAP failure report")
3560 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3561 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3562 check_ocsp_support(dev[0])
# The AP staples an OCSP *request* (ocsp-req.der) where a response is
# expected: malformed status data must be rejected, not ignored.
3563 params = int_eap_server_params()
3564 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3565 hostapd.add_ap(apdev[0]['ifname'], params)
3566 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3567 identity="tls user", ca_cert="auth_serv/ca.pem",
3568 private_key="auth_serv/user.pkcs12",
3569 private_key_passwd="whatever", ocsp=2,
3570 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3571-3572, 3574, 3577-3579, 3583) are
# not present in this listing.
3573 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3575 raise Exception("Timeout on EAP status")
3576 if 'bad certificate status response' in ev:
3580 raise Exception("Unexpected number of EAP status messages")
3582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3584 raise Exception("Timeout on EAP failure report")
3586 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3587 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3588 check_ocsp_support(dev[0])
# A structurally present but invalid response (the "-invalid" fixture) must
# be treated as a bad status and make the handshake fail with ocsp=2.
3589 params = int_eap_server_params()
3590 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3591 hostapd.add_ap(apdev[0]['ifname'], params)
3592 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3593 identity="tls user", ca_cert="auth_serv/ca.pem",
3594 private_key="auth_serv/user.pkcs12",
3595 private_key_passwd="whatever", ocsp=2,
3596 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3597-3598, 3600, 3603-3605, 3609) are
# not present in this listing.
3599 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3601 raise Exception("Timeout on EAP status")
3602 if 'bad certificate status response' in ev:
3606 raise Exception("Unexpected number of EAP status messages")
3608 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3610 raise Exception("Timeout on EAP failure report")
3612 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
3613 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3614 check_ocsp_support(dev[0])
# The response is signed by a key the client does not trust. Even a "good"
# status from an unauthorized signer must not be accepted, otherwise anyone
# could forge revocation status.
3615 params = int_eap_server_params()
3616 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3617 hostapd.add_ap(apdev[0]['ifname'], params)
3618 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3619 identity="tls user", ca_cert="auth_serv/ca.pem",
3620 private_key="auth_serv/user.pkcs12",
3621 private_key_passwd="whatever", ocsp=2,
3622 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3623-3624, 3626, 3629-3631, 3635) are
# not present in this listing.
3625 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3627 raise Exception("Timeout on EAP status")
3628 if 'bad certificate status response' in ev:
3632 raise Exception("Unexpected number of EAP status messages")
3634 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3636 raise Exception("Timeout on EAP failure report")
3638 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
3639 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3640 check_ocsp_support(dev[0])
3641 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
3642 if not os.path.exists(ocsp):
3643 raise HwsimSkip("No OCSP response available")
3644 params = int_eap_server_params()
3645 params["ocsp_stapling_response"] = ocsp
3646 hostapd.add_ap(apdev[0]['ifname'], params)
# Same revocation check as the EAP-TLS variant, but through the TTLS tunnel
# with a password inner method (PAP): the revoked server certificate must
# stop the handshake before any inner credentials are sent.
3647 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3648 identity="pap user", ca_cert="auth_serv/ca.pem",
3649 anonymous_identity="ttls", password="password",
3650 phase2="auth=PAP", ocsp=2,
3651 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3652-3653, 3655, 3658, 3660-3662, 3666)
# are not present in this listing.
3654 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3656 raise Exception("Timeout on EAP status")
3657 if 'bad certificate status response' in ev:
3659 if 'certificate revoked' in ev:
3663 raise Exception("Unexpected number of EAP status messages")
3665 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3667 raise Exception("Timeout on EAP failure report")
3669 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
3670 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown (required OCSP)"""
3671 check_ocsp_support(dev[0])
3672 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
3673 if not os.path.exists(ocsp):
3674 raise HwsimSkip("No OCSP response available")
3675 params = int_eap_server_params()
3676 params["ocsp_stapling_response"] = ocsp
3677 hostapd.add_ap(apdev[0]['ifname'], params)
# ocsp=2 requires a definitive status; "unknown" must therefore fail the
# connection (the ocsp=1 variant below tolerates it).
3678 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3679 identity="pap user", ca_cert="auth_serv/ca.pem",
3680 anonymous_identity="ttls", password="password",
3681 phase2="auth=PAP", ocsp=2,
3682 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3683-3684, 3686, 3689-3691, 3695) are
# not present in this listing.
3685 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3687 raise Exception("Timeout on EAP status")
3688 if 'bad certificate status response' in ev:
3692 raise Exception("Unexpected number of EAP status messages")
3694 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3696 raise Exception("Timeout on EAP failure report")
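def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # Skip (rather than fail) on TLS libraries without OCSP support, the same
    # way the other OCSP tests in this file do.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the test-run parameters to the AP configuration.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=1 only requests stapling; an "unknown" status is not fatal, so
    # this connection is expected to complete (no wait_connect=False here).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")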
3711 def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
3712 """EAP-TLS with intermediate server/user CA"""
# Server side: certificate issued by an intermediate CA; ca-and-root.pem
# bundles the intermediate and the root so the full chain can be sent.
3713 params = int_eap_server_params()
3714 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3715 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3716 params["private_key"] = "auth_serv/iCA-server/server.key"
3717 hostapd.add_ap(apdev[0]['ifname'], params)
# Client side: a separate intermediate CA issues the user certificate;
# chain building on both ends must succeed for the connect to complete.
# NOTE(review): the tail of this call (gutter 3723) is not in this listing.
3718 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3719 identity="tls user",
3720 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3721 client_cert="auth_serv/iCA-user/user.pem",
3722 private_key="auth_serv/iCA-user/user.key",
3725 def root_ocsp(cert):
# Produce an OCSP response for `cert` as issued by the root CA, using the
# openssl command-line responder, and return the path of the DER response
# file (the temp-file close/return lines, gutter 3727-3730, 3736-3741,
# 3750-3754, are not present in this listing).
3726 ca = "auth_serv/ca.pem"
# Step 1: build the OCSP request into a temp file (no nonce, SHA-256).
3728 fd2, fn2 = tempfile.mkstemp()
3731 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3732 "-no_nonce", "-sha256", "-text" ]
# Argument list form, so no shell parsing of the paths.
3733 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3734 stderr=subprocess.PIPE)
# NOTE(review): reading stdout to EOF before stderr can block if the child
# fills the stderr pipe first; communicate() would avoid that. Also assumes
# Python 2 str semantics for the bytes/str concatenation.
3735 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3738 logger.info("OCSP request:\n" + res)
# Step 2: answer the request as the CA itself (-rsigner/-rkey), valid for
# 7 days, without embedding signer certificates (-resp_no_certs) -- the
# verifier must therefore already trust the CA.
3740 fd, fn = tempfile.mkstemp()
3742 arg = [ "openssl", "ocsp", "-index", "rootCA/index.txt",
3743 "-rsigner", ca, "-rkey", "auth_serv/caa-key.pem",
3744 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3745 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3747 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3748 stderr=subprocess.PIPE)
3749 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3752 logger.info("OCSP response:\n" + res)
# NOTE(review): the `def` line of this helper (gutter 3756) is not present
# in this listing; from the call sites below (ica_ocsp("server.pem")) this is
# presumably the body of ica_ocsp(cert). Same two-step openssl flow as
# root_ocsp, but the issuer is the intermediate server CA and `cert` is a
# file name relative to auth_serv/iCA-server/.
3757 prefix = "auth_serv/iCA-server/"
3758 ca = prefix + "cacert.pem"
3759 cert = prefix + cert
# Step 1: OCSP request for the intermediate-issued certificate.
3761 fd2, fn2 = tempfile.mkstemp()
3764 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3765 "-no_nonce", "-sha256", "-text" ]
3766 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3767 stderr=subprocess.PIPE)
# NOTE(review): sequential stdout/stderr reads can block if stderr fills
# first; communicate() is the usual remedy.
3768 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3771 logger.info("OCSP request:\n" + res)
# Step 2: respond as the intermediate CA using its own private key; the
# response carries no certificates, so trust in the intermediate must
# already be established on the verifying side.
3773 fd, fn = tempfile.mkstemp()
3775 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
3776 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
3777 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3778 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3780 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3781 stderr=subprocess.PIPE)
3782 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3785 logger.info("OCSP response:\n" + res)
3789 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
3790 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
3791 params = int_eap_server_params()
3792 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3793 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3794 params["private_key"] = "auth_serv/iCA-server/server.key"
# Generate a fresh "good" response from the intermediate CA at test time and
# staple it; only the leaf certificate's status is covered here.
3795 fn = ica_ocsp("server.pem")
3796 params["ocsp_stapling_response"] = fn
3798 hostapd.add_ap(apdev[0]['ifname'], params)
# ocsp=2: the stapled response is required and must verify against the
# intermediate CA. NOTE(review): lines after this call (gutter 3805-3807)
# are not present in this listing.
3799 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3800 identity="tls user",
3801 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3802 client_cert="auth_serv/iCA-user/user.pem",
3803 private_key="auth_serv/iCA-user/user.key",
3804 scan_freq="2412", ocsp=2)
3808 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
3809 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
3810 params = int_eap_server_params()
3811 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
# The server presents a certificate that the intermediate CA has revoked;
# the freshly generated response therefore carries status "revoked".
3812 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
3813 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
3814 fn = ica_ocsp("server-revoked.pem")
3815 params["ocsp_stapling_response"] = fn
3817 hostapd.add_ap(apdev[0]['ifname'], params)
# Even with OCSP only optional (ocsp=1), an explicit "revoked" answer must
# abort the handshake -- optional means a missing response is tolerated,
# not a negative one.
3818 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3819 identity="tls user",
3820 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3821 client_cert="auth_serv/iCA-user/user.pem",
3822 private_key="auth_serv/iCA-user/user.key",
3823 scan_freq="2412", ocsp=1, wait_connect=False)
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3824-3825, 3828, 3833, 3835-3837, 3841)
# are not present in this listing. EAP-Success is waited on only so that it
# can be reported as a failure of the test.
3826 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3827 "CTRL-EVENT-EAP-SUCCESS"])
3829 raise Exception("Timeout on EAP status")
3830 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3831 raise Exception("Unexpected EAP-Success")
3832 if 'bad certificate status response' in ev:
3834 if 'certificate revoked' in ev:
3838 raise Exception("Unexpected number of EAP status messages")
3840 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3842 raise Exception("Timeout on EAP failure report")
3843 dev[0].request("REMOVE_NETWORK all")
3844 dev[0].wait_disconnected()
3848 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
3849 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
3850 check_ocsp_support(dev[0])
3851 check_ocsp_multi_support(dev[0])
3853 params = int_eap_server_params()
3854 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3855 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3856 params["private_key"] = "auth_serv/iCA-server/server.key"
# Only a single-certificate staple (leaf) is configured; no
# ocsp_stapling_response_multi covering the intermediate is provided.
3857 fn = ica_ocsp("server.pem")
3858 params["ocsp_stapling_response"] = fn
3860 hostapd.add_ap(apdev[0]['ifname'], params)
# ocsp=3 requires status for every certificate in the chain, so a "good"
# leaf status alone is insufficient and the connection must fail.
3861 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3862 identity="tls user",
3863 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3864 client_cert="auth_serv/iCA-user/user.pem",
3865 private_key="auth_serv/iCA-user/user.key",
3866 scan_freq="2412", ocsp=3, wait_connect=False)
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3867-3868, 3871, 3876, 3878-3880, 3884)
# are not present in this listing.
3869 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3870 "CTRL-EVENT-EAP-SUCCESS"])
3872 raise Exception("Timeout on EAP status")
3873 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3874 raise Exception("Unexpected EAP-Success")
3875 if 'bad certificate status response' in ev:
3877 if 'certificate revoked' in ev:
3881 raise Exception("Unexpected number of EAP status messages")
3883 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3885 raise Exception("Timeout on EAP failure report")
3886 dev[0].request("REMOVE_NETWORK all")
3887 dev[0].wait_disconnected()
3891 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
3892 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
3893 check_ocsp_support(dev[0])
3894 check_ocsp_multi_support(dev[0])
3896 params = int_eap_server_params()
3897 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3898 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3899 params["private_key"] = "auth_serv/iCA-server/server.key"
# Two responses: the intermediate CA vouches for the leaf (fn) and the root
# CA vouches for the intermediate (fn2).
3900 fn = ica_ocsp("server.pem")
3901 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
3902 params["ocsp_stapling_response"] = fn
# Assemble the OCSPResponseList for the multi staple: each entry is a
# 3-byte big-endian length (low three bytes of a packed ">L") followed by
# the DER response. NOTE(review): the read of the second response into
# resp_ica (gutter 3907), the descriptor close and the trailing write/close
# (3910, 3915-3917) are not present in this listing.
3904 with open(fn, "r") as f:
3905 resp_server = f.read()
3906 with open(fn2, "r") as f:
3909 fd3, fn3 = tempfile.mkstemp()
3911 f = os.fdopen(fd3, 'w')
3912 f.write(struct.pack(">L", len(resp_server))[1:4])
3913 f.write(resp_server)
3914 f.write(struct.pack(">L", len(resp_ica))[1:4])
3918 params["ocsp_stapling_response_multi"] = fn3
3920 hostapd.add_ap(apdev[0]['ifname'], params)
# ocsp=3 (status required for the whole chain). NOTE(review): despite the
# "OK" in the docstring, the visible checks below treat EAP-Success as an
# error and wait for EAP-Failure -- confirm the intended outcome against the
# lines missing from this listing before relying on this test's name.
3921 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3922 identity="tls user",
3923 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3924 client_cert="auth_serv/iCA-user/user.pem",
3925 private_key="auth_serv/iCA-user/user.key",
3926 scan_freq="2412", ocsp=3, wait_connect=False)
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3927-3928, 3931, 3936, 3938-3940, 3944)
# are not present in this listing.
3929 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3930 "CTRL-EVENT-EAP-SUCCESS"])
3932 raise Exception("Timeout on EAP status")
3933 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3934 raise Exception("Unexpected EAP-Success")
3935 if 'bad certificate status response' in ev:
3937 if 'certificate revoked' in ev:
3941 raise Exception("Unexpected number of EAP status messages")
3943 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3945 raise Exception("Timeout on EAP failure report")
3946 dev[0].request("REMOVE_NETWORK all")
3947 dev[0].wait_disconnected()
3953 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
3954 """EAP-TLS and CA signed OCSP multi response (revoked)"""
3955 check_ocsp_support(dev[0])
3956 check_ocsp_multi_support(dev[0])
# Both pre-generated responses (revoked and unknown) must be available.
3958 ocsp_revoked = os.path.join(params['logdir'],
3959 "ocsp-resp-ca-signed-revoked.der")
3960 if not os.path.exists(ocsp_revoked):
3961 raise HwsimSkip("No OCSP response (revoked) available")
3962 ocsp_unknown = os.path.join(params['logdir'],
3963 "ocsp-resp-ca-signed-unknown.der")
3964 if not os.path.exists(ocsp_unknown):
3965 raise HwsimSkip("No OCSP response(unknown) available")
3967 with open(ocsp_revoked, "r") as f:
3968 resp_revoked = f.read()
3969 with open(ocsp_unknown, "r") as f:
3970 resp_unknown = f.read()
# Build the OCSPResponseList by hand: 3-byte big-endian length prefix
# (low three bytes of a packed ">L") followed by each DER response. A
# zero-length entry is deliberately included to exercise that code path.
# NOTE(review): the descriptor close and f.close() lines (gutter 3973,
# 3985-3986) are not present in this listing.
3972 fd, fn = tempfile.mkstemp()
3974 # This is not really a valid order of the OCSPResponse items in the
3975 # list, but this works for now to verify parsing and processing of
3976 # multiple responses.
3977 f = os.fdopen(fd, 'w')
3978 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3979 f.write(resp_unknown)
3980 f.write(struct.pack(">L", len(resp_revoked))[1:4])
3981 f.write(resp_revoked)
3982 f.write(struct.pack(">L", 0)[1:4])
3983 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3984 f.write(resp_unknown)
3987 params = int_eap_server_params()
3988 params["ocsp_stapling_response_multi"] = fn
3989 hostapd.add_ap(apdev[0]['ifname'], params)
# Even with OCSP optional (ocsp=1), a "revoked" entry anywhere in the list
# must be honoured: EAP-Success is treated as a test failure below.
3990 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3991 identity="tls user", ca_cert="auth_serv/ca.pem",
3992 private_key="auth_serv/user.pkcs12",
3993 private_key_passwd="whatever", ocsp=1,
3994 wait_connect=False, scan_freq="2412")
# NOTE(review): status-event loop body; its `while` header, counter, `break`
# and `if ev is None:` guards (gutter 3995-3996, 3999, 4004, 4006-4008) and
# the lines after the final raise (4010-4012) are not present in this listing.
3997 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3998 "CTRL-EVENT-EAP-SUCCESS"])
4000 raise Exception("Timeout on EAP status")
4001 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4002 raise Exception("Unexpected EAP-Success")
4003 if 'bad certificate status response' in ev:
4005 if 'certificate revoked' in ev:
4009 raise Exception("Unexpected number of EAP status messages")
4013 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
4014 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN, full name)"""
4015 check_domain_match_full(dev[0])
# Server certificate without a dNSName SAN, so the suffix match has to fall
# back to the subject CN.
4016 params = int_eap_server_params()
4017 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4018 params["private_key"] = "auth_serv/server-no-dnsname.key"
4019 hostapd.add_ap(apdev[0]['ifname'], params)
# The configured suffix is the complete CN (server3.w1.fi); the connect is
# expected to succeed. NOTE(review): the tail of this call (gutter 4025) is
# not in this listing.
4020 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4021 identity="tls user", ca_cert="auth_serv/ca.pem",
4022 private_key="auth_serv/user.pkcs12",
4023 private_key_passwd="whatever",
4024 domain_suffix_match="server3.w1.fi",
4027 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4028 """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
4029 check_domain_match(dev[0])
# No dNSName SAN in the server certificate: domain_match is evaluated
# against the subject CN.
4030 params = int_eap_server_params()
4031 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4032 params["private_key"] = "auth_serv/server-no-dnsname.key"
4033 hostapd.add_ap(apdev[0]['ifname'], params)
# Exact-match variant (domain_match, not the suffix form); expected to
# connect. NOTE(review): the tail of this call (gutter 4039) is not in this
# listing.
4034 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4035 identity="tls user", ca_cert="auth_serv/ca.pem",
4036 private_key="auth_serv/user.pkcs12",
4037 private_key_passwd="whatever",
4038 domain_match="server3.w1.fi",
4041 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4042 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Positive case with a proper parent-domain suffix: domain_suffix_match is
    "w1.fi" while the server name is server3.w1.fi. A partial suffix needs a
    library that supports real suffix matching, which is why
    check_domain_match_full() (OpenSSL only) gates this test rather than
    check_domain_suffix_match().
    """
4043 check_domain_match_full(dev[0])
4044 params = int_eap_server_params()
4045 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4046 params["private_key"] = "auth_serv/server-no-dnsname.key"
4047 hostapd.add_ap(apdev[0]['ifname'], params)
4048 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4049 identity="tls user", ca_cert="auth_serv/ca.pem",
4050 private_key="auth_serv/user.pkcs12",
4051 private_key_passwd="whatever",
4052 domain_suffix_match="w1.fi",
# NOTE(review): the connect() argument list continues on a line not shown in this listing.
4055 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4056 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two negative cases against the server3.w1.fi certificate, both of which
    must end in CTRL-EVENT-EAP-FAILURE:
      dev[0]: "example.com" - an unrelated domain.
      dev[1]: "erver3.w1.fi" - a byte-wise suffix of the name that does not
              start on a DNS label boundary; accepting it would let an
              unrelated host name pass the suffix check.
    """
4057 check_domain_suffix_match(dev[0])
4058 params = int_eap_server_params()
4059 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4060 params["private_key"] = "auth_serv/server-no-dnsname.key"
4061 hostapd.add_ap(apdev[0]['ifname'], params)
4062 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4063 identity="tls user", ca_cert="auth_serv/ca.pem",
4064 private_key="auth_serv/user.pkcs12",
4065 private_key_passwd="whatever",
4066 domain_suffix_match="example.com",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4069 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4070 identity="tls user", ca_cert="auth_serv/ca.pem",
4071 private_key="auth_serv/user.pkcs12",
4072 private_key_passwd="whatever",
4073 domain_suffix_match="erver3.w1.fi",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4076 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4078 raise Exception("Timeout on EAP failure report")
4079 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4081 raise Exception("Timeout on EAP failure report (2)")
4083 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4084 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Negative cases for domain_match, which requires an exact name:
      dev[0]: "example.com" - unrelated domain.
      dev[1]: "w1.fi" - the parent domain; it would satisfy a suffix match
              but must be rejected by the exact-match variant.
    Both attempts must report CTRL-EVENT-EAP-FAILURE.
    """
4085 check_domain_match(dev[0])
4086 params = int_eap_server_params()
4087 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4088 params["private_key"] = "auth_serv/server-no-dnsname.key"
4089 hostapd.add_ap(apdev[0]['ifname'], params)
4090 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4091 identity="tls user", ca_cert="auth_serv/ca.pem",
4092 private_key="auth_serv/user.pkcs12",
4093 private_key_passwd="whatever",
4094 domain_match="example.com",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4097 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4098 identity="tls user", ca_cert="auth_serv/ca.pem",
4099 private_key="auth_serv/user.pkcs12",
4100 private_key_passwd="whatever",
4101 domain_match="w1.fi",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4104 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4106 raise Exception("Timeout on EAP failure report")
4107 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4109 raise Exception("Timeout on EAP failure report (2)")
4111 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4112 """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents auth_serv/server-expired.pem. The supplicant must
    first emit CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired", and then CTRL-EVENT-EAP-FAILURE; a silent
    failure (or a success) would mean validity-period checking is broken.
    """
4113 skip_with_fips(dev[0])
4114 params = int_eap_server_params()
4115 params["server_cert"] = "auth_serv/server-expired.pem"
4116 params["private_key"] = "auth_serv/server-expired.key"
4117 hostapd.add_ap(apdev[0]['ifname'], params)
4118 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4119 identity="mschap user", password="password",
4120 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4123 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4125 raise Exception("Timeout on EAP certificate error report")
# Both the numeric reason and the human-readable text are checked so a
# different certificate error cannot satisfy this test by accident.
4126 if "reason=4" not in ev or "certificate has expired" not in ev:
4127 raise Exception("Unexpected failure reason: " + ev)
4128 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4130 raise Exception("Timeout on EAP failure report")
4132 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4133 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the profile sets phase1="tls_disable_time_checks=1", which turns off
    the validity-period check, so the connection is expected to complete.
    This is a test-only knob: in a deployment it removes the protection
    against expired (and possibly no longer revocable) certificates.
    """
4134 skip_with_fips(dev[0])
4135 params = int_eap_server_params()
4136 params["server_cert"] = "auth_serv/server-expired.pem"
4137 params["private_key"] = "auth_serv/server-expired.key"
4138 hostapd.add_ap(apdev[0]['ifname'], params)
4139 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4140 identity="mschap user", password="password",
4141 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4142 phase1="tls_disable_time_checks=1",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4145 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4146 """WPA2-Enterprise using EAP-TTLS and long certificate duration

    Positive case: the server certificate auth_serv/server-long-duration.pem
    must be accepted by the default validity checks.
    """
4147 skip_with_fips(dev[0])
4148 params = int_eap_server_params()
4149 params["server_cert"] = "auth_serv/server-long-duration.pem"
4150 params["private_key"] = "auth_serv/server-long-duration.key"
4151 hostapd.add_ap(apdev[0]['ifname'], params)
4152 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4153 identity="mschap user", password="password",
4154 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4157 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4158 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    Negative case: the server presents auth_serv/server-eku-client.pem, a
    certificate whose Extended Key Usage only allows client authentication.
    The supplicant must refuse it (CTRL-EVENT-EAP-FAILURE); otherwise any
    client certificate issued by the CA could impersonate the server.
    """
4159 skip_with_fips(dev[0])
4160 params = int_eap_server_params()
4161 params["server_cert"] = "auth_serv/server-eku-client.pem"
4162 params["private_key"] = "auth_serv/server-eku-client.key"
4163 hostapd.add_ap(apdev[0]['ifname'], params)
4164 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4165 identity="mschap user", password="password",
4166 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4169 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4171 raise Exception("Timeout on EAP failure report")
4173 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4174 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of test_ap_wpa2_eap_ttls_server_cert_eku_client:
    auth_serv/server-eku-client-server.pem carries both EKUs, so the server
    authentication purpose is present and the connection should succeed.
    """
4175 skip_with_fips(dev[0])
4176 params = int_eap_server_params()
4177 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4178 params["private_key"] = "auth_serv/server-eku-client-server.key"
4179 hostapd.add_ap(apdev[0]['ifname'], params)
4180 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4181 identity="mschap user", password="password",
4182 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4185 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4186 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server's certificate and key come from one PKCS#12 container
    (auth_serv/server.pkcs12) given as private_key; server_cert is removed
    from the parameters so the container is the only source.
    """
4187 skip_with_fips(dev[0])
4188 params = int_eap_server_params()
4189 del params["server_cert"]
4190 params["private_key"] = "auth_serv/server.pkcs12"
4191 hostapd.add_ap(apdev[0]['ifname'], params)
4192 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4193 identity="mschap user", password="password",
4194 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4197 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4198 """EAP-TTLS and server PKCS#12 file with extra certs

    Like test_ap_wpa2_eap_ttls_server_pkcs12, but the container
    (auth_serv/server-extra.pkcs12) holds additional certificates and is
    password protected, so private_key_passwd is set on the server side.
    """
4199 skip_with_fips(dev[0])
4200 params = int_eap_server_params()
4201 del params["server_cert"]
4202 params["private_key"] = "auth_serv/server-extra.pkcs12"
4203 params["private_key_passwd"] = "whatever"
4204 hostapd.add_ap(apdev[0]['ifname'], params)
4205 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4206 identity="mschap user", password="password",
4207 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The supplicant profile points dh_file at auth_serv/dh.conf; the AP runs
    the stock hostapd.wpa2_eap_params() configuration.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dh.conf",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params but the dh_file is a DSA
    parameter file (auth_serv/dsaparam.pem); skipped via
    check_dh_dsa_support() where the build cannot use it.
    """
    check_dh_dsa_support(dev[0])
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
# NOTE(review): a second function with this exact name is defined later in
# this file (the server-side "dhparams file not found" test). In Python the
# later definition replaces this one in the module namespace, so a runner
# that looks tests up by attribute name will never execute this client-side
# variant. Renaming one of the two is the fix.
4229 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4230 """EAP-TTLS and DH params file not found

    Client side: dh_file points at a file that does not exist. The attempt
    must end in CTRL-EVENT-EAP-FAILURE rather than silently continuing with
    library defaults.
    """
4231 skip_with_fips(dev[0])
4232 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4233 hostapd.add_ap(apdev[0]['ifname'], params)
4234 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4235 identity="mschap user", password="password",
4236 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4237 dh_file="auth_serv/dh-no-such-file.conf",
4238 scan_freq="2412", wait_connect=False)
4239 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4241 raise Exception("EAP failure timed out")
4242 dev[0].request("REMOVE_NETWORK all")
4243 dev[0].wait_disconnected()
# NOTE(review): a second function with this exact name is defined later in
# this file (the server-side "invalid dhparams file" test) and replaces this
# one in the module namespace, so this client-side variant is effectively
# never run by a name-based test runner. Renaming one of the two is the fix.
4245 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4246 """EAP-TTLS and invalid DH params file

    Client side: dh_file points at auth_serv/ca.pem, which is a certificate
    rather than DH parameters. The attempt must end in
    CTRL-EVENT-EAP-FAILURE.
    """
4247 skip_with_fips(dev[0])
4248 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4249 hostapd.add_ap(apdev[0]['ifname'], params)
4250 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4251 identity="mschap user", password="password",
4252 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4253 dh_file="auth_serv/ca.pem",
4254 scan_freq="2412", wait_connect=False)
4255 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4257 raise Exception("EAP failure timed out")
4258 dev[0].request("REMOVE_NETWORK all")
4259 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are read from auth_serv/dh2.conf, stored into the
    supplicant as the named blob "dhparams" over the control interface, and
    then referenced from the profile as dh_file="blob://dhparams".
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    dh_params = read_pem("auth_serv/dh2.conf")
    # The control interface takes the blob contents as a hex string.
    # binascii.hexlify(s) is the same transform as s.encode("hex") on
    # Python 2, without relying on the Python-2-only "hex" str codec.
    dh_hex = binascii.hexlify(dh_params)
    reply = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    Server side of the dhparams tests: the integrated EAP server is
    configured with dh_file=auth_serv/dh2.conf and a plain TTLS/PAP
    connection must still succeed.
    """
    server_cfg = int_eap_server_params()
    server_cfg["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server_cfg)

    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Server side: the integrated EAP server is given a DSA parameter file
    (auth_serv/dsaparam.pem) as dh_file; a TTLS/PAP connection must succeed.
    """
    server_cfg = int_eap_server_params()
    server_cfg["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server_cfg)

    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
# NOTE(review): this name is also used by an earlier definition in this file
# (the client-side "DH params file not found" test). This later definition
# replaces it in the module namespace, so the earlier one is shadowed and a
# name-based runner never executes it. One of the two should be renamed.
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    Server side: dh_file names a file that does not exist. The AP is added
    without enabling it, and the explicit ENABLE must be rejected with FAIL
    instead of starting the server with unusable parameters.
    """
    server_cfg = int_eap_server_params()
    server_cfg["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_cfg, no_enable=True)
    enable_reply = hapd.request("ENABLE")
    if "FAIL" not in enable_reply:
        raise Exception("Invalid configuration accepted")
# NOTE(review): this name is also used by an earlier definition in this file
# (the client-side "invalid DH params file" test). This later definition
# replaces it in the module namespace, so the earlier one is shadowed and a
# name-based runner never executes it. One of the two should be renamed.
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    Server side: dh_file points at auth_serv/ca.pem (a certificate, not DH
    parameters). ENABLE on the not-yet-enabled AP must be rejected with FAIL.
    """
    server_cfg = int_eap_server_params()
    server_cfg["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_cfg, no_enable=True)
    enable_reply = hapd.request("ENABLE")
    if "FAIL" not in enable_reply:
        raise Exception("Invalid configuration accepted")
4307 def test_ap_wpa2_eap_reauth(dev, apdev):
4308 """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP is configured with eap_reauth_period='2' so that, after the
    initial EAP-PAX connection, the Authenticator restarts EAP on its own.
    The test waits for CTRL-EVENT-EAP-STARTED and CTRL-EVENT-EAP-SUCCESS
    from that second round and then polls wpa_state until it is COMPLETED.
    """
4309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4310 params['eap_reauth_period'] = '2'
4311 hostapd.add_ap(apdev[0]['ifname'], params)
4312 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
4313 password_hex="0123456789abcdef0123456789abcdef")
4314 logger.info("Wait for reauthentication")
4315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): the line guarding this raise is not shown in this listing.
4317 raise Exception("Timeout on reauthentication")
4318 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the line guarding this raise is not shown in this listing.
4320 raise Exception("Timeout on reauthentication")
# Poll for the 4-way handshake that follows the re-authentication to finish;
# the loop body (break / sleep) is on lines not shown in this listing.
4321 for i in range(0, 20):
4322 state = dev[0].get_status_field("wpa_state")
4323 if state == "COMPLETED":
4326 if state != "COMPLETED":
4327 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message parameter sets the Type-Data of the EAP
    Request/Identity: a displayable string, then (after the NUL written as
    "\\0" in the config value) network information. The EAP-PAX connection
    must succeed regardless of that extra payload.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    pax_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The integrated EAP server is backed by hlr_auc_gw over the Unix socket
    /tmp/hlr_auc_gw.sock and has eap_sim_aka_result_ind enabled. For each of
    EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with result_ind=1 in
    phase1 and re-authenticates, then dev[1] connects without requesting the
    result indication. Both stations drop their networks before the next
    method is exercised.
    """
    check_hlr_auc_gw_support()
    server_cfg = int_eap_server_params()
    server_cfg['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server_cfg['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server_cfg)

    # (method, identity, password string handed to eap_connect)
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's profiles on both stations first.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
4372 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4373 """WPA2-Enterprise connection resulting in too many EAP roundtrips

    Verifies the supplicant's cap on EAP round trips: the attempt must
    produce an "EAP: more than" event (the round-trip limit message) within
    20 seconds instead of exchanging fragments indefinitely. The connect()
    arguments that force the extra round trips are on a line not shown in
    this listing.
    """
4374 skip_with_fips(dev[0])
4375 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4376 hostapd.add_ap(apdev[0]['ifname'], params)
4377 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4378 eap="TTLS", identity="mschap user",
4379 wait_connect=False, scan_freq="2412", ieee80211w="1",
4380 anonymous_identity="ttls", password="password",
4381 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4383 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
# NOTE(review): the line guarding this raise is not shown in this listing.
4385 raise Exception("EAP roundtrip limit not reached")
4387 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4388 """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The profile selects EAP-PSK with identity "vendor-test", which the
    server does not offer, so the supplicant must answer with a NAK. The
    loop looks for a CTRL-EVENT-EAP-STATUS containing "refuse proposed
    method" (at most 5 status events are tolerated) and the exchange must
    finish with CTRL-EVENT-EAP-FAILURE.
    """
4389 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4390 hostapd.add_ap(apdev[0]['ifname'], params)
4391 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4392 eap="PSK", identity="vendor-test",
4393 password_hex="ff23456789abcdef0123456789abcdef",
# NOTE(review): the remaining connect() arguments are on lines not shown in this listing.
4397 for i in range(0, 5):
4398 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
# NOTE(review): the line guarding this raise is not shown in this listing.
4400 raise Exception("Association and EAP start timed out")
4401 if "refuse proposed method" in ev:
# NOTE(review): the loop-exit lines that follow this condition are not shown in this listing.
4405 raise Exception("Unexpected EAP status: " + ev)
4407 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the line guarding this raise is not shown in this listing.
4409 raise Exception("EAP failure timed out")
4411 def test_ap_wpa2_eap_sql(dev, apdev, params):
4412 """WPA2-Enterprise connection using SQLite for user DB

    Builds a throw-away SQLite user database under params['logdir'] and
    hands it to the integrated EAP server via eap_user_file="sqlite:<path>".
    Four TTLS users (PAP, CHAP, MSCHAP, MSCHAPv2) are inserted with the
    cleartext test password and a wildcard row allows TTLS/TLS as the
    outer method; each user is then authenticated once.

    The SQL here consists of fixed literals only, so there is no
    interpolation of external data into the statements.
    """
4413 skip_with_fips(dev[0])
# NOTE(review): the sqlite3 import that this skip guards is on lines not shown in this listing.
4417 raise HwsimSkip("No sqlite3 module available")
4418 dbfile = os.path.join(params['logdir'], "eap-user.db")
# NOTE(review): removal of any stale database file is on lines not shown in this listing.
4423 con = sqlite3.connect(dbfile)
# NOTE(review): the cursor is created on lines not shown in this listing.
4426 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4427 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4428 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4429 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4430 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4431 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty identity in the wildcards table: matches any outer identity.
4432 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4433 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4436 params = int_eap_server_params()
4437 params["eap_user_file"] = "sqlite:" + dbfile
4438 hostapd.add_ap(apdev[0]['ifname'], params)
4439 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
4440 anonymous_identity="ttls", password="password",
4441 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4442 dev[0].request("REMOVE_NETWORK all")
4443 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
4444 anonymous_identity="ttls", password="password",
4445 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4446 dev[1].request("REMOVE_NETWORK all")
4447 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
4448 anonymous_identity="ttls", password="password",
4449 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4450 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
4451 anonymous_identity="ttls", password="password",
4452 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4456 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4457 """WPA2-Enterprise connection attempt using non-ASCII identity

    Robustness check against the integrated EAP server: identities that are
    not valid ASCII/UTF-8 ("\\x80" alone and "a\\x80") must still get as far
    as EAP method selection (CTRL-EVENT-EAP-STARTED then
    CTRL-EVENT-EAP-METHOD) rather than stalling or crashing either side.
    The outcome of the authentication itself is not checked.
    """
4458 params = int_eap_server_params()
4459 hostapd.add_ap(apdev[0]['ifname'], params)
4460 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4461 identity="\x80", password="password", wait_connect=False)
4462 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4463 identity="a\x80", password="password", wait_connect=False)
4464 for i in range(0, 2):
4465 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
# NOTE(review): the line guarding this raise is not shown in this listing.
4467 raise Exception("Association and EAP start timed out")
4468 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
# NOTE(review): the line guarding this raise is not shown in this listing.
4470 raise Exception("EAP method selection timed out")
4472 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4473 """WPA2-Enterprise connection attempt using non-ASCII identity (RADIUS)

    Same check as test_ap_wpa2_eap_non_ascii_identity, but the AP uses the
    hostapd.wpa2_eap_params() configuration (external authentication server
    path) instead of the integrated EAP server, so the non-ASCII identity
    also travels through that path.
    """
4474 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4475 hostapd.add_ap(apdev[0]['ifname'], params)
4476 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4477 identity="\x80", password="password", wait_connect=False)
4478 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4479 identity="a\x80", password="password", wait_connect=False)
4480 for i in range(0, 2):
4481 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
# NOTE(review): the line guarding this raise is not shown in this listing.
4483 raise Exception("Association and EAP start timed out")
4484 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
# NOTE(review): the line guarding this raise is not shown in this listing.
4486 raise Exception("EAP method selection timed out")
4488 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4489 """OpenSSL cipher suite configuration on wpa_supplicant

    Three client-side openssl_ciphers settings against a default AP:
      dev[0]: "AES128"  - a usable list, connection must succeed.
      dev[1]: "EXPORT"  - export-grade ciphers; the handshake is expected
              to fail (expect_failure=True). maybe_local_error=True allows
              for the failure being raised locally when the library has no
              such ciphers at all.
      dev[2]: "FOO"     - not a valid cipher string; must end in
              CTRL-EVENT-EAP-FAILURE rather than falling back to defaults.
    """
4490 tls = dev[0].request("GET tls_library")
4491 if not tls.startswith("OpenSSL"):
4492 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4494 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4495 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4496 anonymous_identity="ttls", password="password",
4497 openssl_ciphers="AES128",
4498 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4499 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
4500 anonymous_identity="ttls", password="password",
4501 openssl_ciphers="EXPORT",
4502 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4503 expect_failure=True, maybe_local_error=True)
4504 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4505 identity="pap user", anonymous_identity="ttls",
4506 password="password",
4507 openssl_ciphers="FOO",
4508 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
# NOTE(review): the remaining connect() arguments are on a line not shown in this listing.
4510 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the line guarding this raise is not shown in this listing.
4512 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4513 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to openssl_ciphers="AES256" and
    three clients are tried against it:
      dev[0]: default client list      - must connect.
      dev[1]: openssl_ciphers="AES128" - no overlap with the server, must fail.
      dev[2]: openssl_ciphers="HIGH:!ADH" - overlaps, must connect.
    Finally a second AP with openssl_ciphers="FOO" is added without enabling
    it, and ENABLE must be refused (FAIL) rather than silently ignoring the
    bad cipher string.

    Both wpa_supplicant and hostapd must be built against OpenSSL; otherwise
    the test is skipped.
    """
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)

    server_cfg = int_eap_server_params()
    server_cfg['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_cfg)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)

    common = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    server_cfg['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server_cfg, no_enable=True)
    enable_reply = hapd2.request("ENABLE")
    if "FAIL" not in enable_reply:
        raise Exception("Invalid openssl_ciphers value accepted")
4544 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
4545 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Key-hygiene test: snapshots the wpa_supplicant process memory at several
    points and checks which secrets are still present.

      1. While associated: password, PMK, KCK and KEK are expected to be in
         memory; TK and GTK must not be (they live in the driver/kernel).
      2. After disassociation: KCK/KEK/TK/GTK must be gone. The password
         (network profile) and PMK (PMKSA cache, EAP fast re-auth data) may
         legitimately remain.
      3. After PMKSA_FLUSH and changing the identity (which drops the EAP
         fast re-auth state): the PMK must be gone.
      4. After REMOVE_NETWORK all: none of password, PMK, KCK, KEK, TK, GTK,
         MSK or EMSK may remain.

    The reference key values are recovered from the wpa_supplicant debug log
    (hexdump lines), so the test depends on the log being written to
    params['logdir']/log0 with key material included.
    """
4546 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4547 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# A long, high-entropy password so that a memory hit is unambiguous.
4548 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
# All memory snapshots below are taken of this wpa_supplicant process.
4549 pid = find_wpas_process(dev[0])
4550 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
4551 anonymous_identity="ttls", password=password,
4552 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4553 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4554 # event has been delivered, so verify that wpa_supplicant has returned to
4555 # eloop before reading process memory.
# NOTE(review): the lines that wait for the process to return to eloop are not shown in this listing.
4558 buf = read_process_memory(pid, password)
4560 dev[0].request("DISCONNECT")
4561 dev[0].wait_disconnected()
# NOTE(review): the initialization of the key variables read below is on lines not shown in this listing.
# Recover the derived keys from the debug log. Each hexdump line is assumed
# to have the hex payload as its fourth ':'-separated field; the spaces
# between bytes are stripped before decoding.
4569 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
4570 for l in f.readlines():
4571 if "EAP-TTLS: Derived key - hexdump" in l:
4572 val = l.strip().split(':')[3].replace(' ', '')
4573 msk = binascii.unhexlify(val)
4574 if "EAP-TTLS: Derived EMSK - hexdump" in l:
4575 val = l.strip().split(':')[3].replace(' ', '')
4576 emsk = binascii.unhexlify(val)
4577 if "WPA: PMK - hexdump" in l:
4578 val = l.strip().split(':')[3].replace(' ', '')
4579 pmk = binascii.unhexlify(val)
4580 if "WPA: PTK - hexdump" in l:
4581 val = l.strip().split(':')[3].replace(' ', '')
4582 ptk = binascii.unhexlify(val)
4583 if "WPA: Group Key - hexdump" in l:
4584 val = l.strip().split(':')[3].replace(' ', '')
4585 gtk = binascii.unhexlify(val)
4586 if not msk or not emsk or not pmk or not ptk or not gtk:
4587 raise Exception("Could not find keys from debug log")
# NOTE(review): the GTK length check guarding this raise is not shown in this listing.
4589 raise Exception("Unexpected GTK length")
# NOTE(review): kck, kek and tk are used below but assigned on lines not shown
# in this listing (presumably sliced out of ptk - confirm against the full file).
# Prefix for the memory-context files written when a key is unexpectedly found.
4595 fname = os.path.join(params['logdir'],
4596 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
4598 logger.info("Checking keys in memory while associated")
4599 get_key_locations(buf, password, "Password")
4600 get_key_locations(buf, pmk, "PMK")
4601 get_key_locations(buf, msk, "MSK")
4602 get_key_locations(buf, emsk, "EMSK")
# Password/PMK absence while associated is treated as a skip, not a failure:
# it means the snapshot did not capture the expected state, so the later
# "must be gone" checks would prove nothing.
4603 if password not in buf:
4604 raise HwsimSkip("Password not found while associated")
# NOTE(review): the conditions guarding the next five raises are not shown in this listing.
4606 raise HwsimSkip("PMK not found while associated")
4608 raise Exception("KCK not found while associated")
4610 raise Exception("KEK not found while associated")
4612 raise Exception("TK found from memory")
4614 get_key_locations(buf, gtk, "GTK")
4615 raise Exception("GTK found from memory")
4617 logger.info("Checking keys in memory after disassociation")
4618 buf = read_process_memory(pid, password)
4620 # Note: Password is still present in network configuration
4621 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4623 get_key_locations(buf, password, "Password")
4624 get_key_locations(buf, pmk, "PMK")
4625 get_key_locations(buf, msk, "MSK")
4626 get_key_locations(buf, emsk, "EMSK")
4627 verify_not_present(buf, kck, fname, "KCK")
4628 verify_not_present(buf, kek, fname, "KEK")
4629 verify_not_present(buf, tk, fname, "TK")
4630 verify_not_present(buf, gtk, fname, "GTK")
# Drop the cached PMKSA entries and, by changing the identity, the EAP fast
# re-authentication data that also holds the PMK.
4632 dev[0].request("PMKSA_FLUSH")
4633 dev[0].set_network_quoted(id, "identity", "foo")
4634 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4635 buf = read_process_memory(pid, password)
4636 get_key_locations(buf, password, "Password")
4637 get_key_locations(buf, pmk, "PMK")
4638 get_key_locations(buf, msk, "MSK")
4639 get_key_locations(buf, emsk, "EMSK")
4640 verify_not_present(buf, pmk, fname, "PMK")
4642 dev[0].request("REMOVE_NETWORK all")
4644 logger.info("Checking keys in memory after network profile removal")
4645 buf = read_process_memory(pid, password)
4647 get_key_locations(buf, password, "Password")
4648 get_key_locations(buf, pmk, "PMK")
4649 get_key_locations(buf, msk, "MSK")
4650 get_key_locations(buf, emsk, "EMSK")
4651 verify_not_present(buf, password, fname, "password")
4652 verify_not_present(buf, pmk, fname, "PMK")
4653 verify_not_present(buf, kck, fname, "KCK")
4654 verify_not_present(buf, kek, fname, "KEK")
4655 verify_not_present(buf, tk, fname, "TK")
4656 verify_not_present(buf, gtk, fname, "GTK")
4657 verify_not_present(buf, msk, fname, "MSK")
4658 verify_not_present(buf, emsk, fname, "EMSK")
4660 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
4661 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection, an EAPOL-Key frame using the
    legacy (RC4/WEP) key descriptor is injected into wpa_supplicant through
    the EAPOL_RX control command as if it came from the AP. On a WPA2
    association such a frame is meaningless and must simply be dropped; the
    only thing checked here is that the injection itself was accepted.
    """
4662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4664 bssid = apdev[0]['bssid']
4665 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4666 anonymous_identity="ttls", password="password",
4667 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4669 # Send unexpected WEP EAPOL-Key; this gets dropped
# Frame bytes: EAPOL version 2, packet type 3 (EAPOL-Key), length 0x2c,
# then descriptor type 1 (the legacy RC4 key descriptor) and a zero body.
4670 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
# NOTE(review): the check on res that guards this raise is not shown in this listing.
4672 raise Exception("EAPOL_RX to wpa_supplicant failed")
4674 def test_ap_wpa2_eap_in_bridge(dev, apdev):
4675 """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and then tears the
    bridge setup down again. The interface names and the try/finally that
    surround the call are on lines not shown in this listing.
    """
4679 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Cleanup is best effort: subprocess.call() ignores the exit status, so a
# step that already failed (or was never reached) does not mask the test
# result. Arguments are passed as a list, so no shell is involved.
4681 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
4682 subprocess.call(['brctl', 'delif', br_ifname, ifname])
4683 subprocess.call(['brctl', 'delbr', br_ifname])
4684 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
4686 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of test_ap_wpa2_eap_in_bridge: puts a wpa_supplicant station
# interface into a Linux bridge (4-address mode) and exercises EAP-PAX
# association, two re-authentications, and a disconnect/reconnect cycle
# through the bridged interface. br_ifname and ifname are bound on lines
# not shown in this listing.
4687 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4688 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4692 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup: only addif is check_call(), so a failure to actually put the
# interface into the bridge aborts the test instead of testing the wrong
# topology; the earlier steps are best effort.
4693 subprocess.call(['brctl', 'addbr', br_ifname])
4694 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
4695 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
4696 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
4697 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
4698 wpas.interface_add(ifname, br_ifname=br_ifname)
# NOTE(review): lines between interface_add() and the connection are not shown in this listing.
4701 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
4702 password_hex="0123456789abcdef0123456789abcdef")
4704 eap_reauth(wpas, "PAX")
4706 # Try again as a regression test for packet socket workaround
4707 eap_reauth(wpas, "PAX")
4709 wpas.request("DISCONNECT")
4710 wpas.wait_disconnected()
4712 wpas.request("RECONNECT")
4713 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    The supplicant profile sets phase1="tls_disable_session_ticket=0" so
    that TLS session tickets are allowed, then connects with TTLS/PAP and
    re-authenticates once. The AP's GET_CONFIG is also checked to report
    WPA-EAP as the first key_mgmt entry.
    """
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase1": "tls_disable_session_ticket=0",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
    eap_reauth(dev[0], "TTLS")
4729 def test_ap_wpa2_eap_no_workaround(dev, apdev):
4730 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Connects with TTLS and the interoperability workarounds disabled in the
    profile (eap_workaround='0'), then re-authenticates once. The AP's
    GET_CONFIG is also checked to report WPA-EAP as the first key_mgmt entry.
    """
4731 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4732 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4733 key_mgmt = hapd.get_config()['key_mgmt']
4734 if key_mgmt.split(' ')[0] != "WPA-EAP":
4735 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
4736 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4737 anonymous_identity="ttls", password="password",
4738 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): the remaining eap_connect() arguments are on a line not shown in this listing.
4740 eap_reauth(dev[0], "TTLS")
4742 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
4743 """EAP-TLS and server checking CRL

    Exercises hostapd's check_crl setting with the same EAP-TLS client:
      1. check_crl=1 while the configured CA file has no CRL: the server
         must reject the client (fail closed) rather than treat a missing
         CRL as "not revoked".
      2. Same setting after switching ca_cert to auth_serv/ca-and-crl.pem
         (CA certificate plus a CRL): the client is accepted.
      3. check_crl=2 with that CRL: still accepted.
    Per hostapd.conf, check_crl=1 checks the CRL for the user certificate and
    check_crl=2 checks CRLs for the whole certificate path.
    """
4744 params = int_eap_server_params()
4745 params['check_crl'] = '1'
4746 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4748 # check_crl=1 and no CRL available --> reject connection
4749 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4750 client_cert="auth_serv/user.pem",
4751 private_key="auth_serv/user.key", expect_failure=True)
4752 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): the lines around each hapd.set() call (presumably a disable/
# enable cycle so the new value takes effect) are not shown in this listing.
4755 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
4758 # check_crl=1 and valid CRL --> accept
4759 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4760 client_cert="auth_serv/user.pem",
4761 private_key="auth_serv/user.key")
4762 dev[0].request("REMOVE_NETWORK all")
4765 hapd.set("check_crl", "2")
4768 # check_crl=2 and valid CRL --> accept
4769 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4770 client_cert="auth_serv/user.pem",
4771 private_key="auth_serv/user.key")
4772 dev[0].request("REMOVE_NETWORK all")
4774 def test_ap_wpa2_eap_tls_oom(dev, apdev):
4775 """EAP-TLS and OOM

    Fault injection on the supplicant: the alloc_fail() context makes the
    Nth allocation inside tls_connection_set_subject_match() fail (N = 1..4)
    while a profile that uses every certificate-matching option
    (subject_match, altsubject_match, domain_suffix_match, domain_match) is
    configured. The expected outcome of a TLS parameter configuration error
    is a CTRL-REQ-PASSPHRASE request, which the test waits for; a connection
    proceeding without the matching rules applied would be a failure.
    Skipped unless the TLS library supports all four matching options.
    """
4776 check_subject_match_support(dev[0])
4777 check_altsubject_match_support(dev[0])
4778 check_domain_match(dev[0])
4779 check_domain_match_full(dev[0])
4781 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4782 hostapd.add_ap(apdev[0]['ifname'], params)
# (allocation-failure count, function in which the failure is injected)
4784 tests = [ (1, "tls_connection_set_subject_match"),
4785 (2, "tls_connection_set_subject_match"),
4786 (3, "tls_connection_set_subject_match"),
4787 (4, "tls_connection_set_subject_match") ]
4788 for count, func in tests:
4789 with alloc_fail(dev[0], count, func):
4790 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4791 identity="tls user", ca_cert="auth_serv/ca.pem",
4792 client_cert="auth_serv/user.pem",
4793 private_key="auth_serv/user.key",
4794 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
4795 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
4796 domain_suffix_match="server.w1.fi",
4797 domain_match="server.w1.fi",
4798 wait_connect=False, scan_freq="2412")
4799 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
4800 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
# NOTE(review): the line guarding this raise is not shown in this listing.
4802 raise Exception("No passphrase request")
4803 dev[0].request("REMOVE_NETWORK all")
4804 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # macaddr_acl=2 presumably makes hostapd consult the external (RADIUS)
    # ACL for the station address; the EAP-TLS exchange itself is the
    # normal one, so the connection is still expected to succeed.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Second station is used here; credentials are the standard tls user.
    eap_connect(dev[1], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
4815 def test_ap_wpa2_eap_oom(dev, apdev):
4816 """EAP server and OOM"""
# Allocation failure on the authenticator (hostapd) side when the EAPOL
# state machine for the station is created. The station is expected to
# recover by retrying, so the test ends with a normal connection.
4817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Scan first so the connect() below does not spend time discovering the AP.
4819 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
4821 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
4822 # The first attempt fails, but STA will send EAPOL-Start to retry and
# NOTE(review): the rest of this comment (4823) and the end of the
# connect() call (4828) are not reproduced in this listing.
4824 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4825 identity="tls user", ca_cert="auth_serv/ca.pem",
4826 client_cert="auth_serv/user.pem",
4827 private_key="auth_serv/user.key",
4830 def check_tls_ver(dev, ap, phase1, expected):
# Connect with EAP-TLS using the given phase1 string (the TLS version
# knobs) and compare the negotiated version, as reported by the
# eap_tls_version status field, against `expected`.
# NOTE(review): line 4834 (presumably the phase1=phase1 argument) and
# line 4836 (presumably the comparison guarding the raise) are not
# reproduced in this listing.
4831 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4832 client_cert="auth_serv/user.pem",
4833 private_key="auth_serv/user.key",
4835 ver = dev.get_status_field("eap_tls_version")
4837 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
4839 def test_ap_wpa2_eap_tls_versions(dev, apdev):
4840 """EAP-TLS and TLS version configuration"""
# Disabling TLS versions through phase1 must steer the negotiation to the
# one version left enabled. Which combinations are exercised depends on
# the supplicant's TLS library: with OpenSSL the TLS 1.2 case is only run
# when both build and runtime versions are 1.0.2; the internal library
# gets all three (1.2, 1.1 and 1.0) on separate stations.
4841 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4842 hostapd.add_ap(apdev[0]['ifname'], params)
4844 tls = dev[0].request("GET tls_library")
4845 if tls.startswith("OpenSSL"):
4846 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
4847 check_tls_ver(dev[0], apdev[0],
4848 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
# NOTE(review): line 4849 (the expected version for the OpenSSL case) is
# not reproduced in this listing.
4850 elif tls.startswith("internal"):
4851 check_tls_ver(dev[0], apdev[0],
4852 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
4853 check_tls_ver(dev[1], apdev[0],
4854 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
4855 check_tls_ver(dev[2], apdev[0],
4856 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
4858 def test_rsn_ie_proto_eap_sta(dev, apdev):
4859 """RSN element protocol testing for EAP cases on STA side"""
# The AP advertises progressively truncated RSN elements (optional
# trailing fields dropped one at a time) and the station is expected to
# still parse them and connect. The hex strings are raw elements:
# ID 0x30, length, version 1, group cipher 00-0f-ac-04 (CCMP), pairwise
# suite list, AKM suite list (00-0f-ac-01 = IEEE 802.1X), capabilities.
4860 bssid = apdev[0]['bssid']
4861 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4862 # This is the RSN element used normally by hostapd
4863 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
4864 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4865 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4866 identity="gpsk user",
4867 password="abcdefghijklmnop0123456789abcdef",
# NOTE(review): lines 4868-4869 (end of the connect() call) and 4877
# (the element for the last entry) are not reproduced in this listing.
4870 tests = [ ('No RSN Capabilities field',
4871 '30120100000fac040100000fac040100000fac01'),
4872 ('No AKM Suite fields',
4873 '300c0100000fac040100000fac04'),
4874 ('No Pairwise Cipher Suite fields',
4875 '30060100000fac04'),
4876 ('No Group Data Cipher Suite field',
4878 for txt,ie in tests:
4879 dev[0].request("DISCONNECT")
4880 dev[0].wait_disconnected()
# Swap the AP's RSN element, then force a fresh scan so the station
# evaluates the new element rather than a cached BSS entry.
4883 hapd.set('own_ie_override', ie)
4885 dev[0].request("BSS_FLUSH 0")
4886 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
4887 dev[0].select_network(id, freq=2412)
4888 dev[0].wait_connected()
4890 dev[0].request("DISCONNECT")
4891 dev[0].wait_disconnected()
4892 dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both ends use OpenSSL.

    TLS session resumption is only exercised with the OpenSSL backend.
    The hostapd side is checked first, then the wpa_supplicant side;
    HwsimSkip carries the name of the offending library.
    """
    checks = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for ctrl, reason in checks:
        lib = ctrl.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
4903 def test_eap_ttls_pap_session_resumption(dev, apdev):
4904 """EAP-TTLS/PAP session resumption"""
# Server-side session cache enabled (tls_session_lifetime=60). The first
# connection must be a full handshake (tls_session_reused=0) and the
# re-authentication must resume the cached session (tls_session_reused=1).
4905 params = int_eap_server_params()
4906 params['tls_session_lifetime'] = '60'
4907 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4908 check_tls_session_resumption_capa(dev[0], hapd)
4909 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4910 anonymous_identity="ttls", password="password",
4911 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): line 4912 (end of the eap_connect() call, presumably the
# phase2 argument) and the None checks on ev after each wait_event()
# (4918, 4921) are not reproduced in this listing.
4913 if dev[0].get_status_field("tls_session_reused") != '0':
4914 raise Exception("Unexpected session resumption on the first connection")
# REAUTHENTICATE triggers a new EAP exchange over the existing association.
4916 dev[0].request("REAUTHENTICATE")
4917 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4919 raise Exception("EAP success timed out")
4920 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4922 raise Exception("Key handshake with the AP timed out")
4923 if dev[0].get_status_field("tls_session_reused") != '1':
4924 raise Exception("Session resumption not used on the second connection")
4926 def test_eap_ttls_chap_session_resumption(dev, apdev):
4927 """EAP-TTLS/CHAP session resumption"""
# Same flow as the PAP variant: full handshake first, resumed session on
# REAUTHENTICATE. The CA certificate is given in DER form here.
4928 params = int_eap_server_params()
4929 params['tls_session_lifetime'] = '60'
4930 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4931 check_tls_session_resumption_capa(dev[0], hapd)
4932 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
4933 anonymous_identity="ttls", password="password",
4934 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
4935 if dev[0].get_status_field("tls_session_reused") != '0':
4936 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (4940,
# 4943) are not reproduced in this listing.
4938 dev[0].request("REAUTHENTICATE")
4939 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4941 raise Exception("EAP success timed out")
4942 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4944 raise Exception("Key handshake with the AP timed out")
4945 if dev[0].get_status_field("tls_session_reused") != '1':
4946 raise Exception("Session resumption not used on the second connection")
4948 def test_eap_ttls_mschap_session_resumption(dev, apdev):
4949 """EAP-TTLS/MSCHAP session resumption"""
# As the PAP variant, with the server identity additionally pinned via
# domain_suffix_match so a resumed session still goes with a verified
# server name on the first (full) handshake.
4950 check_domain_suffix_match(dev[0])
4951 params = int_eap_server_params()
4952 params['tls_session_lifetime'] = '60'
4953 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4954 check_tls_session_resumption_capa(dev[0], hapd)
4955 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
4956 anonymous_identity="ttls", password="password",
4957 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4958 domain_suffix_match="server.w1.fi")
4959 if dev[0].get_status_field("tls_session_reused") != '0':
4960 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (4964,
# 4967) are not reproduced in this listing.
4962 dev[0].request("REAUTHENTICATE")
4963 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4965 raise Exception("EAP success timed out")
4966 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4968 raise Exception("Key handshake with the AP timed out")
4969 if dev[0].get_status_field("tls_session_reused") != '1':
4970 raise Exception("Session resumption not used on the second connection")
4972 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
4973 """EAP-TTLS/MSCHAPv2 session resumption"""
# As the MSCHAP variant, using a DOMAIN\user style identity.
4974 check_domain_suffix_match(dev[0])
4975 check_eap_capa(dev[0], "MSCHAPV2")
4976 params = int_eap_server_params()
4977 params['tls_session_lifetime'] = '60'
4978 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4979 check_tls_session_resumption_capa(dev[0], hapd)
# NOTE(review): "\m" is not a recognised escape sequence, so the literal
# relies on the backslash being kept as-is; newer Python versions warn
# about this. A raw string or "\\m" would state the intent explicitly
# without changing the identity sent.
4980 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
4981 anonymous_identity="ttls", password="password",
4982 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4983 domain_suffix_match="server.w1.fi")
4984 if dev[0].get_status_field("tls_session_reused") != '0':
4985 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (4989,
# 4992) are not reproduced in this listing.
4987 dev[0].request("REAUTHENTICATE")
4988 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4990 raise Exception("EAP success timed out")
4991 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4993 raise Exception("Key handshake with the AP timed out")
4994 if dev[0].get_status_field("tls_session_reused") != '1':
4995 raise Exception("Session resumption not used on the second connection")
4997 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
4998 """EAP-TTLS/EAP-GTC session resumption"""
# As the PAP variant, with an EAP inner method (autheap=GTC) instead of a
# non-EAP one.
4999 params = int_eap_server_params()
5000 params['tls_session_lifetime'] = '60'
5001 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5002 check_tls_session_resumption_capa(dev[0], hapd)
5003 eap_connect(dev[0], apdev[0], "TTLS", "user",
5004 anonymous_identity="ttls", password="password",
5005 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
5006 if dev[0].get_status_field("tls_session_reused") != '0':
5007 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5011,
# 5014) are not reproduced in this listing.
5009 dev[0].request("REAUTHENTICATE")
5010 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5012 raise Exception("EAP success timed out")
5013 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5015 raise Exception("Key handshake with the AP timed out")
5016 if dev[0].get_status_field("tls_session_reused") != '1':
5017 raise Exception("Session resumption not used on the second connection")
5019 def test_eap_ttls_no_session_resumption(dev, apdev):
5020 """EAP-TTLS session resumption disabled on server"""
# Negative counterpart: with tls_session_lifetime=0 the server must not
# cache sessions, so both the first and the re-authenticated connection
# have to report tls_session_reused=0. No OpenSSL capability check is
# needed here because nothing is expected to be resumed.
5021 params = int_eap_server_params()
5022 params['tls_session_lifetime'] = '0'
5023 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5024 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
5025 anonymous_identity="ttls", password="password",
5026 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): line 5027 (end of the eap_connect() call) and the None
# checks on ev after each wait_event() (5033, 5036) are not reproduced
# in this listing.
5028 if dev[0].get_status_field("tls_session_reused") != '0':
5029 raise Exception("Unexpected session resumption on the first connection")
5031 dev[0].request("REAUTHENTICATE")
5032 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5034 raise Exception("EAP success timed out")
5035 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5037 raise Exception("Key handshake with the AP timed out")
5038 if dev[0].get_status_field("tls_session_reused") != '0':
5039 raise Exception("Unexpected session resumption on the second connection")
5041 def test_eap_peap_session_resumption(dev, apdev):
5042 """EAP-PEAP session resumption"""
# PEAP with MSCHAPv2 inner method: full handshake first, resumed session
# on REAUTHENTICATE (tls_session_lifetime=60 on the server).
5043 params = int_eap_server_params()
5044 params['tls_session_lifetime'] = '60'
5045 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5046 check_tls_session_resumption_capa(dev[0], hapd)
5047 eap_connect(dev[0], apdev[0], "PEAP", "user",
5048 anonymous_identity="peap", password="password",
5049 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5050 if dev[0].get_status_field("tls_session_reused") != '0':
5051 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5055,
# 5058) are not reproduced in this listing.
5053 dev[0].request("REAUTHENTICATE")
5054 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5056 raise Exception("EAP success timed out")
5057 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5059 raise Exception("Key handshake with the AP timed out")
5060 if dev[0].get_status_field("tls_session_reused") != '1':
5061 raise Exception("Session resumption not used on the second connection")
5063 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
5064 """EAP-PEAP session resumption with crypto binding"""
# As the plain PEAP case, but with PEAPv0 and cryptobinding required
# (crypto_binding=2), so the resumed session must still complete the
# inner/outer key binding rather than skip it.
5065 params = int_eap_server_params()
5066 params['tls_session_lifetime'] = '60'
5067 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5068 check_tls_session_resumption_capa(dev[0], hapd)
5069 eap_connect(dev[0], apdev[0], "PEAP", "user",
5070 anonymous_identity="peap", password="password",
5071 phase1="peapver=0 crypto_binding=2",
5072 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5073 if dev[0].get_status_field("tls_session_reused") != '0':
5074 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5078,
# 5081) are not reproduced in this listing.
5076 dev[0].request("REAUTHENTICATE")
5077 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5079 raise Exception("EAP success timed out")
5080 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5082 raise Exception("Key handshake with the AP timed out")
5083 if dev[0].get_status_field("tls_session_reused") != '1':
5084 raise Exception("Session resumption not used on the second connection")
5086 def test_eap_peap_no_session_resumption(dev, apdev):
5087 """EAP-PEAP session resumption disabled on server"""
# Negative case: tls_session_lifetime is left at its default (no
# explicit value set), and both connections must report
# tls_session_reused=0.
5088 params = int_eap_server_params()
5089 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5090 eap_connect(dev[0], apdev[0], "PEAP", "user",
5091 anonymous_identity="peap", password="password",
5092 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
5093 if dev[0].get_status_field("tls_session_reused") != '0':
5094 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5098,
# 5101) are not reproduced in this listing.
5096 dev[0].request("REAUTHENTICATE")
5097 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5099 raise Exception("EAP success timed out")
5100 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5102 raise Exception("Key handshake with the AP timed out")
5103 if dev[0].get_status_field("tls_session_reused") != '0':
5104 raise Exception("Unexpected session resumption on the second connection")
5106 def test_eap_tls_session_resumption(dev, apdev):
5107 """EAP-TLS session resumption"""
# Certificate-based EAP-TLS: the first connection is a full handshake
# with client authentication; the two following REAUTHENTICATE rounds
# must both resume the cached session (tls_session_reused=1).
5108 params = int_eap_server_params()
5109 params['tls_session_lifetime'] = '60'
5110 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5111 check_tls_session_resumption_capa(dev[0], hapd)
5112 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5113 client_cert="auth_serv/user.pem",
5114 private_key="auth_serv/user.key")
5115 if dev[0].get_status_field("tls_session_reused") != '0':
5116 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5120,
# 5123, 5130, 5133) are not reproduced in this listing.
5118 dev[0].request("REAUTHENTICATE")
5119 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5121 raise Exception("EAP success timed out")
5122 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5124 raise Exception("Key handshake with the AP timed out")
5125 if dev[0].get_status_field("tls_session_reused") != '1':
5126 raise Exception("Session resumption not used on the second connection")
# Third round: a session resumed once must still be resumable.
5128 dev[0].request("REAUTHENTICATE")
5129 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5131 raise Exception("EAP success timed out")
5132 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5134 raise Exception("Key handshake with the AP timed out")
5135 if dev[0].get_status_field("tls_session_reused") != '1':
5136 raise Exception("Session resumption not used on the third connection")
5138 def test_eap_tls_session_resumption_expiration(dev, apdev):
5139 """EAP-TLS session resumption expiration"""
# The server caches sessions for only one second. After the initial
# full handshake, a re-authentication is expected to eventually fall
# back to a full handshake (tls_session_reused=0) once the cached
# entry has expired; resuming a session past its configured lifetime
# is the failure condition here.
5140 params = int_eap_server_params()
5141 params['tls_session_lifetime'] = '1'
5142 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5143 check_tls_session_resumption_capa(dev[0], hapd)
5144 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5145 client_cert="auth_serv/user.pem",
5146 private_key="auth_serv/user.key")
5147 if dev[0].get_status_field("tls_session_reused") != '0':
5148 raise Exception("Unexpected session resumption on the first connection")
5150 # Allow multiple attempts since OpenSSL may not expire the cached entry
# NOTE(review): lines 5151-5154 (presumably the retry loop and delay
# around the block below), the None checks on ev (5157, 5160) and line
# 5163 (presumably the loop exit once no resumption is seen) are not
# reproduced in this listing.
5155 dev[0].request("REAUTHENTICATE")
5156 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5158 raise Exception("EAP success timed out")
5159 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5161 raise Exception("Key handshake with the AP timed out")
5162 if dev[0].get_status_field("tls_session_reused") == '0':
5164 if dev[0].get_status_field("tls_session_reused") != '0':
5165 raise Exception("Session resumption used after lifetime expiration")
5167 def test_eap_tls_no_session_resumption(dev, apdev):
5168 """EAP-TLS session resumption disabled on server"""
# Negative case for EAP-TLS: tls_session_lifetime is left at its default
# and both connections must report tls_session_reused=0.
5169 params = int_eap_server_params()
5170 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5171 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5172 client_cert="auth_serv/user.pem",
5173 private_key="auth_serv/user.key")
5174 if dev[0].get_status_field("tls_session_reused") != '0':
5175 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5179,
# 5182) are not reproduced in this listing.
5177 dev[0].request("REAUTHENTICATE")
5178 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5180 raise Exception("EAP success timed out")
5181 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5183 raise Exception("Key handshake with the AP timed out")
5184 if dev[0].get_status_field("tls_session_reused") != '0':
5185 raise Exception("Unexpected session resumption on the second connection")
5187 def test_eap_tls_session_resumption_radius(dev, apdev):
5188 """EAP-TLS session resumption (RADIUS)"""
# Same expectation as the integrated-server case, but the EAP server is
# a second hostapd instance (apdev[1]) acting as RADIUS authentication
# server on port 18128; the AP on apdev[0] forwards EAP to it. The
# session cache therefore lives on the RADIUS server side.
5189 params = { "ssid": "as", "beacon_int": "2000",
5190 "radius_server_clients": "auth_serv/radius_clients.conf",
5191 "radius_server_auth_port": '18128',
# NOTE(review): line 5192 of the server configuration is not reproduced
# in this listing.
5193 "eap_user_file": "auth_serv/eap_user.conf",
5194 "ca_cert": "auth_serv/ca.pem",
5195 "server_cert": "auth_serv/server.pem",
5196 "private_key": "auth_serv/server.key",
5197 "tls_session_lifetime": "60" }
5198 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# The OpenSSL capability check is done against the RADIUS server, as
# that is the hostapd instance terminating TLS.
5199 check_tls_session_resumption_capa(dev[0], authsrv)
5201 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5202 params['auth_server_port'] = "18128"
5203 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5204 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5205 client_cert="auth_serv/user.pem",
5206 private_key="auth_serv/user.key")
5207 if dev[0].get_status_field("tls_session_reused") != '0':
5208 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5212,
# 5215) are not reproduced in this listing.
5210 dev[0].request("REAUTHENTICATE")
5211 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5213 raise Exception("EAP success timed out")
5214 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5216 raise Exception("Key handshake with the AP timed out")
5217 if dev[0].get_status_field("tls_session_reused") != '1':
5218 raise Exception("Session resumption not used on the second connection")
5220 def test_eap_tls_no_session_resumption_radius(dev, apdev):
5221 """EAP-TLS session resumption disabled (RADIUS)"""
# Negative counterpart of the RADIUS case: the RADIUS server has
# tls_session_lifetime=0, so the re-authentication must be a full
# handshake again.
5222 params = { "ssid": "as", "beacon_int": "2000",
5223 "radius_server_clients": "auth_serv/radius_clients.conf",
5224 "radius_server_auth_port": '18128',
# NOTE(review): line 5225 of the server configuration is not reproduced
# in this listing.
5226 "eap_user_file": "auth_serv/eap_user.conf",
5227 "ca_cert": "auth_serv/ca.pem",
5228 "server_cert": "auth_serv/server.pem",
5229 "private_key": "auth_serv/server.key",
5230 "tls_session_lifetime": "0" }
5231 hostapd.add_ap(apdev[1]['ifname'], params)
5233 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5234 params['auth_server_port'] = "18128"
5235 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5236 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5237 client_cert="auth_serv/user.pem",
5238 private_key="auth_serv/user.key")
5239 if dev[0].get_status_field("tls_session_reused") != '0':
5240 raise Exception("Unexpected session resumption on the first connection")
# NOTE(review): the None checks on ev after each wait_event() (5244,
# 5247) are not reproduced in this listing.
5242 dev[0].request("REAUTHENTICATE")
5243 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5245 raise Exception("EAP success timed out")
5246 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5248 raise Exception("Key handshake with the AP timed out")
5249 if dev[0].get_status_field("tls_session_reused") != '0':
5250 raise Exception("Unexpected session resumption on the second connection")
5252 def test_eap_mschapv2_errors(dev, apdev):
5253 """EAP-MSCHAPv2 error cases"""
# Fault injection into the MSCHAPv2 response/key derivation and into
# the allocations of the EAP-MSCHAPv2 peer. Each injected failure must
# abort the authentication cleanly (the trigger fires and the network
# is removed) rather than produce a response derived from partial
# state. A plain connection is done first to confirm the setup works.
5254 check_eap_capa(dev[0], "MSCHAPV2")
5255 check_eap_capa(dev[0], "FAST")
5257 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5258 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): line 5261 (end of this connect() call) is not reproduced
# in this listing.
5259 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5260 identity="phase1-user", password="password",
5262 dev[0].request("REMOVE_NETWORK all")
5263 dev[0].wait_disconnected()
# "inner;outer" names presumably select a failure in the first function
# only when reached through the second; "=" presumably restricts that
# to a direct call. Password-based derivation paths.
5265 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5266 (1, "nt_password_hash;mschapv2_derive_response"),
5267 (1, "nt_password_hash;=mschapv2_derive_response"),
5268 (1, "generate_nt_response;mschapv2_derive_response"),
5269 (1, "generate_authenticator_response;mschapv2_derive_response"),
5270 (1, "nt_password_hash;=mschapv2_derive_response"),
5271 (1, "get_master_key;mschapv2_derive_response"),
5272 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5273 for count, func in tests:
5274 with fail_test(dev[0], count, func):
5275 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5276 identity="phase1-user", password="password",
5277 wait_connect=False, scan_freq="2412")
# Wait until the injected failure has actually been hit before cleanup.
5278 wait_fail_trigger(dev[0], "GET_FAIL")
5279 dev[0].request("REMOVE_NETWORK all")
5280 dev[0].wait_disconnected()
# Same derivation paths, but with the credential supplied as an NT
# password hash ("hash:" prefix), exercising the *_pwhash variants.
5282 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5283 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5284 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5285 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5286 for count, func in tests:
5287 with fail_test(dev[0], count, func):
5288 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5289 identity="phase1-user",
5290 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5291 wait_connect=False, scan_freq="2412")
5292 wait_fail_trigger(dev[0], "GET_FAIL")
5293 dev[0].request("REMOVE_NETWORK all")
5294 dev[0].wait_disconnected()
# Allocation failures in the peer method: init, the challenge reply,
# the success response and key export.
5296 tests = [ (1, "eap_mschapv2_init"),
5297 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5298 (1, "eap_msg_alloc;eap_mschapv2_success"),
5299 (1, "eap_mschapv2_getKey") ]
5300 for count, func in tests:
5301 with alloc_fail(dev[0], count, func):
5302 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5303 identity="phase1-user", password="password",
5304 wait_connect=False, scan_freq="2412")
5305 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5306 dev[0].request("REMOVE_NETWORK all")
5307 dev[0].wait_disconnected()
# A wrong password drives the failure-response path, which has its own
# allocation.
5309 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5310 for count, func in tests:
5311 with alloc_fail(dev[0], count, func):
5312 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5313 identity="phase1-user", password="wrong password",
5314 wait_connect=False, scan_freq="2412")
5315 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5316 dev[0].request("REMOVE_NETWORK all")
5317 dev[0].wait_disconnected()
# Later allocations in eap_mschapv2_init are only reached when it runs
# as the inner method of EAP-FAST, hence the FAST configuration here.
5319 tests = [ (2, "eap_mschapv2_init"),
5320 (3, "eap_mschapv2_init") ]
5321 for count, func in tests:
5322 with alloc_fail(dev[0], count, func):
5323 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
5324 anonymous_identity="FAST", identity="user",
5325 password="password",
5326 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5327 phase1="fast_provisioning=1",
5328 pac_file="blob://fast_pac",
5329 wait_connect=False, scan_freq="2412")
5330 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5331 dev[0].request("REMOVE_NETWORK all")
5332 dev[0].wait_disconnected()
5334 def test_eap_gpsk_errors(dev, apdev):
5335 """EAP-GPSK error cases"""
# Fault injection into the EAP-GPSK peer: RNG, session-id and key
# derivation, MIC computation/validation, and the method's allocations.
# Each case must abort cleanly once the trigger fires. A plain
# connection is done first to confirm the setup works.
5336 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5337 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): line 5341 (end of this connect() call) is not reproduced
# in this listing.
5338 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5339 identity="gpsk user",
5340 password="abcdefghijklmnop0123456789abcdef",
5342 dev[0].request("REMOVE_NETWORK all")
5343 dev[0].wait_disconnected()
# (count, func, phase1) triples; the third element selects the cipher
# suite via phase1 where the failure is suite-specific (None = default).
# NOTE(review): lines 5347, 5349, 5353 and 5355 (the phase1 values of
# the wrapped entries) and 5364 (presumably the phase1 argument of the
# connect() call) are not reproduced in this listing.
5345 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5346 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5348 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5350 (1, "eap_gpsk_derive_keys_helper", None),
5351 (2, "eap_gpsk_derive_keys_helper", None),
5352 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5354 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5356 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5357 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5358 (1, "eap_gpsk_derive_mid_helper", None) ]
5359 for count, func, phase1 in tests:
5360 with fail_test(dev[0], count, func):
5361 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5362 identity="gpsk user",
5363 password="abcdefghijklmnop0123456789abcdef",
5365 wait_connect=False, scan_freq="2412")
5366 wait_fail_trigger(dev[0], "GET_FAIL")
5367 dev[0].request("REMOVE_NETWORK all")
5368 dev[0].wait_disconnected()
# Allocation failures; erp="1" (with the ERP cache flushed first) is
# used so that the EMSK/session-id export paths at the end of the list
# are actually reached.
5370 tests = [ (1, "eap_gpsk_init"),
5371 (2, "eap_gpsk_init"),
5372 (3, "eap_gpsk_init"),
5373 (1, "eap_gpsk_process_id_server"),
5374 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5375 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5376 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5377 (1, "eap_gpsk_derive_keys"),
5378 (1, "eap_gpsk_derive_keys_helper"),
5379 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5380 (1, "eap_gpsk_getKey"),
5381 (1, "eap_gpsk_get_emsk"),
5382 (1, "eap_gpsk_get_session_id") ]
5383 for count, func in tests:
5384 with alloc_fail(dev[0], count, func):
5385 dev[0].request("ERP_FLUSH")
5386 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5387 identity="gpsk user", erp="1",
5388 password="abcdefghijklmnop0123456789abcdef",
5389 wait_connect=False, scan_freq="2412")
5390 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5391 dev[0].request("REMOVE_NETWORK all")
5392 dev[0].wait_disconnected()
5394 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
5395 """EAP-SIM DB error cases"""
# hostapd's EAP-SIM server talks to the HLR/AuC gateway over a Unix
# datagram socket. This test stands in for the gateway with a local
# server and drives three situations: socket not there at all, malformed
# or missing replies (request timeout), and finally a valid reply
# produced by the real hlr_auc_gw binary. In the failure cases the
# station must receive EAP-Failure, never a successful authentication.
# `params` here is the hwsim test parameter dict (logdir is used below).
5396 sockpath = '/tmp/hlr_auc_gw.sock-test'
# NOTE(review): lines 5397-5400 (presumably handling of a stale socket
# path before it is reused) are not reproduced in this listing.
5401 hparams = int_eap_server_params()
5402 hparams['eap_sim_db'] = 'unix:' + sockpath
5403 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
5405 # Initial test with hlr_auc_gw socket not available
5406 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
5407 eap="SIM", identity="1232010000000000",
5408 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5409 scan_freq="2412", wait_connect=False)
5410 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the None checks on ev (5411, 5437) and the `def handle`
# lines of both handler classes (5419, 5445) are not reproduced in
# this listing.
5412 raise Exception("EAP-Failure not reported")
5413 dev[0].wait_disconnected()
5414 dev[0].request("DISCONNECT")
5416 # Test with invalid responses and response timeout
# Handler that answers every request with three replies the EAP-SIM DB
# parser must reject (too short, too short, unknown response type) and
# then stays silent so the pending request times out.
5418 class test_handler(SocketServer.DatagramRequestHandler):
5420 data = self.request[0].strip()
5421 socket = self.request[1]
5422 logger.debug("Received hlr_auc_gw request: " + data)
5423 # EAP-SIM DB: Failed to parse response string
5424 socket.sendto("FOO", self.client_address)
5425 # EAP-SIM DB: Failed to parse response string
5426 socket.sendto("FOO 1", self.client_address)
5427 # EAP-SIM DB: Unknown external response
5428 socket.sendto("FOO 1 2", self.client_address)
5429 logger.info("No proper response - wait for pending eap_sim_db request timeout")
5431 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
# NOTE(review): lines 5432-5433 are not reproduced in this listing.
5434 dev[0].select_network(id)
# handle_request() serves exactly one datagram, so each round below
# processes a single gateway request.
5435 server.handle_request()
5436 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5438 raise Exception("EAP-Failure not reported")
5439 dev[0].wait_disconnected()
5440 dev[0].request("DISCONNECT")
5442 # Test with a valid response
# Handler that forwards the request to the real hlr_auc_gw binary
# (fed with the Milenage DB from logdir) and relays its answer.
# NOTE(review): lines 5452 (the remaining Popen arguments) and 5455 are
# not reproduced in this listing. The child process is read from but
# never waited for, so a finished child may linger until the test
# process exits.
5444 class test_handler2(SocketServer.DatagramRequestHandler):
5446 data = self.request[0].strip()
5447 socket = self.request[1]
5448 logger.debug("Received hlr_auc_gw request: " + data)
5449 fname = os.path.join(params['logdir'],
5450 'hlr_auc_gw.milenage_db')
5451 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
5453 stdout=subprocess.PIPE)
5454 res = cmd.stdout.read().strip()
5456 logger.debug("hlr_auc_gw response: " + res)
5457 socket.sendto(res, self.client_address)
# Reuse the bound socket; only the handler class changes.
5459 server.RequestHandlerClass = test_handler2
5461 dev[0].select_network(id)
5462 server.handle_request()
5463 dev[0].wait_connected()
5464 dev[0].request("DISCONNECT")
5465 dev[0].wait_disconnected()
5467 def test_eap_tls_sha512(dev, apdev, params):
5468 """EAP-TLS with SHA512 signature"""
# Server chain signed with SHA-512. dev[0] authenticates with the
# SHA-512-signed user certificate, dev[1] with the SHA-384-signed one,
# both against the same CA; both are expected to connect.
# NOTE(review): the `params` fixture argument is immediately shadowed
# by the local server configuration below.
5469 params = int_eap_server_params()
5470 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5471 params["server_cert"] = "auth_serv/sha512-server.pem"
5472 params["private_key"] = "auth_serv/sha512-server.key"
5473 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): lines 5480 and 5486 (end of the two connect() calls) are
# not reproduced in this listing.
5475 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5476 identity="tls user sha512",
5477 ca_cert="auth_serv/sha512-ca.pem",
5478 client_cert="auth_serv/sha512-user.pem",
5479 private_key="auth_serv/sha512-user.key",
5481 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5482 identity="tls user sha512",
5483 ca_cert="auth_serv/sha512-ca.pem",
5484 client_cert="auth_serv/sha384-user.pem",
5485 private_key="auth_serv/sha384-user.key",
5488 def test_eap_tls_sha384(dev, apdev, params):
5489 """EAP-TLS with SHA384 signature"""
# As the SHA-512 case, but the server certificate is the SHA-384-signed
# one (issued by the same sha512 CA). Both client certificates are
# expected to be accepted.
# NOTE(review): the `params` fixture argument is immediately shadowed
# by the local server configuration below.
5490 params = int_eap_server_params()
5491 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5492 params["server_cert"] = "auth_serv/sha384-server.pem"
5493 params["private_key"] = "auth_serv/sha384-server.key"
5494 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): lines 5501 and 5507 (end of the two connect() calls) are
# not reproduced in this listing.
5496 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5497 identity="tls user sha512",
5498 ca_cert="auth_serv/sha512-ca.pem",
5499 client_cert="auth_serv/sha512-user.pem",
5500 private_key="auth_serv/sha512-user.key",
5502 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5503 identity="tls user sha512",
5504 ca_cert="auth_serv/sha512-ca.pem",
5505 client_cert="auth_serv/sha384-user.pem",
5506 private_key="auth_serv/sha384-user.key",
5509 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
5510 """WPA2-Enterprise AP and association request RSN IE differences"""
# The station's (Re)Association Request RSN element is overridden via
# set_test_assoc_ie() and the AP's parsing is checked: well-formed
# variants (optional trailing fields omitted or extra ones appended)
# must be accepted, while unsupported ciphers and PMF policy
# violations must be rejected with the specific 802.11 status code.
5511 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5512 hostapd.add_ap(apdev[0]['ifname'], params)
# Second AP requires management frame protection (ieee80211w=2).
5514 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
5515 params["ieee80211w"] = "2"
5516 hostapd.add_ap(apdev[1]['ifname'], params)
5518 # Success cases with optional RSN IE fields removed one by one
# NOTE(review): lines 5533, 5547, 5559 and 5578 (first statement of each
# loop body, presumably logging the title) and 5538/5552 (end of the
# connect() calls) are not reproduced in this listing.
5519 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5520 "30140100000fac040100000fac040100000fac010000"),
5521 ("Extra PMKIDCount field in RSN IE",
5522 "30160100000fac040100000fac040100000fac0100000000"),
5523 ("Extra Group Management Cipher Suite in RSN IE",
5524 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
5525 ("Extra undefined extension field in RSN IE",
5526 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
5527 ("RSN IE without RSN Capabilities",
5528 "30120100000fac040100000fac040100000fac01"),
5529 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
5530 ("RSN IE without pairwise", "30060100000fac04"),
5531 ("RSN IE without group", "30020100") ]
5532 for title, ie in tests:
5534 set_test_assoc_ie(dev[0], ie)
5535 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5536 identity="gpsk user",
5537 password="abcdefghijklmnop0123456789abcdef",
5539 dev[0].request("REMOVE_NETWORK all")
5540 dev[0].wait_disconnected()
# Accepted on the PMF-required AP: capabilities 0xcc (MFPC/MFPR set),
# with and without an explicit group management cipher (00-0f-ac-06).
5542 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5543 "30140100000fac040100000fac040100000fac01cc00"),
5544 ("Group management cipher included in assoc req RSN IE",
5545 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
5546 for title, ie in tests:
5548 set_test_assoc_ie(dev[0], ie)
5549 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5550 eap="GPSK", identity="gpsk user",
5551 password="abcdefghijklmnop0123456789abcdef",
5553 dev[0].request("REMOVE_NETWORK all")
5554 dev[0].wait_disconnected()
# Rejections: TKIP (00-0f-ac-02) as group or pairwise cipher against a
# CCMP-only AP. The expected status codes are checked in the
# CTRL-EVENT-ASSOC-REJECT event text.
5556 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
5557 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
5558 for title, ie, status in tests:
5560 set_test_assoc_ie(dev[0], ie)
5561 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5562 identity="gpsk user",
5563 password="abcdefghijklmnop0123456789abcdef",
5564 scan_freq="2412", wait_connect=False)
5565 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
# NOTE(review): the None checks on ev (5566, 5585) are not reproduced in
# this listing.
5567 raise Exception("Association rejection not reported")
5568 if "status_code=" + str(status) not in ev:
5569 raise Exception("Unexpected status code: " + ev)
5570 dev[0].request("REMOVE_NETWORK all")
5571 dev[0].dump_monitor()
# Rejections on the PMF-required AP: no MFP capability advertised, and
# an unsupported group management cipher (00-0f-ac-0b); both status 31.
5573 tests = [ ("Management frame protection not enabled",
5574 "30140100000fac040100000fac040100000fac010000", 31),
5575 ("Unsupported management group cipher",
5576 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
5577 for title, ie, status in tests:
5579 set_test_assoc_ie(dev[0], ie)
5580 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5581 eap="GPSK", identity="gpsk user",
5582 password="abcdefghijklmnop0123456789abcdef",
5583 scan_freq="2412", wait_connect=False)
5584 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5586 raise Exception("Association rejection not reported")
5587 if "status_code=" + str(status) not in ev:
5588 raise Exception("Unexpected status code: " + ev)
5589 dev[0].request("REMOVE_NETWORK all")
5590 dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the external CTRL-REQ-EXT_CERT_CHECK verdict is applied on top of the
    # supplicant's own chain validation.  The profile is only added here
    # (only_add_network=True); run_ext_cert_check brings up the AP, selects
    # the network and drives the good/bad verdict sequence.
    tls_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **tls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so in this variant the external CTRL-REQ-EXT_CERT_CHECK
    # verdict driven by run_ext_cert_check is the only validation applied to
    # the server certificate.  The profile is only added here; the helper
    # brings up the AP and selects it.
    ttls_cfg = {
        "key_mgmt": "WPA-EAP", "eap": "TTLS",
        "identity": "pap user", "anonymous_identity": "ttls",
        "password": "password", "phase2": "auth=PAP",
        "phase1": "tls_ext_cert_check=1", "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **ttls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set).
    # PEAP with MSCHAPv2 inside; the profile is only added here and
    # run_ext_cert_check brings up the AP, selects the network and answers
    # the CTRL-REQ-EXT_CERT_CHECK requests.
    outer = dict(key_mgmt="WPA-EAP", eap="PEAP",
                 identity="user", anonymous_identity="peap",
                 ca_cert="auth_serv/ca.pem")
    inner = dict(password="password", phase2="auth=MSCHAPV2")
    extra = dict(phase1="tls_ext_cert_check=1", scan_freq="2412",
                 only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **outer, **inner, **extra)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    # Skip when the build has no EAP-FAST (check_eap_capa raises HwsimSkip).
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Reset the PAC blob to an empty value before adding the profile;
    # run_ext_cert_check issues the same request between its two attempts.
    dev[0].request("SET blob fast_pac_auth_ext ")
    # Only add the profile; run_ext_cert_check brings up the AP and selects
    # it.  fast_provisioning=2 is wpa_supplicant's authenticated provisioning
    # mode and the PAC is kept in the blob reset above.
    # NOTE(review): one argument line of this connect() call is missing from
    # this copy of the file (the sibling tests pass scan_freq here); confirm
    # against the full file.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the tls_ext_cert_check flow for a profile the caller already added.

    First connection: collect the server certificate chain reported through
    CTRL-EVENT-EAP-PEER-CERT, check that the supplicant does not complete
    EAP before the external verdict, answer "good" and expect a connection.
    Second connection: answer "bad" and expect EAP-Failure.

    NOTE(review): this copy of the file is missing several lines of this
    function (the loop and condition headers around the event handling, the
    certificate dictionary setup, the guards in front of the raise
    statements and the DER argument of each load_certificate call).  The
    comments below describe only the visible statements; confirm the control
    flow against the full file.

    Parameters:
      dev: station list; dev[0] is the supplicant under test.
      apdev: AP list; apdev[0] hosts the test AP.
      net_id: id returned by the caller's connect(..., only_add_network=True)
              with phase1="tls_ext_cert_check=1".

    Raises HwsimSkip when the supplicant build or the OpenSSL python binding
    is unavailable; raises Exception on any deviation from the expected
    sequence.
    """
    check_ext_cert_check_support(dev[0])
    # pyOpenSSL is needed below to parse the DER certificates reported by
    # the supplicant (openssl_imported is set at module import time).
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # Collect CTRL-EVENT-EAP-PEER-CERT events until the supplicant asks for
    # the external verdict; EAP-SUCCESS must not be seen before that.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                            "CTRL-REQ-EXT_CERT_CHECK",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): the guard for this raise (no event within the timeout)
    # is not visible in this copy.
    raise Exception("No peer server certificate event seen")
    if "CTRL-EVENT-EAP-PEER-CERT" in ev:
        # Event fields are space separated key=value pairs; pick the chain
        # depth and the hex-encoded certificate.  The loop header binding v
        # and the depth/cert initialisation are not visible here.
        vals = ev.split(' ')
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            cert = v.split('=')[1]
        if depth is not None and cert:
            # Store the DER bytes per depth; the CN checks below expect the
            # server certificate and its issuer to have been reported.
            certs[depth] = binascii.unhexlify(cert)
    elif "CTRL-EVENT-EAP-SUCCESS" in ev:
        # Authentication completing without an external verdict defeats the
        # feature under test.
        raise Exception("Unexpected EAP-Success")
    elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
        # The request id is the suffix of "CTRL-REQ-EXT_CERT_CHECK-<id>:"
        # and is echoed back in the CTRL-RSP below.
        id = ev.split(':')[0].split('-')[-1]
    # NOTE(review): the conditions guarding these two raises (presence of
    # the server and issuer entries in certs) are not visible in this copy.
    raise Exception("Server certificate not received")
    raise Exception("Server certificate issuer not received")

    # Parse the DER (ASN.1) blobs; the second argument of each call is not
    # visible in this copy.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # Pin the expected subject CNs of the test server certificate and its
    # issuer (presumably the auth_serv test CA used by the callers).
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # Short wait: the supplicant must hold the EAP exchange until the
    # external verdict is delivered.  The condition on ev is not visible.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    raise Exception("Unexpected EAP-Success before external check result indication")

    # Positive verdict: the connection is expected to complete.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    # Second round.  PMKSA_FLUSH presumably ensures the reconnect cannot
    # skip EAP through PMKSA caching (confirm); the EAP-FAST PAC blob is
    # reset for the FAST caller.  A negative verdict must end in EAP-Failure.
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # NOTE(review): the guard for this raise is not visible in this copy.
    raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): the guard for this raise is not visible in this copy.
    raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases"""
    # Each case arms a one-shot allocation failure (alloc_fail from utils)
    # in a named peer-side function, starts an EAP-TLS style connection,
    # waits for the trigger to fire (wait_fail_trigger) and tears the
    # profile down.  The point is that the peer survives the failure without
    # the connection completing.  A "a;b" trigger name is presumably a
    # call-chain match (failing function and its caller); see utils.alloc_fail.
    # NOTE(review): this copy of the file is missing a few lines of this
    # function: two entries of the tests list and the loop header that binds
    # func, one argument line in two of the connect() calls, and the None
    # check in front of the CTRL-REQ-PIN raise.  Confirm against the full
    # file.
    params = int_eap_server_params()
    # A small fragment size forces reassembly so the first case can reach
    # eap_peer_tls_reassemble_fragment.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # This case additionally expects a CTRL-REQ-PIN request after the
    # failure; the connect() argument that provokes it is on a line missing
    # from this copy.
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        # NOTE(review): the None check guarding this raise is not visible.
        raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Failure points after the TLS handshake: key and session id derivation.
    # NOTE(review): two list entries and the loop header that binds func are
    # not visible in this copy.
    tests = [ "eap_peer_tls_derive_key;eap_tls_success",
              "eap_peer_tls_derive_session_id;eap_tls_success",
              "eap_tls_get_session_id" ]
    with alloc_fail(dev[0], 1, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Same checks for the UNAUTH-TLS and WFA-UNAUTH-TLS variants, which use
    # a server certificate only (no client credentials).
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information"""
    # Polls the verbose STATUS output while a PEAP authentication with
    # EAP-TLS as the inner method runs, recording every distinct value of
    # the EAP state machine variables it sees, so the status reporting is
    # exercised across the whole exchange.
    # NOTE(review): this copy of the file is missing the list initialisations
    # before the loop, the lines following `if state == "SUCCESS":`
    # (presumably the success flag and loop exit), the 'decision' lookup that
    # feeds decisions, and the condition guarding the final raise.  Confirm
    # against the full file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Start without waiting so the loop below can observe intermediate
    # states.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    selected_methods = []
    # Tight polling loop (no sleep); bounded only by the iteration count.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state not in states:
                states.append(state)
            if state == "SUCCESS":
                # NOTE(review): the body of this branch is not visible here.
        if 'methodState' in s:
            val = s['methodState']
            if val not in method_states:
                method_states.append(val)
        # NOTE(review): the lookup that sets val for the decisions list is
        # not visible here.
        if val not in decisions:
            decisions.append(val)
        if 'reqMethod' in s:
            val = s['reqMethod']
            if val not in req_methods:
                req_methods.append(val)
        if 'selectedMethod' in s:
            val = s['selectedMethod']
            if val not in selected_methods:
                selected_methods.append(val)
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    # NOTE(review): the condition guarding this raise (no SUCCESS state
    # observed) is not visible in this copy.
    raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
5863 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
5864 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
5865 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5866 params['wpa_ptk_rekey'] = '2'
5867 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5868 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
5869 password="abcdefghijklmnop0123456789abcdef")
5870 ev = dev[0].wait_event(["WPA: Key negotiation completed"])
5872 raise Exception("PTK rekey timed out")
5873 hwsim_utils.test_connectivity(dev[0], hapd)