1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; the root logger is used (no name), so handler/level
# configuration is presumably done by the hwsim test runner, not here.
logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# pyOpenSSL is optional: tests that need it check openssl_imported and skip
# when it is missing instead of failing at import time.
try:
    import OpenSSL
except ImportError:
    openssl_imported = False
else:
    openssl_imported = True
def check_hlr_auc_gw_support():
    """Skip the test when no hlr_auc_gw socket is present.

    The EAP-SIM/AKA server side needs the HLR/AuC gateway listening on
    /tmp/hlr_auc_gw.sock; without it those tests cannot authenticate anyone.
    """
    sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test unless dev's build advertises EAP method `method`.

    Uses GET_CAPABILITY eap, so this reflects the compiled-in method list of
    that supplicant instance.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless dev's TLS backend is OpenSSL; subject_match is only tested there."""
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + backend)
def check_altsubject_match_support(dev):
    """Skip unless dev's TLS backend is OpenSSL; altsubject_match is only tested there."""
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + backend)
def check_domain_match(dev):
    """Skip when dev uses the internal TLS library, which does not implement domain_match."""
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + backend)
def check_domain_suffix_match(dev):
    """Skip when dev uses the internal TLS library, which does not implement domain_suffix_match."""
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + backend)
def check_domain_match_full(dev):
    """Skip unless dev's TLS backend is OpenSSL.

    Other backends only support a full-match semantics for
    domain_suffix_match, so tests relying on true suffix matching skip.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + backend)
def check_cert_probe_support(dev):
    """Skip unless dev's TLS backend is OpenSSL or the internal library (the only ones with certificate probing)."""
    backend = dev.request("GET tls_library")
    if backend.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + backend)
def check_ext_cert_check_support(dev):
    """Skip unless dev's TLS backend is OpenSSL; external certificate checking is only tested there."""
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + backend)
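def check_ocsp_support(dev):
    """Gate for the OCSP tests; currently no TLS backend is excluded.

    The query is kept so the ctrl_iface exchange matches the other check_*
    helpers and a backend can be excluded again in one place if OCSP support
    regresses. The old commented-out exclusions (internal, BoringSSL) were
    dropped rather than left as dead code.
    """
    dev.request("GET tls_library")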
def check_ocsp_multi_support(dev):
    """Skip unless both sides use the internal TLS library.

    ocsp_multi (OCSP stapling for the whole chain) is only implemented by the
    internal TLS code, so both the supplicant dev and the test authentication
    server (hostapd instance "as") are checked.
    """
    sta_backend = dev.request("GET tls_library")
    if not sta_backend.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + sta_backend)
    auth_server = hostapd.Hostapd("as")
    as_backend = auth_server.request("GET tls_library")
    del auth_server
    if not as_backend.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
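def check_pkcs12_support(dev):
    """Gate for the PKCS#12 tests; currently no TLS backend is excluded.

    The query is kept so the ctrl_iface exchange matches the other check_*
    helpers; the previous commented-out exclusion of the internal TLS library
    was removed instead of being carried as dead code.
    """
    dev.request("GET tls_library")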
def check_dh_dsa_support(dev):
    """Skip when dev uses the internal TLS library (no DSA-signed DH parameter support)."""
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + backend)
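def read_pem(fname):
    """Return the DER bytes of the first PEM object in file fname.

    Lines strictly between the first "-----BEGIN" line and the following
    "-----END" line are collected and base64-decoded. Nothing is validated:
    a file without markers decodes to an empty byte string, and the object
    type (certificate, key, ...) is not checked -- callers must not treat the
    result as trusted.
    """
    body = []
    copying = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if copying:
                body.append(line)
            if "-----BEGIN" in line:
                copying = True
    # join once instead of repeated string concatenation
    return base64.b64decode("".join(body))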
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Add the "test-wpa2-eap" network on dev and run the EAP exchange against ap.

    The network allows both WPA-EAP and WPA-EAP-SHA256 AKMs and requests PMF
    as optional (ieee80211w=1). Extra keyword arguments (password, ca_cert,
    phase1, ...) are passed straight to dev.connect(). The exchange itself is
    verified by eap_check_auth(); on success the AP must also report
    AP-STA-CONNECTED. Returns the network id; raises Exception on deviation.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    if not expect_failure:
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow dev's EAP exchange through its control events and verify the result.

    initial: True for a fresh association (wait for CTRL-EVENT-CONNECTED),
        False after REAUTHENTICATE (wait for the new key handshake).
    expect_failure: expect CTRL-EVENT-EAP-FAILURE followed by a disconnection.
        Unless local_error_report is set, the disconnection must carry
        reason=23 (the IEEE 802.11 "802.1X authentication failed" code).
    maybe_local_error: tolerate an early EAP failure or a locally generated
        disconnection instead of treating them as test errors.
    Returns the STATUS dict on success (None on the tolerated/failure paths);
    raises Exception on any deviation, including a wrong key_mgmt AKM.
    """
    if dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
        raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disc = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in disc:
            return
        if not local_error_report and "reason=23" not in disc:
            raise Exception("Proper reason code for disconnection not reported")
        return

    if dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")

    done_event = "CTRL-EVENT-CONNECTED" if initial else "WPA: Key negotiation completed"
    if dev.wait_event([done_event], timeout=10) is None:
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The 802.1X controlled port must be open, not just the association done
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_akm = "WPA2-EAP-SHA256"
    elif rsn:
        expected_akm = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_akm = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_akm:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on dev and verify the resulting EAP exchange.

    Same checks as eap_check_auth() with initial=False, i.e. completion is
    detected by the new key negotiation rather than a fresh association.
    Returns whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    return eap_check_auth(dev, method, False,
                          rsn=rsn, sha256=sha256, expect_failure=expect_failure)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    The password is the Ki:OPc pair (hex) for the supplicant's built-in
    GSM-Milenage; the values match the auth_serv/hlr_auc_gw.milenage_db test
    database used by hlr_auc_gw. After the positive cases, every malformed or
    wrong key must end in an EAP failure rather than a connection.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    # IMSI not provisioned on the server side -> must fail even with a valid key
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    negative = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in negative:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)
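def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Drives the server's SQLite-backed EAP-SIM state (reauth and pseudonyms
    tables in hostapd.db) directly to exercise fast re-auth, pseudonym and
    permanent-identity full auth, a corrupted master key (must fail) and
    counter mismatch / exhaustion (must fall back to full auth).
    The sqlite connection is closed on every exit path.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def hostapd_db(*statements):
            # One committed transaction against the server's database
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=good_key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        hostapd_db("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        hostapd_db("DELETE FROM reauth WHERE permanent='1232010000000000'",
                   "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        # A tampered server-side MK must not yield a usable session
        hostapd_db("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=good_key)
        hostapd_db("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        hostapd_db("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=good_key)
        hostapd_db("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        con.close()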
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    sim_min_num_chal must be 2 or 3: values 1 and 4 must make the method
    fail to initialize; 2 must work, as must a configured anonymous_identity.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    for num_chal, missing in ((1, "No EAP error message seen"),
                              (4, "No EAP error message seen (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1="sim_min_num_chal=%d" % num_chal,
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_error], timeout=10) is None:
            raise Exception(missing)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    # external_sim is a global supplicant setting; restore it even on failure
    # so it cannot leak into later tests on dev[0].
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
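def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext (the caller restores external_sim).

    With external_sim=1 the supplicant does not run GSM-Milenage itself: it
    raises CTRL-REQ-SIM-<id>:GSM-AUTH:<RAND...> and trusts the control
    interface client to answer with Kc:SRES values. Anything accepted on that
    path feeds key derivation, so this test sends a UMTS answer and a series
    of malformed GSM-AUTH answers and requires each one to end in
    CTRL-EVENT-EAP-FAILURE instead of a connection.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Wait for the external-auth request and return its request id
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    # IK:CK:RES -- a UMTS-AUTH answer to a GSM-AUTH request. The ctrl_iface
    # command itself is accepted; the method must reject it while processing.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    # Malformed GSM-AUTH answers: non-hex, wrong length, truncated pairs.
    # They pass the ctrl_iface parser ("OK") but must fail GSM auth validation.
    bad_responses = ["q",
                     "34",
                     "0011223344556677",
                     "0011223344556677:q",
                     "0011223344556677:00112233",
                     "0011223344556677:00112233:q"]
    for bad in bad_responses:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

        dev[0].select_network(id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()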
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
    # Always undo the global external_sim setting, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
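def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim (caller restores external_sim).

    First a normal external-auth connection: the RAND from CTRL-REQ-SIM is fed
    to the hlr_auc_gw tool with the test Milenage database and the returned
    triplets are passed back via CTRL-RSP-SIM. Then the permanent identity is
    changed (a "new SIM") while the pseudonym learned for the old one is kept;
    the server must not accept that stale pseudonym for the new subscriber,
    so the second attempt has to end in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, compute the answer with hlr_auc_gw, send it back
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]

        # argv list, no shell: rand comes from the supplicant event and is
        # never interpreted by a shell
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        if not isinstance(res, str):
            res = res.decode()  # Python 3: check_output() returns bytes
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].select_network(id, freq="2412")
    answer_gsm_auth("232010000000009")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()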
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
    # Always undo the global external_sim setting, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
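def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim2 (caller restores external_sim).

    Same flow as the replace_sim variant, but after swapping the permanent
    identity the stale pseudonym (anonymous_identity) is cleared as well, so
    the second subscriber must authenticate successfully.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, compute the answer with hlr_auc_gw, send it back
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]

        # argv list, no shell involved for the supplicant-provided rand
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        if not isinstance(res, str):
            res = res.decode()  # Python 3: check_output() returns bytes
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()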
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
    # Always undo the global external_sim setting, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
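def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_replace_sim3 (caller restores external_sim).

    No identity is configured, so the supplicant asks for it through
    CTRL-REQ-IDENTITY on every attempt. After the first connection both the
    permanent and pseudonym identities are cleared to simulate a SIM swap;
    the new IMSI is then supplied interactively and must authenticate.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")

    def supply_identity(identity):
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        if ev is None:
            raise Exception("Request for identity timed out")
        rid = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":" + identity)

    def answer_gsm_auth(imsi):
        # Wait for CTRL-REQ-SIM, compute the answer with hlr_auc_gw, send it back
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        rand = p[2].split(' ')[0]

        # argv list, no shell involved for the supplicant-provided rand
        res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
                                       "-m",
                                       "auth_serv/hlr_auc_gw.milenage_db",
                                       "GSM-AUTH-REQ " + imsi + " " + rand])
        if not isinstance(res, str):
            res = res.decode()  # Python 3: check_output() returns bytes
        if "GSM-AUTH-RESP" not in res:
            raise Exception("Unexpected hlr_auc_gw response")
        resp = res.split(' ')[2].rstrip()
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)

    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    supply_identity("1232010000000000")
    answer_gsm_auth("232010000000000")
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(id, "identity", "NULL")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    supply_identity("1232010000000009")
    answer_gsm_auth("232010000000009")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()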
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing"""
    # Always undo the global external_sim setting, whatever the body does.
    try:
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext_auth_fail (caller restores external_sim).

    The external SIM handler answers the GSM-AUTH request with GSM-FAIL; the
    supplicant must report CTRL-EVENT-EAP-FAILURE and not connect.
    """
    check_hlr_auc_gw_support()
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                   identity="1232010000000000",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    if ev is None:
        raise Exception("Wait for external SIM processing request timed out")
    rid = ev.split(':', 2)[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Forces the 1st..12th allocation inside milenage_f2345 to fail in turn;
    each attempt must still reach EAP method selection and then disconnect
    cleanly (fail_test verifies the trigger was actually hit).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    for count in range(1, 13):
        with fail_test(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
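def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    The password is Ki:OPc:SQN (hex) for the supplicant's built-in Milenage;
    the values match the auth_serv/hlr_auc_gw.milenage_db test database.
    After the positive case every wrong or malformed key must end in an EAP
    failure. Each negative case now starts from an empty network list, like
    the EAP-SIM test does, instead of stacking network blocks on top of the
    previous failed one.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    negative = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, key in negative:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                expect_failure=True)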
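def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Drives the server's SQLite-backed EAP-AKA state (reauth and pseudonyms
    tables in hostapd.db) directly to exercise fast re-auth, pseudonym and
    permanent-identity full auth, a corrupted master key (must fail) and
    counter mismatch / exhaustion (must fall back to full auth).
    The sqlite connection is closed on every exit path.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def hostapd_db(*statements):
            # One committed transaction against the server's database
            with con:
                cur = con.cursor()
                for stmt in statements:
                    cur.execute(stmt)

        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=good_key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        hostapd_db("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        hostapd_db("DELETE FROM reauth WHERE permanent='0232010000000000'",
                   "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        # A tampered server-side MK must not yield a usable session
        hostapd_db("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=good_key)
        hostapd_db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        hostapd_db("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=good_key)
        hostapd_db("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        con.close()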
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Only checks that a configured anonymous_identity still lets EAP-AKA
    authenticate with the test Milenage key (Ki:OPc:SQN).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # external_sim is a global supplicant setting; restore it even on failure
    # so it cannot leak into later tests on dev[0].
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """EAP-AKA with the UMTS algorithm run outside wpa_supplicant.

    With external_sim=1 wpa_supplicant asks the control interface for the
    UMTS-AUTH result (CTRL-REQ-SIM) instead of computing it itself. The
    test feeds it a wrong response type, malformed AUTS values and a set of
    malformed UMTS-AUTH responses, and expects EAP-FAILURE every time.

    NOTE(review): several lines of this function (the "if ev is None:"
    guards, the "p = ev.split(':', 2)" parsing lines and the
    "for t in tests:" loop header) are not visible in this extract; the
    visible lines are kept as shown.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # `id` shadows the builtin; it is the network id used by select_network()
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
        raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # p[1] is the request type; EAP-AKA must ask for UMTS-AUTH, not GSM-AUTH
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # request id, taken from the "CTRL-REQ-SIM-<id>" prefix
    rid = p[0].split('-')[3]
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # Answer a UMTS-AUTH request with a GSM-AUTH response: the ctrl_iface
    # accepts the command, but EAP processing must reject the mismatch.
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Resynchronization path: a UMTS-AUTS response of the wrong length (14
    # bytes here, then 1 byte) must not be accepted.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    # The server re-challenges after the first AUTS; answer that with an
    # even shorter AUTS.
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Malformed UMTS-AUTH responses (format is IK:CK:RES). In order: a
    # well-formed response that does not match the server's challenge, '.'
    # instead of ':' as separator, a short IK/CK, '.' before RES, an
    # over-long RES and a non-hex character. Every one must end in
    # EAP-FAILURE rather than in a successful association.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
        # (loop body; the "for t in tests:" header is not visible here)
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
            raise Exception("Wait for external SIM processing request timed out")
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # NOTE(review): the try/finally wrapper lines are not visible in this
    # extract; the external_sim reset below presumably runs in a finally
    # block so that later tests never inherit external SIM mode.
    _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """External UMTS auth answering UMTS-FAIL: EAP must end in failure.

    NOTE(review): the "if ev is None:" guard and the "p = ev.split(':', 2)"
    line are not visible in this extract; the visible lines are kept as
    shown.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # No password here: the UMTS result is expected to come from the
    # control interface, not from a locally configured Ki/OPc.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # request id from the "CTRL-REQ-SIM-<id>" prefix
    rid = p[0].split('-')[3]
    # The external SIM reports that it could not authenticate the network
    # (e.g. MAC check failed); the peer must abort with EAP-FAILURE.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'.

    Covers a full authentication plus fast re-authentication, the AKA'
    bidding protection when plain EAP-AKA is also enabled on the peer, and
    a negative run with a corrupted subscriber key.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    imsi = "6555444333222111"
    # Test subscriber credentials (Milenage Ki:OPc:SQN as far as the hwsim
    # hlr_auc_gw setup goes -- confirm against the auth_serv configuration)
    creds = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    # With both methods offered, the server must not be able to downgrade
    # the peer to plain EAP-AKA; the connection is still expected to succeed.
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=creds,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    # First byte of Ki changed (51 -> ff): authentication must fail, not
    # silently succeed.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password="ff" + creds[2:],
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    The EAP server keeps its pseudonym/reauth state in an SQLite database;
    the test edits that database directly (deleting rows, corrupting k_aut,
    changing the counter) and checks that the peer still ends up in the
    right kind of authentication, or fails where it must.

    NOTE(review): the "try: import sqlite3 / except ImportError:" lines and
    the "with con:" / "cur = con.cursor()" lines around each cur.execute()
    are not visible in this extract; the visible lines are kept as shown.
    """
    check_hlr_auc_gw_support()
        raise HwsimSkip("No sqlite3 module available")
    # Same database file the internal EAP server in hostapd writes to
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Port 1814 is where the SQL-backed RADIUS server instance listens
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    # Drop the reauth row: the next reauth has to fall back to a full
    # authentication, using the pseudonym that is still stored.
    logger.info("AKA' full auth with pseudonym")
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # Drop the pseudonym as well: full auth with the permanent identity.
    logger.info("AKA' full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # Corrupt the stored K_aut: the AT_MAC check on the reauth exchange must
    # fail, i.e. the server must not accept a reauth it cannot authenticate.
    logger.info("AKA' reauth with mismatching k_aut")
        cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Server-side counter moved ahead of the peer's: reauth still completes
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    # ... and again with a counter mismatch after a reauth has happened
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Counter past the server's reauth limit: the server should force a full
    # authentication instead of another fast reauth (eap_reauth presumably
    # still succeeds -- confirm whether it checks the method used)
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # NOTE(review): the try/finally wrapper lines are not visible in this
    # extract; the external_sim reset below presumably runs in a finally
    # block so that later tests never inherit external SIM mode.
    _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """External UMTS auth answering UMTS-FAIL for EAP-AKA'.

    NOTE(review): the "if ev is None:" guard lines are not visible in this
    extract; the visible lines are kept as shown.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # No password: the UMTS result is expected from the control interface
    id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                        identity="6555444333222111",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:<type>:<data>" -> request id is in the prefix
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    # The external SIM could not authenticate the network; the peer must
    # abort with EAP-FAILURE instead of proceeding.
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP.

    PAP sends the password in clear inside the TTLS tunnel, so the server
    certificate validation (ca_cert) is the only thing protecting the
    credential; the test also checks the AKM reported via the MIB.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check the AP side before using it: first listed AKM is WPA-EAP
    reported = ap.get_config()['key_mgmt']
    if reported.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + reported)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                password="password", anonymous_identity="ttls",
                phase2="auth=PAP", ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X (WPA-EAP) AKM suite selector
    expected_akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", expected_akm)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match.

    On top of the CA check, the server certificate's subject and
    altSubjectName entries are matched; this is what keeps another
    certificate issued by the same CA from being accepted as the TTLS
    server.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert_constraints = {
        'subject_match': "/C=FI/O=w1.fi/CN=server.w1.fi",
        'altsubject_match': "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                password="password", anonymous_identity="ttls",
                phase2="auth=PAP", ca_cert="auth_serv/ca.pem",
                **cert_constraints)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password.

    Two failure cases: the PAP user with a wrong password, and the right
    password for an identity that is presumably not provisioned for PAP on
    the test server.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **tunnel)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **tunnel)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP.

    Uses the DER-encoded CA certificate (ca.der) so both ca_cert encodings
    get exercised across the TTLS tests.
    """
    # CHAP is MD5-based and therefore unavailable in FIPS mode
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                password="password", anonymous_identity="ttls",
                phase2="auth=CHAP", ca_cert="auth_serv/ca.der")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with altsubject_match.

    Same as the plain CHAP case, but the server certificate is additionally
    matched against a list of altSubjectName entries (the order of the
    entries differs from the PAP variant on purpose).
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                password="password", anonymous_identity="ttls",
                phase2="auth=CHAP", ca_cert="auth_serv/ca.der",
                altsubject_match=san_list)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password.

    Wrong password for the CHAP user, and the right password for an identity
    that is presumably not a CHAP user on the test server; both must fail.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **tunnel)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **tunnel)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP.

    Three runs: server name pinned with domain_suffix_match plus a fast
    re-authentication, the same with a small EAP fragment size, and finally
    the password supplied as its NT hash.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAP")

    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # fragment_size=200 forces EAP-TTLS fragmentation/reassembly
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **base)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # The NT hash alone is enough to complete MSCHAP, so it has to be
    # protected exactly like the cleartext password.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password.

    Wrong password, an identity presumably not provisioned for MSCHAP, and
    an unknown user: each must end in failure.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, pw in cases:
        eap_connect(sta, apdev[0], "TTLS", identity, password=pw, **tunnel)
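def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2.

    Full authentication with domain_suffix_match, a re-authentication whose
    effect is verified through the authenticator's EAPOL/EAP counters, and
    a second connection with the password supplied as its NT hash.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The backslash in the identity has to be escaped: "\m" is an invalid
    # escape sequence that only happens to survive as a literal backslash
    # (a warning on newer Python). The identity on the wire is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the authenticator counters, re-authenticate, and check that
    # they moved the way a genuine re-authentication must move them.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # For MSCHAPv2 the NT hash is password-equivalent: it completes the
    # exchange on its own and must be protected like the password itself.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")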
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values

    Each phase2 string is either misspelled (MSCHAPv2 instead of MSCHAPV2),
    mixes auth= and autheap=, or lists several methods; EAP-TTLS must start
    (method 21 proposed) and then fail to initialize rather than connect.

    NOTE(review): the "for t in tests:" loop header is not visible in this
    extract; the visible lines are kept as shown.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
        # NOTE(review): "\m" in the identity is an invalid escape sequence
        # (kept here as-is; "DOMAIN\\mschapv2 user" is the intended literal)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        # method=21 is EAP-TTLS
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # Either outcome is reported; a connection means the bad phase2
        # value was silently accepted, which is the failure case here.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
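def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and a parent-domain suffix match.

    domain_suffix_match="w1.fi" accepts the server certificate for
    server.w1.fi; this only works where the TLS library supports a suffix
    (rather than full) match, hence check_domain_match_full().
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: "\m" is an invalid escape sequence in a Python
    # string literal. The identity on the wire is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")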
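def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match).

    domain_match requires the full server name to match; the mixed-case
    "Server.w1.fi" checks that the comparison is case-insensitive.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: "\m" is an invalid escape sequence in a Python
    # string literal. The identity on the wire is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")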
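def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password.

    A near-miss password ("password1") for the domain user, and the right
    password for an identity presumably not provisioned for MSCHAPv2; both
    must fail.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Backslash escaped: "\m" is an invalid escape sequence in a Python
    # string literal. The identity on the wire is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)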
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    A non-ASCII password given in cleartext, the same credential given as
    its NT hash, and then a set of password_hex values that look like
    invalid UTF-8 / an over-length password, each of which must be rejected
    locally before any EAP exchange succeeds.

    NOTE(review): the "if ev is None:" guard line is not visible in this
    extract; the visible lines are kept as shown.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # "80": a lone UTF-8 continuation byte; "41c041e04141e041": overlong
    # C0/E0 sequences; 257*"41": longer than the maximum password length.
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # Short timeout: the failure is expected to be raised locally
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC.

    EAP-GTC carries the password in clear, so it is only safe inside the
    TTLS tunnel; the tunnel's server certificate check is what protects it.
    """
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", anonymous_identity="ttls",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong GTC password must be rejected by the inner method.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", phase2="autheap=GTC",
                ca_cert="auth_serv/ca.pem", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password.

    The identity presumably has no password configured on the server side;
    the exchange must fail instead of accepting any supplied value.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM

    Allocation failures are injected into the server-side GTC method; the
    server must fail the exchange cleanly rather than crash.

    NOTE(review): the "for i in range(20): time.sleep(0.1)" polling loop and
    its "break" are not visible in this extract; the visible lines are kept
    as shown.
    """
    # Internal EAP server in hostapd so that alloc_fail() reaches the
    # method implementation
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            # GET_ALLOC_FAIL reports the remaining trigger count; '0' means
            # the injected failure has fired
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)

    Peer-side allocation failures in the GTC method; wpa_supplicant must
    survive them and the test just waits for the trigger to fire.

    NOTE(review): the "for func in tests:" loop header and the trailing
    "wait_connect=False, scan_freq=..." argument line of dev[0].connect() are
    not visible in this extract; the visible lines are kept as shown.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "a;b" form fails the allocation in a only when called from b
    tests = [ "eap_gtc_init",
              "eap_msg_alloc;eap_gtc_process" ]
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5.

    EAP-MD5 derives no keys and is trivially offline-crackable on its own;
    it is only acceptable as an inner method inside the TTLS tunnel.
    """
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", anonymous_identity="ttls",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="wrong",
                anonymous_identity="ttls", phase2="autheap=MD5",
                ca_cert="auth_serv/ca.pem", expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password.

    The identity presumably has no password on the server side; the
    exchange must fail rather than accept whatever the peer sends.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM

    Allocation failures injected into the server-side MD5 method; the
    server must fail the exchange cleanly rather than crash.

    NOTE(review): the "for i in range(20): time.sleep(0.1)" polling loop and
    its "break" are not visible in this extract; the visible lines are kept
    as shown.
    """
    check_eap_capa(dev[0], "MD5")
    # Internal EAP server so that alloc_fail() reaches the method code
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            # '0' remaining triggers means the injected failure has fired
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2.

    Successful authentication, connectivity and re-authentication with
    EAP-MSCHAPv2 as the tunneled EAP method, followed by a negative run with
    a near-miss password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password.

    The identity presumably has no password on the server side; the
    exchange must fail rather than accept whatever the peer sends.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                password="password", anonymous_identity="ttls",
                phase2="autheap=MSCHAPV2", ca_cert="auth_serv/ca.pem",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Allocation failures are injected into the server-side MSCHAPv2 method
    at init, challenge build, success-request build and failure-request
    build; each must make the server fail the exchange cleanly.

    NOTE(review): the "for i in range(20): time.sleep(0.1)" polling loops
    and their "break" lines are not visible in this extract; the visible
    lines are kept as shown.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    # Internal EAP server so that alloc_fail() reaches the method code
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            # '0' remaining triggers means the injected failure has fired
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
    # Wrong password on purpose so that the server takes the failure-request
    # path where the allocation failure is injected
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA.

    EAP-AKA run as the tunneled method; the outer identity uses the "@ttls"
    realm so the test server routes it to the TTLS handler.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls", password=aka_creds,
                phase2="autheap=AKA", ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA.

    EAP-AKA run inside PEAP; the outer identity uses the "@peap" realm so
    the test server routes it to the PEAP handler.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap", password=aka_creds,
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA.

    EAP-AKA inside EAP-FAST with authenticated PAC provisioning
    (fast_provisioning=2), the PAC being stored in a named blob.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_creds = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    fast_opts = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast", password=aka_creds,
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem", **fast_opts)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2.

    Full auth plus re-auth, the same with a small EAP fragment size, the
    password supplied as its NT hash, and finally a near-miss password that
    must be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")

    # fragment_size=200 forces PEAP fragmentation/reassembly
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **base)

    # The NT hash is password-equivalent for MSCHAPv2 and has to be
    # protected like the cleartext password.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **base)
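def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain.

    The identity carries a DOMAIN\\user prefix as sent by Windows-style
    clients; the server is expected to authenticate the user part.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The backslash has to be escaped: unescaped, "\user3" is parsed as a
    # (malformed) \u unicode escape by Python 3 and the file fails to
    # compile. The identity on the wire is unchanged.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")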
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password must be rejected by the tunneled MSCHAPv2 exchange.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="wrong",
                anonymous_identity="peap", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    def connect(sta, binding):
        # crypto_binding in phase1: 2 = required, 1 = optional, 0 = disabled
        # (PEAPv0 cryptobinding TLV ties the inner and outer authentication).
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    # Mandatory binding first, including data path and reauthentication.
    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must also connect against this server.
    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_cfg = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # The first allocation inside the server's eap_mschapv2_getKey() is made
    # to fail; with binding required (crypto_binding=2) the peer must report
    # a failure instead of connecting.
    peer_cfg = dict(password="password", ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", **peer_cfg)
1663 def test_ap_wpa2_eap_peap_params(dev, apdev):
1664 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
# NOTE(review): this extract is missing several original lines (the
# identity= argument of the dev[0].connect() calls, one tests[] entry and
# the `if ev is None:` / `if ev is not None:` guards in front of each
# raise). The comments below assume the usual hwsim pattern -- confirm
# against the full file.
1665 check_eap_capa(dev[0], "MSCHAPV2")
1666 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1667 hostapd.add_ap(apdev[0]['ifname'], params)
# peaplabel=1 selects the alternate PEAP key-derivation label; expect_failure
# because the hostapd server presumably derives keys with the default label,
# so the resulting keys do not match.
1668 eap_connect(dev[0], apdev[0], "PEAP", "user",
1669 anonymous_identity="peap", password="password",
1670 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1671 phase1="peapver=0 peaplabel=1",
1672 expect_failure=True)
1673 dev[0].request("REMOVE_NETWORK all")
# peap_outer_success=0: EAP-Success is seen for the tunneled method but the
# association is not expected to complete (see comment below).
1674 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1676 anonymous_identity="peap", password="password",
1677 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1678 phase1="peap_outer_success=0",
1679 wait_connect=False, scan_freq="2412")
1680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1682 raise Exception("No EAP success seen")
1683 # This won't succeed to connect with peap_outer_success=0, so stop here.
1684 dev[0].request("REMOVE_NETWORK all")
1685 dev[0].wait_disconnected()
# peap_outer_success=1 and =2 must both reach a full connection.
1686 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1687 ca_cert="auth_serv/ca.pem",
1688 phase1="peap_outer_success=1",
1689 phase2="auth=MSCHAPV2")
1690 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1691 ca_cert="auth_serv/ca.pem",
1692 phase1="peap_outer_success=2",
1693 phase2="auth=MSCHAPV2")
# peapver=1 with peaplabel=1: EAP-Success is expected, but the connection
# must NOT complete -- the short (1 s) wait for CTRL-EVENT-CONNECTED has to
# time out.
1694 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1696 anonymous_identity="peap", password="password",
1697 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1698 phase1="peapver=1 peaplabel=1",
1699 wait_connect=False, scan_freq="2412")
1700 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1702 raise Exception("No EAP success seen")
1703 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1705 raise Exception("Unexpected connection")
# (anonymous_identity, phase1) pairs whose PEAP versions agree; the
# "peap-ver0"/"peap-ver1" identities presumably select the server-side
# version via eap_user.conf.
1707 tests = [ ("peap-ver0", ""),
1709 ("peap-ver0", "peapver=0"),
1710 ("peap-ver1", "peapver=1") ]
1711 for anon,phase1 in tests:
1712 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1713 identity="user", anonymous_identity=anon,
1714 password="password", phase1=phase1,
1715 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1717 dev[0].request("REMOVE_NETWORK all")
1718 dev[0].wait_disconnected()
# Mismatched version pairs must be rejected with an explicit EAP-Failure
# rather than silently negotiated to the other version.
1720 tests = [ ("peap-ver0", "peapver=1"),
1721 ("peap-ver1", "peapver=0") ]
1722 for anon,phase1 in tests:
1723 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1724 identity="user", anonymous_identity=anon,
1725 password="password", phase1=phase1,
1726 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1727 wait_connect=False, scan_freq="2412")
1728 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1730 raise Exception("No EAP-Failure seen")
1731 dev[0].request("REMOVE_NETWORK all")
1732 dev[0].wait_disconnected()
# Finally exercise the TLS tuning flags accepted in phase1 (MD5 allowed,
# session tickets off, all TLS 1.x versions enabled, external cert check
# off) -- this is about parsing/acceptance of the flags, not about hardening.
1734 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1735 ca_cert="auth_serv/ca.pem",
1736 phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
1737 phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # The inner EAP-TLS run uses the phase-2 (*2) credential parameters; the
    # outer tunnel is validated against the same CA.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Mutual certificate authentication: CA to validate the server, client
    # certificate plus private key for the station.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # The private key is a PKCS#8 container encrypted with PKCS#5 v2 / DES3
    # and must be unlocked with private_key_passwd.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Same as the DES3 variant but the PKCS#8 key uses the older PKCS#5 v1.5
    # password-based encryption.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
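def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are pushed into
    wpa_supplicant as named blobs over the control interface and referenced
    with blob:// URIs instead of file paths.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each blob must be acknowledged before the connection is attempted. The
    # failure message names the blob that failed (previously the userkey
    # failure was reported as "cacert").
    _set_pem_blob(dev[0], "cacert", "auth_serv/ca.pem")
    _set_pem_blob(dev[0], "usercert", "auth_serv/user.pem")
    _set_pem_blob(dev[0], "userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")


def _set_pem_blob(dev, name, path):
    """Load the PEM file at *path* into wpa_supplicant as blob *name*.

    Raises Exception if the control interface does not answer "OK" to the
    SET blob command.
    """
    data = read_pem(path)
    # str.encode("hex") is the Python 2 hex encoding used throughout this file.
    if "OK" not in dev.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set " + name + " blob")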
1794 def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
1795 """EAP-TLS and config blob missing"""
1796 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1797 hostapd.add_ap(apdev[0]['ifname'], params)
# Every credential points at a blob that was never SET. EAP-TLS must refuse
# to initialize (fail closed) rather than start without a trust root or key.
1798 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1799 identity="tls user",
1800 ca_cert="blob://testing-blob-does-not-exist",
1801 client_cert="blob://testing-blob-does-not-exist",
1802 private_key="blob://testing-blob-does-not-exist",
1803 wait_connect=False, scan_freq="2412")
1804 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
# NOTE(review): the `if ev is None:` guard that precedes this raise in the
# original appears to be missing from this extract.
1806 raise Exception("EAP failure not reported")
1807 dev[0].request("REMOVE_NETWORK all")
1808 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # include_tls_length=1 makes the peer send the TLS Message Length field
    # even when the EAP-TLS packet is not fragmented; the server must cope.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 phase1="include_tls_length=1",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
1819 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1820 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1821 check_pkcs12_support(dev[0])
1822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1823 hostapd.add_ap(apdev[0]['ifname'], params)
# First pass: PKCS#12 bundle (client cert + key) with the passphrase stored
# in the network block.
1824 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1825 private_key="auth_serv/user.pkcs12",
1826 private_key_passwd="whatever")
1827 dev[0].request("REMOVE_NETWORK all")
1828 dev[0].wait_disconnected()
# Second pass: no private_key_passwd configured, so wpa_supplicant has to
# request it over the control interface and accept the CTRL-RSP answer.
1830 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1831 identity="tls user",
1832 ca_cert="auth_serv/ca.pem",
1833 private_key="auth_serv/user.pkcs12",
1834 wait_connect=False, scan_freq="2412")
1835 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
# NOTE(review): the `if ev is None:` guard before this raise appears to be
# missing from this extract.
1837 raise Exception("Request for private key passphrase timed out")
# Request id is the trailing "-<id>" of the event token before the first
# ':'; it is echoed back in the CTRL-RSP command. (`id` shadows the builtin.)
1838 id = ev.split(':')[0].split('-')[-1]
1839 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1840 dev[0].wait_connected(timeout=10)
1841 dev[0].request("REMOVE_NETWORK all")
1842 dev[0].wait_disconnected()
1844 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1845 # different files to cover both cases of the extra certificate being the
1846 # one that signed the client certificate and it being unrelated to the
1847 # client certificate.
1848 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
# NOTE(review): the eap_connect() argument that selects the per-iteration
# bundle (presumably private_key=pkcs12) is missing from this extract.
1850 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1851 ca_cert="auth_serv/ca.pem",
1853 private_key_passwd="whatever")
1854 dev[0].request("REMOVE_NETWORK all")
1855 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Both the CA certificate and the PKCS#12 bundle are handed over as
    # hex-encoded blobs (str.encode("hex") is the Python 2 spelling).
    ca_pem = read_pem("auth_serv/ca.pem")
    reply = dev[0].request("SET blob cacert " + ca_pem.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    reply = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1872 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1873 """WPA2-Enterprise negative test - incorrect trust root"""
1874 check_eap_capa(dev[0], "MSCHAPV2")
1875 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1876 hostapd.add_ap(apdev[0]['ifname'], params)
# Two ways of supplying a trust root that did not sign the server
# certificate: dev[0] through a blob, dev[1] through a file path. Both must
# fail server certificate validation.
1877 cert = read_pem("auth_serv/ca-incorrect.pem")
1878 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1879 raise Exception("Could not set cacert blob")
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string; "\m" is not an
# escape so the value survives, but r"..." would be the robust spelling.
1880 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1881 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1882 password="password", phase2="auth=MSCHAPV2",
1883 ca_cert="blob://cacert",
1884 wait_connect=False, scan_freq="2412")
1885 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1886 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1887 password="password", phase2="auth=MSCHAPV2",
1888 ca_cert="auth_serv/ca-incorrect.pem",
1889 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop variable shadows the `dev` parameter; after the loop
# `dev` is a single WpaSupplicant, not the list. Harmless today because
# nothing follows the loop, but rename it (e.g. `sta`) before extending.
# Also: each raise below is preceded by an `if ev is None:` guard in the
# original; those lines are missing from this extract.
1891 for dev in (dev[0], dev[1]):
1892 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
1894 raise Exception("Association and EAP start timed out")
1896 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1898 raise Exception("EAP method selection timed out")
1899 if "TTLS" not in ev:
1900 raise Exception("Unexpected EAP method")
# Ordering is the point of this test: the TLS certificate error must be the
# first outcome, i.e. the tunnel is rejected before the inner MSCHAPv2
# exchange (and the user's credential) could be sent to an unverified server.
1902 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1903 "CTRL-EVENT-EAP-SUCCESS",
1904 "CTRL-EVENT-EAP-FAILURE",
1905 "CTRL-EVENT-CONNECTED",
1906 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1908 raise Exception("EAP result timed out")
1909 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1910 raise Exception("TLS certificate error not reported")
1912 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1913 "CTRL-EVENT-EAP-FAILURE",
1914 "CTRL-EVENT-CONNECTED",
1915 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1917 raise Exception("EAP result(2) timed out")
1918 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1919 raise Exception("EAP failure not reported")
1921 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1922 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1924 raise Exception("EAP result(3) timed out")
1925 if "CTRL-EVENT-DISCONNECTED" not in ev:
1926 raise Exception("Disconnection not reported")
# After the failure the network block must be temporarily disabled so the
# supplicant does not keep retrying against the untrusted server.
1928 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1930 raise Exception("Network block disabling not reported")
1932 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1933 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1934 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# `hapd` is assigned but not used in this function.
1935 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First network block trusts the correct CA and connects normally.
1936 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1937 identity="pap user", anonymous_identity="ttls",
1938 password="password", phase2="auth=PAP",
1939 ca_cert="auth_serv/ca.pem",
1940 wait_connect=True, scan_freq="2412")
# Second block for the same SSID trusts the wrong CA and is only added, not
# selected yet. (`id` shadows the builtin.)
1941 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1942 identity="pap user", anonymous_identity="ttls",
1943 password="password", phase2="auth=PAP",
1944 ca_cert="auth_serv/ca-incorrect.pem",
1945 only_add_network=True, scan_freq="2412")
1947 dev[0].request("DISCONNECT")
1948 dev[0].wait_disconnected()
1949 dev[0].dump_monitor()
1950 dev[0].select_network(id, freq="2412")
# A fresh EAP-TTLS run (method=21) must be proposed; presumably this guards
# against a cached TLS session from the first block being reused under the
# new, different trust configuration.
1952 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): `if ev is None:` guard missing from this extract.
1954 raise Exception("EAP-TTLS not re-started")
# reason=23 is the IEEE 802.11 reason code "IEEE 802.1X authentication
# failed": the wrong trust root must lead to an authentication failure.
1956 ev = dev[0].wait_disconnected(timeout=15)
1957 if "reason=23" not in ev:
1958 raise Exception("Proper reason code for disconnection not reported")
1960 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1961 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1962 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# `hapd` is assigned but not used in this function.
1963 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant of diff_ca_trust: the first block has no ca_cert at all, so the
# server certificate is not validated for that connection. The test is about
# switching to a block that does validate (with the wrong CA).
1964 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1965 identity="pap user", anonymous_identity="ttls",
1966 password="password", phase2="auth=PAP",
1967 wait_connect=True, scan_freq="2412")
# (`id` shadows the builtin.)
1968 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1969 identity="pap user", anonymous_identity="ttls",
1970 password="password", phase2="auth=PAP",
1971 ca_cert="auth_serv/ca-incorrect.pem",
1972 only_add_network=True, scan_freq="2412")
1974 dev[0].request("DISCONNECT")
1975 dev[0].wait_disconnected()
1976 dev[0].dump_monitor()
1977 dev[0].select_network(id, freq="2412")
# EAP-TTLS (method=21) must be re-run rather than a previous session reused.
1979 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): `if ev is None:` guard missing from this extract.
1981 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.11 "IEEE 802.1X authentication failed".
1983 ev = dev[0].wait_disconnected(timeout=15)
1984 if "reason=23" not in ev:
1985 raise Exception("Proper reason code for disconnection not reported")
1987 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1988 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1989 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# `hapd` is assigned but not used in this function.
1990 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant of diff_ca_trust: a single network block whose ca_cert is changed
# in place after a successful connection. (`id` shadows the builtin.)
1991 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1992 identity="pap user", anonymous_identity="ttls",
1993 password="password", phase2="auth=PAP",
1994 ca_cert="auth_serv/ca.pem",
1995 wait_connect=True, scan_freq="2412")
1996 dev[0].request("DISCONNECT")
1997 dev[0].wait_disconnected()
1998 dev[0].dump_monitor()
# Swap the trust root to one that did not sign the server certificate; the
# next attempt must not succeed on the strength of the earlier validation.
1999 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2000 dev[0].select_network(id, freq="2412")
2002 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): `if ev is None:` guard missing from this extract.
2004 raise Exception("EAP-TTLS not re-started")
# reason=23: IEEE 802.11 "IEEE 802.1X authentication failed".
2006 ev = dev[0].wait_disconnected(timeout=15)
2007 if "reason=23" not in ev:
2008 raise Exception("Proper reason code for disconnection not reported")
2010 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
2011 """WPA2-Enterprise negative test - domain suffix mismatch"""
2012 check_domain_suffix_match(dev[0])
2013 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2014 hostapd.add_ap(apdev[0]['ifname'], params)
# The CA is correct; only the domain_suffix_match constraint on the server
# certificate's name fails. That alone must abort the tunnel.
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string ("\m" is not an
# escape, so the value survives, but r"..." is safer).
2015 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2016 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2017 password="password", phase2="auth=MSCHAPV2",
2018 ca_cert="auth_serv/ca.pem",
2019 domain_suffix_match="incorrect.example.com",
2020 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2022 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2024 raise Exception("Association and EAP start timed out")
2026 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2028 raise Exception("EAP method selection timed out")
2029 if "TTLS" not in ev:
2030 raise Exception("Unexpected EAP method")
# The certificate error must be the first outcome and must carry the
# specific "Domain suffix mismatch" reason, so the operator can tell a name
# constraint failure from a trust-chain failure.
2032 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2033 "CTRL-EVENT-EAP-SUCCESS",
2034 "CTRL-EVENT-EAP-FAILURE",
2035 "CTRL-EVENT-CONNECTED",
2036 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2038 raise Exception("EAP result timed out")
2039 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2040 raise Exception("TLS certificate error not reported")
2041 if "Domain suffix mismatch" not in ev:
2042 raise Exception("Domain suffix mismatch not reported")
2044 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2045 "CTRL-EVENT-EAP-FAILURE",
2046 "CTRL-EVENT-CONNECTED",
2047 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2049 raise Exception("EAP result(2) timed out")
2050 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2051 raise Exception("EAP failure not reported")
2053 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2054 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2056 raise Exception("EAP result(3) timed out")
2057 if "CTRL-EVENT-DISCONNECTED" not in ev:
2058 raise Exception("Disconnection not reported")
# The block must be temporarily disabled afterwards (no endless retries).
2060 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2062 raise Exception("Network block disabling not reported")
2064 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
2065 """WPA2-Enterprise negative test - domain mismatch"""
2066 check_domain_match(dev[0])
2067 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2068 hostapd.add_ap(apdev[0]['ifname'], params)
# domain_match requires the full name to match, not just a suffix; the
# server certificate's name presumably lies under w1.fi without being
# exactly w1.fi, so this must fail even though a suffix match would pass.
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string.
2069 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2070 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2071 password="password", phase2="auth=MSCHAPV2",
2072 ca_cert="auth_serv/ca.pem",
2073 domain_match="w1.fi",
2074 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2076 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2078 raise Exception("Association and EAP start timed out")
2080 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2082 raise Exception("EAP method selection timed out")
2083 if "TTLS" not in ev:
2084 raise Exception("Unexpected EAP method")
# Certificate error first, with the specific "Domain mismatch" reason.
2086 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2087 "CTRL-EVENT-EAP-SUCCESS",
2088 "CTRL-EVENT-EAP-FAILURE",
2089 "CTRL-EVENT-CONNECTED",
2090 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2092 raise Exception("EAP result timed out")
2093 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2094 raise Exception("TLS certificate error not reported")
2095 if "Domain mismatch" not in ev:
2096 raise Exception("Domain mismatch not reported")
2098 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2099 "CTRL-EVENT-EAP-FAILURE",
2100 "CTRL-EVENT-CONNECTED",
2101 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2103 raise Exception("EAP result(2) timed out")
2104 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2105 raise Exception("EAP failure not reported")
2107 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2108 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2110 raise Exception("EAP result(3) timed out")
2111 if "CTRL-EVENT-DISCONNECTED" not in ev:
2112 raise Exception("Disconnection not reported")
# The block must be temporarily disabled afterwards (no endless retries).
2114 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2116 raise Exception("Network block disabling not reported")
2118 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
2119 """WPA2-Enterprise negative test - subject mismatch"""
2120 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2121 hostapd.add_ap(apdev[0]['ifname'], params)
# subject_match is an OpenSSL-style DN prefix; CN=example.com is chosen so
# it does not match the server certificate.
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string.
2122 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2123 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2124 password="password", phase2="auth=MSCHAPV2",
2125 ca_cert="auth_serv/ca.pem",
2126 subject_match="/C=FI/O=w1.fi/CN=example.com",
2127 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2129 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2131 raise Exception("Association and EAP start timed out")
2133 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2134 "EAP: Failed to initialize EAP method"], timeout=10)
2136 raise Exception("EAP method selection timed out")
# With a TLS library that does not implement subject_match the method must
# refuse to initialize (fail closed) rather than ignore the constraint; with
# OpenSSL, initialization failure is a bug.
# NOTE(review): the statement after the logger.info() (presumably `return`)
# is missing from this extract.
2137 if "EAP: Failed to initialize EAP method" in ev:
2138 tls = dev[0].request("GET tls_library")
2139 if tls.startswith("OpenSSL"):
2140 raise Exception("Failed to select EAP method")
2141 logger.info("subject_match not supported - connection failed, so test succeeded")
2143 if "TTLS" not in ev:
2144 raise Exception("Unexpected EAP method")
# Certificate error first, with the specific "Subject mismatch" reason.
2146 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2147 "CTRL-EVENT-EAP-SUCCESS",
2148 "CTRL-EVENT-EAP-FAILURE",
2149 "CTRL-EVENT-CONNECTED",
2150 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2152 raise Exception("EAP result timed out")
2153 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2154 raise Exception("TLS certificate error not reported")
2155 if "Subject mismatch" not in ev:
2156 raise Exception("Subject mismatch not reported")
2158 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2159 "CTRL-EVENT-EAP-FAILURE",
2160 "CTRL-EVENT-CONNECTED",
2161 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2163 raise Exception("EAP result(2) timed out")
2164 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2165 raise Exception("EAP failure not reported")
2167 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2168 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2170 raise Exception("EAP result(3) timed out")
2171 if "CTRL-EVENT-DISCONNECTED" not in ev:
2172 raise Exception("Disconnection not reported")
# The block must be temporarily disabled afterwards (no endless retries).
2174 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2176 raise Exception("Network block disabling not reported")
2178 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
2179 """WPA2-Enterprise negative test - altsubject mismatch"""
2180 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2181 hostapd.add_ap(apdev[0]['ifname'], params)
# Each entry is an altsubject_match value that must NOT match the server
# certificate's subjectAltName; the helper below runs the full negative
# sequence once per value.
# NOTE(review): the remaining tests[] entries and the `for match in tests:`
# line are missing from this extract.
2183 tests = [ "incorrect.example.com",
2184 "DNS:incorrect.example.com",
2188 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
2190 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
# Run one EAP-TTLS attempt with altsubject_match=*match* against the AP on
# apdev[0] (which the caller has already started) and verify that it is
# rejected with an "AltSubject mismatch" certificate error.
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string.
2191 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2192 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2193 password="password", phase2="auth=MSCHAPV2",
2194 ca_cert="auth_serv/ca.pem",
2195 altsubject_match=match,
2196 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2198 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2200 raise Exception("Association and EAP start timed out")
2202 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2203 "EAP: Failed to initialize EAP method"], timeout=10)
2205 raise Exception("EAP method selection timed out")
# A TLS library without altsubject_match support must fail closed at method
# initialization; for OpenSSL that would be a bug.
# NOTE(review): the statement after the logger.info() (presumably `return`)
# is missing from this extract.
2206 if "EAP: Failed to initialize EAP method" in ev:
2207 tls = dev[0].request("GET tls_library")
2208 if tls.startswith("OpenSSL"):
2209 raise Exception("Failed to select EAP method")
2210 logger.info("altsubject_match not supported - connection failed, so test succeeded")
2212 if "TTLS" not in ev:
2213 raise Exception("Unexpected EAP method")
# Certificate error first, carrying the specific "AltSubject mismatch" reason.
2215 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2216 "CTRL-EVENT-EAP-SUCCESS",
2217 "CTRL-EVENT-EAP-FAILURE",
2218 "CTRL-EVENT-CONNECTED",
2219 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2221 raise Exception("EAP result timed out")
2222 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
2223 raise Exception("TLS certificate error not reported")
2224 if "AltSubject mismatch" not in ev:
2225 raise Exception("altsubject mismatch not reported")
2227 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2228 "CTRL-EVENT-EAP-FAILURE",
2229 "CTRL-EVENT-CONNECTED",
2230 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2232 raise Exception("EAP result(2) timed out")
2233 if "CTRL-EVENT-EAP-FAILURE" not in ev:
2234 raise Exception("EAP failure not reported")
2236 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
2237 "CTRL-EVENT-DISCONNECTED"], timeout=10)
2239 raise Exception("EAP result(3) timed out")
2240 if "CTRL-EVENT-DISCONNECTED" not in ev:
2241 raise Exception("Disconnection not reported")
2243 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
2245 raise Exception("Network block disabling not reported")
# Clean up so the next *match* value starts from an empty configuration.
2247 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Only a CA certificate is configured: the server is authenticated, no
    # client certificate or password is presented.
    method = "UNAUTH-TLS"
    eap_connect(dev[0], apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
2257 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
2258 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
2259 check_cert_probe_support(dev[0])
2260 skip_with_fips(dev[0])
# SHA-256 fingerprint of the server certificate in auth_serv (pinning
# target for the final connection).
2261 srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
2262 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2263 hostapd.add_ap(apdev[0]['ifname'], params)
# Step 1: ca_cert="probe://" only probes the server certificate chain -- the
# certificate hash is reported, then the handshake is aborted with a
# certificate error. No password is configured, so nothing secret is sent.
2264 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2265 identity="probe", ca_cert="probe://",
2266 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2267 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2269 raise Exception("Association and EAP start timed out")
2270 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
2272 raise Exception("No peer server certificate event seen")
2273 if "hash=" + srv_cert_hash not in ev:
2274 raise Exception("Expected server certificate hash not reported")
2275 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2277 raise Exception("EAP result timed out")
2278 if "Server certificate chain probe" not in ev:
2279 raise Exception("Server certificate probe not reported")
2280 dev[0].wait_disconnected(timeout=10)
2281 dev[0].request("REMOVE_NETWORK all")
# Step 2: pin a hash that does not belong to the server. Validation must
# fail with "Server certificate mismatch" before the inner MSCHAPv2
# exchange can happen.
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string.
2283 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2284 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2285 password="password", phase2="auth=MSCHAPV2",
2286 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2287 wait_connect=False, scan_freq="2412")
2288 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2290 raise Exception("Association and EAP start timed out")
2291 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
2293 raise Exception("EAP result timed out")
2294 if "Server certificate mismatch" not in ev:
2295 raise Exception("Server certificate mismatch not reported")
2296 dev[0].wait_disconnected(timeout=10)
2297 dev[0].request("REMOVE_NETWORK all")
# Step 3: pin the hash learned in step 1; the connection must now succeed
# with no CA certificate at all (pinning replaces chain validation).
2299 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
2300 anonymous_identity="ttls", password="password",
2301 ca_cert="hash://server/sha256/" + srv_cert_hash,
2302 phase2="auth=MSCHAPV2")
2304 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
2305 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2306 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2307 hostapd.add_ap(apdev[0]['ifname'], params)
# Three malformed hash:// pins, one per station. Each must make EAP-TTLS
# refuse to initialize (fail closed) instead of being ignored or
# partially parsed:
#   dev[0]: unsupported digest (md5)
#   dev[1]: sha256 value one byte too short
#   dev[2]: sha256 value containing a non-hex character ('Q')
# NOTE(review): "DOMAIN\mschapv2 user" is not a raw string.
2308 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2309 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2310 password="password", phase2="auth=MSCHAPV2",
2311 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2312 wait_connect=False, scan_freq="2412")
2313 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2314 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2315 password="password", phase2="auth=MSCHAPV2",
2316 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2317 wait_connect=False, scan_freq="2412")
2318 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2319 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
2320 password="password", phase2="auth=MSCHAPV2",
2321 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2322 wait_connect=False, scan_freq="2412")
# NOTE(review): each raise below is preceded by an `if ev is None:` guard in
# the original; those lines are missing from this extract.
2323 for i in range(0, 3):
2324 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
2326 raise Exception("Association and EAP start timed out")
# vendor 0 method 21 is EAP-TTLS.
2327 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
2329 raise Exception("Did not report EAP method initialization failure")
2331 def test_ap_wpa2_eap_pwd(dev, apdev):
2332 """WPA2-Enterprise connection using EAP-pwd"""
2333 check_eap_capa(dev[0], "PWD")
2334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2335 hostapd.add_ap(apdev[0]['ifname'], params)
2336 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2337 eap_reauth(dev[0], "PWD")
2338 dev[0].request("REMOVE_NETWORK all")
# Very long identity to exercise large EAP-pwd Identity/Commit exchanges.
# NOTE(review): the trailing argument(s) of this eap_connect() call and of
# the last one (original lines 2343-2344 and 2352-2353) are missing from
# this extract; they presumably set fragment_size -- confirm.
2340 eap_connect(dev[1], apdev[0], "PWD",
2341 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2342 password="secret password",
2345 logger.info("Negative test with incorrect password")
2346 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2347 expect_failure=True, local_error_report=True)
2349 eap_connect(dev[0], apdev[0], "PWD",
2350 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2351 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # "pwd-hash" (presumably a user whose server-side secret is an NT hash)
    # must authenticate with both the plaintext and the hash form.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # The same hash must be rejected for "pwd user".
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2367 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2368 """WPA2-Enterprise connection using various EAP-pwd groups"""
2369 check_eap_capa(dev[0], "PWD")
2370 tls = dev[0].request("GET tls_library")
2371 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2372 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2373 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# IANA named ECP groups: 19 = P-256, 20 = P-384, 21 = P-521,
# 25 = P-192, 26 = P-224; 27-30 are the Brainpool curves.
2374 groups = [ 19, 20, 21, 25, 26 ]
2375 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2376 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2377 groups += [ 27, 28, 29, 30 ]
# NOTE(review): the `for i in groups:` header and the try/except structure
# around the connection attempt (original lines 2378, 2382, 2388, 2392 and
# 2395-2397) are missing from this extract; the remaining lines are read
# as: try to connect with the AP restricted to group i, tolerate a failure
# only for group 25 under BoringSSL, otherwise re-raise.
2379 logger.info("Group %d" % i)
2380 params['pwd_group'] = str(i)
2381 hostapd.add_ap(apdev[0]['ifname'], params)
2383 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2384 password="secret password")
2385 dev[0].request("REMOVE_NETWORK all")
2386 dev[0].wait_disconnected()
2387 dev[0].dump_monitor()
2389 if "BoringSSL" in tls and i in [ 25 ]:
2390 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2391 dev[0].request("DISCONNECT")
2393 dev[0].request("REMOVE_NETWORK all")
2394 dev[0].dump_monitor()
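def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP's EAP server is configured with ``pwd_group`` "0", which is not a
    usable EAP-pwd group. The station is expected to observe an EAP failure
    (CTRL-EVENT-EAP-FAILURE) rather than hang or connect.

    Fix in this revision: the timeout check after ``wait_event`` was an
    unconditional ``raise``; it now only fires when no event arrived.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # wait_event() returns None on timeout; an EAP failure event is the
    # expected outcome, so only the timeout is a test failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")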
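def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP-side EAP server uses ``fragment_size`` 40 (and ``pwd_group`` 19),
    so its EAP-pwd messages are delivered as several EAP fragments that the
    station has to reassemble before the exchange can complete.

    Fix in this revision: a ``params = hostapd.wpa2_eap_params(...)`` result
    that was immediately overwritten by the explicit dict has been removed.
    """
    check_eap_capa(dev[0], "PWD")
    # Explicit parameter dict rather than hostapd.wpa2_eap_params(): the
    # server-side fragment size has to be part of the AP configuration.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")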
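def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects "gpsk user" with the 32-character key and reauthenticates.
    Then phase1 ``cipher=1`` and ``cipher=2`` are forced in turn on the
    live network and each must lead to a fresh EAP success; ``cipher=9``
    must make the negotiation fail. Finally a key differing in its first
    byte is rejected.

    Fix in this revision: the three timeout checks after ``wait_event``
    were unconditional ``raise`` statements; they now only fire when no
    event was received.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Changing phase1 on the connected network is expected to trigger a
        # new EAP exchange, hence the wait for EAP-SUCCESS.
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)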
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Authenticates "sake user" with the 64-hex-digit (32-byte) shared key,
    re-runs EAP on the same association, and then confirms that a key whose
    first byte differs is rejected.
    """
    ssid = "test-wpa2-eap"
    identity = "sake user"
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    eap_connect(dev[0], apdev[0], "SAKE", identity, password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", identity, password_hex=bad_key,
                expect_failure=True)
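def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects "eke user" with password "hello" and reauthenticates. Then a
    set of phase1 algorithm selections (DH group, encryption, PRF, MAC) is
    forced one by one on the live network and each must produce a new EAP
    success; an all-invalid selection (``dhgroup=9 encr=9 prf=9 mac=9``)
    must fail. Finally the wrong password "hello1" is rejected.

    Fix in this revision: the timeout checks after ``wait_event`` were
    unconditional ``raise`` statements; they now only fire when no event
    arrived.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Changing phase1 on the connected network is expected to trigger a
        # new EAP exchange, hence the wait for EAP-SUCCESS.
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)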
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]

    Stress test: repeatedly connects several stations with EAP-EKE and
    counts successes and failures; only run when the harness was started
    with --long. Note that the ``params`` fixture (read for 'long') is
    rebound below to the AP configuration dict.

    NOTE(review): this listing is missing the inner station loop header,
    the success/fail counter initialisation and updates, and the ``if ev
    is None:`` guard in front of the "No connected/disconnected event"
    raise; the lines below are reproduced as found.
    """
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    for i in range(100):
        # NOTE(review): ``j`` (station index) is bound by a loop header that
        # is not in this listing.
        dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                       identity="eke user", password="hello",
                       phase1="dhgroup=3 encr=1 prf=1 mac=1",
                       scan_freq="2412", wait_connect=False)
        ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                "CTRL-EVENT-DISCONNECTED"], timeout=15)
        # NOTE(review): upstream guards this raise with ``if ev is None:``.
        raise Exception("No connected/disconnected event")
        if "CTRL-EVENT-DISCONNECTED" in ev:
            # The RADIUS server limits on active sessions can be hit when
            # going through this test case, so try to give some more time
            # for the server to remove sessions.
            logger.info("Failed to connect i=%d j=%d" % (i, j))
            dev[j].request("REMOVE_NETWORK all")
        dev[j].request("REMOVE_NETWORK all")
        dev[j].wait_disconnected()
        dev[j].dump_monitor()
    # NOTE(review): ``success`` and ``fail`` are maintained by lines not
    # present in this listing.
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Same exchange as the basic EAP-EKE test, but the internal EAP server is
    configured with an NAI-form ``server_id`` ('example.server@w1.fi');
    the client must still complete the connection.
    """
    server_params = int_eap_server_params()
    server_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd-side EAP-EKE
    implementation (via ``alloc_fail`` on the AP) at the listed functions
    and counts, and checks that each one results in a clean authentication
    failure for the station rather than a crash or a stuck session. The
    last loop walks ``eap_server_sm_step`` allocation sites until the
    failure no longer triggers.

    NOTE(review): this listing is missing the loop/continue structure and
    the try/except around the last loop; the lines below are reproduced as
    found. The ``except Exception, e:`` form is Python 2 syntax.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Server-side allocation failures that must surface as an EAP failure
    # on the station (eap_connect with expect_failure=True).
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")
    # Failures where the test does not wait for an EAP result: it connects
    # without waiting and polls GET_ALLOC_FAIL until the injected failure
    # has been consumed. "wrong" is used for eap_eke_build_failure so the
    # server actually reaches its failure-building path.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop around this check is not in
            # this listing.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): ``pw`` below is the value left over from the previous
    # loop ("hello"); upstream wraps this loop in try/except (see the
    # handler at the end).
    for count in range(1, 1000):
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
    # Python 2-only except syntax (``except Exception as e:`` in Python 3).
    # Reaching "Allocation failure did not trigger" is the normal way out of
    # the loop; it only counts as a failure if too few sites were hit.
    except Exception, e:
        if str(e) == "Allocation failure did not trigger":
        raise Exception("Too few allocation failures")
    logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Runs, in order: a plain connection plus reauthentication, a connection
    with client ``fragment_size`` 50, rejection of the wrong password
    "ike-password", and a connection with the boundary value
    ``fragment_size`` 0.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(**kwargs):
        # Every connection in this test uses the same station/method/identity.
        return eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user", **kwargs)

    connect(password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    connect(password="ike-password", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    connect(password="ike password", fragment_size="0")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
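def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP-side EAP server is configured with ``fragment_size`` 50, so its
    EAP-IKEv2 messages arrive as several fragments that the station must
    reassemble, both for the initial connection and for reauthentication.

    Fix in this revision: a ``params = hostapd.wpa2_eap_params(...)`` result
    that was immediately overwritten by the explicit dict has been removed.
    """
    check_eap_capa(dev[0], "IKEV2")
    # Explicit parameter dict rather than hostapd.wpa2_eap_params(): the
    # server-side fragment size has to be part of the AP configuration.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")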
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects station-side allocation failures (``alloc_fail``) and a forced
    RNG failure (``fail_test`` on ``os_get_random`` inside ``dh_init``) into
    the EAP-IKEv2 Diffie-Hellman code and checks that the method is still
    selected and the injected failure is actually consumed. A DH
    implementation that silently continued after a failed random-number
    read would be a real weakness, which is why the RNG site is covered.

    NOTE(review): this listing is missing the ``if ev is None:`` guards,
    the polling loops around the GET_ALLOC_FAIL / GET_FAIL checks, and at
    least one entry of the first ``tests`` list; lines are reproduced as
    found.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): upstream guards this raise with ``if ev is None:``.
            raise Exception("EAP method not selected")
            # "0:" in GET_ALLOC_FAIL means the injected failure was consumed.
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
    # Forced failure of the random-number source used by dh_init().
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): upstream guards this raise with ``if ev is None:``.
            raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Authenticates "pax.user@example.com" with the 16-byte PAX key given as
    hex, reauthenticates, and then checks that a key whose first byte
    differs is rejected.
    """
    identity = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "PAX", identity, password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", identity, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP mandates management frame protection (``ieee80211w`` "2") and
    the SHA-256 AKM (``wpa_key_mgmt`` "WPA-EAP-SHA256"), so the station
    connects with ``sha256=True``. After connecting and reauthenticating,
    the MIB is checked for AKM suite selector 00-0f-ac-5 (802.1X with
    SHA-256) as both requested and selected, and the BSS table entry must
    carry the [WPA2-EAP-SHA256-CCMP] flag. A PSK with a different first
    byte must be rejected.
    """
    ssid = "test-wpa2-eap"
    identity = "psk.user@example.com"
    good_psk = "0123456789abcdef0123456789abcdef"
    bad_psk = "ff23456789abcdef0123456789abcdef"

    ap_params = hostapd.wpa2_eap_params(ssid=ssid)
    ap_params.update({ "wpa_key_mgmt": "WPA-EAP-SHA256",
                       "ieee80211w": "2" })
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "PSK", identity, password_hex=good_psk,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    suite = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", suite),
                        ("dot11RSNAAuthenticationSuiteSelected", suite) ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", identity, password_hex=bad_psk,
                sha256=True, expect_failure=True)
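def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects station-side failures into the AES-EAX / OMAC1 / AES-CTR
    primitives used by EAP-PSK: first allocation failures (``alloc_fail``),
    then forced return-value failures (``fail_test``), and finally a forced
    ``aes_128_encrypt_block`` failure that must be reported as an EAP
    failure. For the first two groups the test only requires that the EAP
    method gets selected and that the injected failure is consumed
    (``wait_fail_trigger``); the crypto must fail closed rather than
    continue with a partial result.

    Fix in this revision: the timeout checks after ``wait_event`` were
    unconditional ``raise`` statements; they now only fire when no event
    arrived.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def start_connection():
        # Shared network setup; callers decide what to wait for.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    def cleanup():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            start_connection()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            cleanup()

    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            start_connection()
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            cleanup()

    # A failing block encryption must abort the method with an EAP failure.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        start_connection()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP method failure not reported")
        cleanup()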
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses the legacy WPA (not RSN) parameter set from
    ``hostapd.wpa_eap_params``; the MIB check therefore expects the WPA
    vendor AKM selector 00-50-f2-1 and the EAP checks pass ``rsn=False``.
    The station validates the server against auth_serv/ca.pem. After the
    connection, STATUS-VERBOSE must report ``portControl`` "Auto" and an
    ``eap_session_id`` beginning with "19" (presumably the EAP-PEAP method
    type, 25 decimal, as the Session-Id prefix).

    NOTE(review): this listing is missing the closing line of the
    ``dev[0].connect(...)`` call (upstream passes ``scan_freq="2412"``
    there); lines are reproduced as found.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    # NOTE(review): remaining argument(s) and closing paren not in listing.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each entry of ``tests`` describes a network added without a stored
    identity and/or password; wpa_supplicant then asks for them through
    the control interface (CTRL-REQ-IDENTITY, CTRL-REQ-PASSWORD or
    CTRL-REQ-OTP) and the test answers with CTRL-RSP-* using the request
    id parsed from the event. Covers TTLS with MSCHAPv2, EAP-MSCHAPv2 and
    EAP-MD5 inner methods and PEAP with EAP-MSCHAPv2 and EAP-GTC.

    NOTE(review): this listing is missing one tuple's trailing values, the
    ``if req_id:`` guard before the identity request handling, and the
    ``if ev is None:`` guards; lines are reproduced as found. The string
    "DOMAIN\\mschapv2 user" is written with a single backslash (``\\m`` is
    not a valid escape; newer Python versions warn about it -- a raw
    string or ``\\\\`` would be the portable spelling).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request, password to supply on request)
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): upstream only handles the identity request when
        # req_id is set; that guard is not in this listing.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
        # The request id is the trailing "-<n>" of the event name.
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may ask for a one-time password instead of a password.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
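def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    A second, disabled network ("other", key_mgmt NONE) is added first.
    The EAP-TTLS network is configured without an identity so that
    wpa_supplicant asks for it via CTRL-REQ-IDENTITY; the test supplies it
    and waits for the connection. Enabling the other network afterwards
    must not cause wpa_supplicant to drop the established connection and
    start authenticating again.

    Fix in this revision: the timeout check after the identity request was
    an unconditional ``raise``, and the final check raised regardless of
    whether an authentication attempt was observed; both now test ``ev``.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request id is the trailing "-<n>" of the event name.
    netid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + netid + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # Seeing an authentication attempt here would mean ENABLE_NETWORK
    # disturbed the live connection; a timeout is the expected outcome.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")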
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects with the expanded-type "VENDOR-TEST" method (no credential
    beyond the identity "vendor-test"), reauthenticates, and starts a
    second connection on dev[1].

    NOTE(review): the second ``eap_connect`` call is cut off in this
    listing (its remaining keyword arguments and closing paren are
    missing); lines are reproduced as found.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
    # NOTE(review): remaining argument(s) and closing paren not in listing.
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)

    Injects a single allocation failure into each listed function of the
    station-side VENDOR-TEST method, starts a connection, and checks with
    ``wait_fail_trigger`` that the failure was actually hit before tearing
    the network down.

    NOTE(review): this listing is missing the ``for func in tests:`` loop
    header and part of the ``dev[0].connect(...)`` argument list; lines are
    reproduced as found.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "eap_vendor_test_init",
              "eap_msg_alloc;eap_vendor_test_process",
              "eap_vendor_test_getKey" ]
    # NOTE(review): ``func`` is bound by a loop header not in this listing.
    with alloc_fail(dev[0], 1, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="VENDOR-TEST", identity="vendor-test",
        # NOTE(review): remaining connect() arguments not in listing.
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1 ``fast_provisioning=1`` selects the unauthenticated (in-band)
    PAC provisioning mode, with the PAC stored in the ``blob://fast_pac``
    configuration blob. Security note: a PAC obtained this way is only as
    trustworthy as whoever served it during provisioning, so real
    deployments should confine this mode to initial enrolment. After
    provisioning and a connectivity check, the reauthentication must
    resume the TLS session from the PAC (``tls_session_reused`` == '1').
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a real file under the log directory (text format
    for dev[0], binary format via ``fast_pac_format=binary`` for dev[1]),
    checks the text file carries the expected header and a ``PAC-Key=``
    entry, and then reconnects using the stored PAC without provisioning.
    The PAC file holds a long-term credential (the PAC-Key), so the files
    are removed at the end; the ``params`` fixture (read for 'logdir') is
    rebound to the AP configuration below.

    NOTE(review): this listing is missing the try/finally structure, the
    ``data = f.read()`` line, the ``pac_file=`` arguments of the reconnects
    and the ``os.remove(pac_file)`` cleanup; lines are reproduced as found.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Provisioning run: writes the text-format PAC to pac_file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): ``data`` is assigned from f.read() on a line not in
        # this listing.
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # Reconnect using the provisioned PAC (no fast_provisioning in phase1).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Same flow for the binary PAC format on dev[1].
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # Credential cleanup: do not leave the PAC-Key lying in the log dir.
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (``fast_provisioning=1``) into the ``blob://fast_pac_bin``
    blob using the binary PAC file format, with the stored PAC list capped at
    one entry (``fast_max_pac_list_len=1``). The subsequent reauthentication
    must resume the TLS session from that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                    pac_file="blob://fast_pac_bin")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
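def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without ``fast_provisioning`` in phase1 the client cannot obtain a PAC
    in-band, so EAP-FAST must fail cleanly in two configurations: a
    ``pac_file`` blob that has never been provisioned
    (``blob://fast_pac_not_in_use``) and no ``pac_file`` at all. Both
    attempts must end in CTRL-EVENT-EAP-FAILURE.

    Fix in this revision: the timeout checks after ``wait_event`` were
    unconditional ``raise`` statements; they now only fire when no event
    arrived.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def expect_eap_failure(**extra):
        # Start the connection and require an EAP failure report.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **extra)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")

    # PAC blob configured but never provisioned.
    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")

    # No pac_file configured at all.
    expect_eap_failure()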
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors

    Robustness of the binary PAC store: (1) allocation failures while
    saving/writing the PAC must not break the connection; (2) a series of
    hand-crafted truncated or internally inconsistent binary PAC blobs
    must make the method fail to initialize ("EAP: Failed to initialize
    EAP method") rather than be parsed past their bounds; (3) allocation
    failures while loading a minimal valid blob and while fetching the
    A-ID from it must likewise fail cleanly. The PAC store is attacker-
    influenceable only if the configuration is, but a parser that reads
    past a truncated length field is still a memory-safety bug, which is
    what this test guards against.

    NOTE(review): this listing is missing the ``for t in tests:`` header
    of the malformed-blob loop, the ``timeout=`` continuation lines of the
    ``wait_event`` calls and the ``if ev is None:`` guards; lines are
    reproduced as found.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (1) Allocation failures on the PAC write path; the blob is reset to
    # empty before each attempt.
    tests = [ (1, "=eap_fast_save_pac_bin"),
              (1, "eap_fast_write_pac"),
              (2, "eap_fast_write_pac"), ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
    # (2) Malformed binary PAC blobs (hex): too short, bad magic/version,
    # and length fields that disagree with the data actually present.
    tests = [ "00", "000000000000", "6ae4920c0001",
              "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
    # NOTE(review): ``t`` is bound by a ``for t in tests:`` header not in
    # this listing.
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
        raise Exception("Could not set blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1 fast_pac_format=binary",
                   pac_file="blob://fast_pac_bin_errors",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
    # NOTE(review): wait_event continuation and ``if ev is None:`` guard
    # not in this listing.
    raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # (3a) Minimal well-formed blob; allocation failures in the loader.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [ (1, "eap_fast_load_pac_bin"),
              (2, "eap_fast_load_pac_bin"),
              (3, "eap_fast_load_pac_bin") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1 fast_pac_format=binary",
                           pac_file="blob://fast_pac_bin_errors",
                           scan_freq="2412", wait_connect=False)
            ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
            # NOTE(review): wait_event continuation and ``if ev is None:``
            # guard not in this listing.
            raise Exception("Failure not reported")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
    # Blob with a 5-byte trailing element: must still allow provisioning.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
        raise Exception("Could not set blob")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin_errors")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # (3b) Allocation failures while extracting the A-ID from the blob.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [ (1, "eap_fast_pac_get_a_id"),
              (2, "eap_fast_pac_get_a_id") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1 ``fast_provisioning=2`` selects authenticated PAC provisioning
    (the server is validated against auth_serv/ca.pem), with EAP-GTC as
    the inner method and the PAC stored in ``blob://fast_pac_auth``. After
    provisioning and a connectivity check, the reauthentication must
    resume the TLS session from the PAC (``tls_session_reused`` == '1').
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
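def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful EAP-FAST/GTC connection with authenticated
    provisioning, the network's identity is changed to "user2". This must
    drop the connection, start a new EAP-FAST exchange and end in an EAP
    failure: the PAC provisioned for "user" must not let a different
    identity authenticate.

    Fix in this revision: the timeout checks after ``wait_event`` were
    unconditional ``raise`` statements; they now only fire when no event
    arrived.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()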
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Injects an allocation failure into the TLS PRF used by EAP-FAST for
    key derivation -- ``openssl_tls_prf`` with OpenSSL,
    ``tls_connection_prf`` with the internal TLS implementation -- and
    requires the method to report CTRL-EVENT-EAP-FAILURE instead of
    continuing with unusable keys. Other TLS libraries are skipped.

    NOTE(review): this listing is missing the lines that assign ``count``
    for each library branch and the ``else:`` before the skip, as well as
    the ``if ev is None:`` guard; lines are reproduced as found.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
        # NOTE(review): ``count`` is assigned here upstream (line missing).
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        # NOTE(review): ``count`` is assigned here upstream (line missing).
    # NOTE(review): an ``else:`` precedes this skip upstream.
    raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       # NOTE(review): one connect() argument line missing.
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): upstream guards this raise with ``if ev is None:``.
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Runs the internal EAP server with an explicit EAP-FAST configuration
    (test-only ``pac_opaque_encr_key``, A-ID 1011 and A-ID-Info) and
    injects an allocation failure into the server's session-ticket
    extension callback. The first connection attempt must fail with an EAP
    failure; once the injection is over the same network is re-selected to
    confirm the server recovered.

    NOTE(review): this listing is missing the ``if ev is None:`` guard
    before the "No EAP failure reported" raise and the connection wait
    after ``select_network``; lines are reproduced as found.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed test key for PAC-Opaque encryption; never reuse outside tests.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): upstream guards this raise with ``if ev is None:``.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # Retry the same network after the injected failure has been cleared.
    dev[0].select_network(id, freq="2412")
3173 def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3174 """EAP-FAST and different TLS cipher suites"""
3175 check_eap_capa(dev[0], "FAST")
3176 tls = dev[0].request("GET tls_library")
3177 if not tls.startswith("OpenSSL"):
3178 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3180 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3181 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3183 dev[0].request("SET blob fast_pac_ciphers ")
3184 eap_connect(dev[0], apdev[0], "FAST", "user",
3185 anonymous_identity="FAST", password="password",
3186 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3187 phase1="fast_provisioning=2",
3188 pac_file="blob://fast_pac_ciphers")
3189 res = dev[0].get_status_field('EAP TLS cipher')
3190 dev[0].request("REMOVE_NETWORK all")
3191 dev[0].wait_disconnected()
3192 if res != "DHE-RSA-AES256-SHA":
3193 raise Exception("Unexpected cipher suite for provisioning: " + res)
3195 tests = [ "DHE-RSA-AES128-SHA",
3199 "DHE-RSA-AES256-SHA" ]
3200 for cipher in tests:
3201 eap_connect(dev[0], apdev[0], "FAST", "user",
3202 openssl_ciphers=cipher,
3203 anonymous_identity="FAST", password="password",
3204 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3205 pac_file="blob://fast_pac_ciphers")
3206 res = dev[0].get_status_field('EAP TLS cipher')
3207 dev[0].request("REMOVE_NETWORK all")
3208 dev[0].wait_disconnected()
3210 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
3212 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
3213 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
3214 check_ocsp_support(dev[0])
3215 check_pkcs12_support(dev[0])
3216 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3217 hostapd.add_ap(apdev[0]['ifname'], params)
3218 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3219 private_key="auth_serv/user.pkcs12",
3220 private_key_passwd="whatever", ocsp=2)
3222 def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
3223 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
3224 check_ocsp_multi_support(dev[0])
3225 check_pkcs12_support(dev[0])
3227 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3228 hostapd.add_ap(apdev[0]['ifname'], params)
3229 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3230 private_key="auth_serv/user.pkcs12",
3231 private_key_passwd="whatever", ocsp=2)
3233 def int_eap_server_params():
3234 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3235 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3236 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3237 "ca_cert": "auth_serv/ca.pem",
3238 "server_cert": "auth_serv/server.pem",
3239 "private_key": "auth_serv/server.key",
3240 "dh_file": "auth_serv/dh.conf" }
3243 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3244 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
3245 check_ocsp_support(dev[0])
3246 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3247 if not os.path.exists(ocsp):
3248 raise HwsimSkip("No OCSP response available")
3249 params = int_eap_server_params()
3250 params["ocsp_stapling_response"] = ocsp
3251 hostapd.add_ap(apdev[0]['ifname'], params)
3252 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3253 identity="tls user", ca_cert="auth_serv/ca.pem",
3254 private_key="auth_serv/user.pkcs12",
3255 private_key_passwd="whatever", ocsp=2,
3258 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3259 """EAP-TLS and CA signed OCSP response (good)"""
3260 check_ocsp_support(dev[0])
3261 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3262 if not os.path.exists(ocsp):
3263 raise HwsimSkip("No OCSP response available")
3264 params = int_eap_server_params()
3265 params["ocsp_stapling_response"] = ocsp
3266 hostapd.add_ap(apdev[0]['ifname'], params)
3267 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3268 identity="tls user", ca_cert="auth_serv/ca.pem",
3269 private_key="auth_serv/user.pkcs12",
3270 private_key_passwd="whatever", ocsp=2,
3273 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3274 """EAP-TLS and CA signed OCSP response (revoked)"""
3275 check_ocsp_support(dev[0])
3276 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3277 if not os.path.exists(ocsp):
3278 raise HwsimSkip("No OCSP response available")
3279 params = int_eap_server_params()
3280 params["ocsp_stapling_response"] = ocsp
3281 hostapd.add_ap(apdev[0]['ifname'], params)
3282 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3283 identity="tls user", ca_cert="auth_serv/ca.pem",
3284 private_key="auth_serv/user.pkcs12",
3285 private_key_passwd="whatever", ocsp=2,
3286 wait_connect=False, scan_freq="2412")
3289 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3291 raise Exception("Timeout on EAP status")
3292 if 'bad certificate status response' in ev:
3294 if 'certificate revoked' in ev:
3298 raise Exception("Unexpected number of EAP status messages")
3300 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3302 raise Exception("Timeout on EAP failure report")
3304 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3305 """EAP-TLS and CA signed OCSP response (unknown)"""
3306 check_ocsp_support(dev[0])
3307 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3308 if not os.path.exists(ocsp):
3309 raise HwsimSkip("No OCSP response available")
3310 params = int_eap_server_params()
3311 params["ocsp_stapling_response"] = ocsp
3312 hostapd.add_ap(apdev[0]['ifname'], params)
3313 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3314 identity="tls user", ca_cert="auth_serv/ca.pem",
3315 private_key="auth_serv/user.pkcs12",
3316 private_key_passwd="whatever", ocsp=2,
3317 wait_connect=False, scan_freq="2412")
3320 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3322 raise Exception("Timeout on EAP status")
3323 if 'bad certificate status response' in ev:
3327 raise Exception("Unexpected number of EAP status messages")
3329 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3331 raise Exception("Timeout on EAP failure report")
3333 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3334 """EAP-TLS and server signed OCSP response"""
3335 check_ocsp_support(dev[0])
3336 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3337 if not os.path.exists(ocsp):
3338 raise HwsimSkip("No OCSP response available")
3339 params = int_eap_server_params()
3340 params["ocsp_stapling_response"] = ocsp
3341 hostapd.add_ap(apdev[0]['ifname'], params)
3342 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3343 identity="tls user", ca_cert="auth_serv/ca.pem",
3344 private_key="auth_serv/user.pkcs12",
3345 private_key_passwd="whatever", ocsp=2,
3346 wait_connect=False, scan_freq="2412")
3349 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3351 raise Exception("Timeout on EAP status")
3352 if 'bad certificate status response' in ev:
3356 raise Exception("Unexpected number of EAP status messages")
3358 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3360 raise Exception("Timeout on EAP failure report")
3362 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3363 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
3364 check_ocsp_support(dev[0])
3365 params = int_eap_server_params()
3366 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3367 hostapd.add_ap(apdev[0]['ifname'], params)
3368 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3369 identity="tls user", ca_cert="auth_serv/ca.pem",
3370 private_key="auth_serv/user.pkcs12",
3371 private_key_passwd="whatever", ocsp=2,
3372 wait_connect=False, scan_freq="2412")
3375 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3377 raise Exception("Timeout on EAP status")
3378 if 'bad certificate status response' in ev:
3382 raise Exception("Unexpected number of EAP status messages")
3384 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3386 raise Exception("Timeout on EAP failure report")
3388 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3389 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
3390 check_ocsp_support(dev[0])
3391 params = int_eap_server_params()
3392 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3393 hostapd.add_ap(apdev[0]['ifname'], params)
3394 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3395 identity="tls user", ca_cert="auth_serv/ca.pem",
3396 private_key="auth_serv/user.pkcs12",
3397 private_key_passwd="whatever", ocsp=2,
3398 wait_connect=False, scan_freq="2412")
3401 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3403 raise Exception("Timeout on EAP status")
3404 if 'bad certificate status response' in ev:
3408 raise Exception("Unexpected number of EAP status messages")
3410 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3412 raise Exception("Timeout on EAP failure report")
3414 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
3415 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3416 check_ocsp_support(dev[0])
3417 params = int_eap_server_params()
3418 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3419 hostapd.add_ap(apdev[0]['ifname'], params)
3420 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3421 identity="tls user", ca_cert="auth_serv/ca.pem",
3422 private_key="auth_serv/user.pkcs12",
3423 private_key_passwd="whatever", ocsp=2,
3424 wait_connect=False, scan_freq="2412")
3427 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3429 raise Exception("Timeout on EAP status")
3430 if 'bad certificate status response' in ev:
3434 raise Exception("Unexpected number of EAP status messages")
3436 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3438 raise Exception("Timeout on EAP failure report")
3440 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
3441 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3442 check_ocsp_support(dev[0])
3443 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
3444 if not os.path.exists(ocsp):
3445 raise HwsimSkip("No OCSP response available")
3446 params = int_eap_server_params()
3447 params["ocsp_stapling_response"] = ocsp
3448 hostapd.add_ap(apdev[0]['ifname'], params)
3449 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3450 identity="pap user", ca_cert="auth_serv/ca.pem",
3451 anonymous_identity="ttls", password="password",
3452 phase2="auth=PAP", ocsp=2,
3453 wait_connect=False, scan_freq="2412")
3456 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3458 raise Exception("Timeout on EAP status")
3459 if 'bad certificate status response' in ev:
3461 if 'certificate revoked' in ev:
3465 raise Exception("Unexpected number of EAP status messages")
3467 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3469 raise Exception("Timeout on EAP failure report")
3471 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
3472 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3473 check_ocsp_support(dev[0])
3474 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
3475 if not os.path.exists(ocsp):
3476 raise HwsimSkip("No OCSP response available")
3477 params = int_eap_server_params()
3478 params["ocsp_stapling_response"] = ocsp
3479 hostapd.add_ap(apdev[0]['ifname'], params)
3480 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3481 identity="pap user", ca_cert="auth_serv/ca.pem",
3482 anonymous_identity="ttls", password="password",
3483 phase2="auth=PAP", ocsp=2,
3484 wait_connect=False, scan_freq="2412")
3487 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3489 raise Exception("Timeout on EAP status")
3490 if 'bad certificate status response' in ev:
3494 raise Exception("Unexpected number of EAP status messages")
3496 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3498 raise Exception("Timeout on EAP failure report")
3500 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
3501 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3502 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
3503 if not os.path.exists(ocsp):
3504 raise HwsimSkip("No OCSP response available")
3505 params = int_eap_server_params()
3506 params["ocsp_stapling_response"] = ocsp
3507 hostapd.add_ap(apdev[0]['ifname'], params)
3508 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3509 identity="pap user", ca_cert="auth_serv/ca.pem",
3510 anonymous_identity="ttls", password="password",
3511 phase2="auth=PAP", ocsp=1, scan_freq="2412")
3513 def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
3514 """EAP-TLS with intermediate server/user CA"""
3515 params = int_eap_server_params()
3516 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3517 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3518 params["private_key"] = "auth_serv/iCA-server/server.key"
3519 hostapd.add_ap(apdev[0]['ifname'], params)
3520 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3521 identity="tls user",
3522 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3523 client_cert="auth_serv/iCA-user/user.pem",
3524 private_key="auth_serv/iCA-user/user.key",
3527 def root_ocsp(cert):
3528 ca = "auth_serv/ca.pem"
3530 fd2, fn2 = tempfile.mkstemp()
3533 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3534 "-no_nonce", "-sha256", "-text" ]
3535 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3536 stderr=subprocess.PIPE)
3537 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3540 logger.info("OCSP request:\n" + res)
3542 fd, fn = tempfile.mkstemp()
3544 arg = [ "openssl", "ocsp", "-index", "rootCA/index.txt",
3545 "-rsigner", ca, "-rkey", "auth_serv/caa-key.pem",
3546 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3547 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3549 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3550 stderr=subprocess.PIPE)
3551 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3554 logger.info("OCSP response:\n" + res)
3559 prefix = "auth_serv/iCA-server/"
3560 ca = prefix + "cacert.pem"
3561 cert = prefix + cert
3563 fd2, fn2 = tempfile.mkstemp()
3566 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3567 "-no_nonce", "-sha256", "-text" ]
3568 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3569 stderr=subprocess.PIPE)
3570 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3573 logger.info("OCSP request:\n" + res)
3575 fd, fn = tempfile.mkstemp()
3577 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
3578 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
3579 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3580 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
3582 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3583 stderr=subprocess.PIPE)
3584 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3587 logger.info("OCSP response:\n" + res)
3591 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
3592 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
3593 params = int_eap_server_params()
3594 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3595 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3596 params["private_key"] = "auth_serv/iCA-server/server.key"
3597 fn = ica_ocsp("server.pem")
3598 params["ocsp_stapling_response"] = fn
3600 hostapd.add_ap(apdev[0]['ifname'], params)
3601 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3602 identity="tls user",
3603 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3604 client_cert="auth_serv/iCA-user/user.pem",
3605 private_key="auth_serv/iCA-user/user.key",
3606 scan_freq="2412", ocsp=2)
3610 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
3611 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
3612 params = int_eap_server_params()
3613 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3614 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
3615 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
3616 fn = ica_ocsp("server-revoked.pem")
3617 params["ocsp_stapling_response"] = fn
3619 hostapd.add_ap(apdev[0]['ifname'], params)
3620 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3621 identity="tls user",
3622 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3623 client_cert="auth_serv/iCA-user/user.pem",
3624 private_key="auth_serv/iCA-user/user.key",
3625 scan_freq="2412", ocsp=1, wait_connect=False)
3628 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3629 "CTRL-EVENT-EAP-SUCCESS"])
3631 raise Exception("Timeout on EAP status")
3632 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3633 raise Exception("Unexpected EAP-Success")
3634 if 'bad certificate status response' in ev:
3636 if 'certificate revoked' in ev:
3640 raise Exception("Unexpected number of EAP status messages")
3642 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3644 raise Exception("Timeout on EAP failure report")
3645 dev[0].request("REMOVE_NETWORK all")
3646 dev[0].wait_disconnected()
3650 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
3651 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
3652 check_ocsp_support(dev[0])
3653 check_ocsp_multi_support(dev[0])
3655 params = int_eap_server_params()
3656 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3657 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3658 params["private_key"] = "auth_serv/iCA-server/server.key"
3659 fn = ica_ocsp("server.pem")
3660 params["ocsp_stapling_response"] = fn
3662 hostapd.add_ap(apdev[0]['ifname'], params)
3663 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3664 identity="tls user",
3665 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3666 client_cert="auth_serv/iCA-user/user.pem",
3667 private_key="auth_serv/iCA-user/user.key",
3668 scan_freq="2412", ocsp=3, wait_connect=False)
3671 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3672 "CTRL-EVENT-EAP-SUCCESS"])
3674 raise Exception("Timeout on EAP status")
3675 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3676 raise Exception("Unexpected EAP-Success")
3677 if 'bad certificate status response' in ev:
3679 if 'certificate revoked' in ev:
3683 raise Exception("Unexpected number of EAP status messages")
3685 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3687 raise Exception("Timeout on EAP failure report")
3688 dev[0].request("REMOVE_NETWORK all")
3689 dev[0].wait_disconnected()
3693 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
3694 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
3695 check_ocsp_support(dev[0])
3696 check_ocsp_multi_support(dev[0])
3698 params = int_eap_server_params()
3699 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3700 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3701 params["private_key"] = "auth_serv/iCA-server/server.key"
3702 fn = ica_ocsp("server.pem")
3703 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
3704 params["ocsp_stapling_response"] = fn
3706 with open(fn, "r") as f:
3707 resp_server = f.read()
3708 with open(fn2, "r") as f:
3711 fd3, fn3 = tempfile.mkstemp()
3713 f = os.fdopen(fd3, 'w')
3714 f.write(struct.pack(">L", len(resp_server))[1:4])
3715 f.write(resp_server)
3716 f.write(struct.pack(">L", len(resp_ica))[1:4])
3720 params["ocsp_stapling_response_multi"] = fn3
3722 hostapd.add_ap(apdev[0]['ifname'], params)
3723 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3724 identity="tls user",
3725 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3726 client_cert="auth_serv/iCA-user/user.pem",
3727 private_key="auth_serv/iCA-user/user.key",
3728 scan_freq="2412", ocsp=3, wait_connect=False)
3731 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3732 "CTRL-EVENT-EAP-SUCCESS"])
3734 raise Exception("Timeout on EAP status")
3735 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3736 raise Exception("Unexpected EAP-Success")
3737 if 'bad certificate status response' in ev:
3739 if 'certificate revoked' in ev:
3743 raise Exception("Unexpected number of EAP status messages")
3745 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3747 raise Exception("Timeout on EAP failure report")
3748 dev[0].request("REMOVE_NETWORK all")
3749 dev[0].wait_disconnected()
3755 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
3756 """EAP-TLS and CA signed OCSP multi response (revoked)"""
3757 check_ocsp_support(dev[0])
3758 check_ocsp_multi_support(dev[0])
3760 ocsp_revoked = os.path.join(params['logdir'],
3761 "ocsp-resp-ca-signed-revoked.der")
3762 if not os.path.exists(ocsp_revoked):
3763 raise HwsimSkip("No OCSP response (revoked) available")
3764 ocsp_unknown = os.path.join(params['logdir'],
3765 "ocsp-resp-ca-signed-unknown.der")
3766 if not os.path.exists(ocsp_unknown):
3767 raise HwsimSkip("No OCSP response(unknown) available")
3769 with open(ocsp_revoked, "r") as f:
3770 resp_revoked = f.read()
3771 with open(ocsp_unknown, "r") as f:
3772 resp_unknown = f.read()
3774 fd, fn = tempfile.mkstemp()
3776 # This is not really a valid order of the OCSPResponse items in the
3777 # list, but this works for now to verify parsing and processing of
3778 # multiple responses.
3779 f = os.fdopen(fd, 'w')
3780 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3781 f.write(resp_unknown)
3782 f.write(struct.pack(">L", len(resp_revoked))[1:4])
3783 f.write(resp_revoked)
3784 f.write(struct.pack(">L", 0)[1:4])
3785 f.write(struct.pack(">L", len(resp_unknown))[1:4])
3786 f.write(resp_unknown)
3789 params = int_eap_server_params()
3790 params["ocsp_stapling_response_multi"] = fn
3791 hostapd.add_ap(apdev[0]['ifname'], params)
3792 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3793 identity="tls user", ca_cert="auth_serv/ca.pem",
3794 private_key="auth_serv/user.pkcs12",
3795 private_key_passwd="whatever", ocsp=1,
3796 wait_connect=False, scan_freq="2412")
3799 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3800 "CTRL-EVENT-EAP-SUCCESS"])
3802 raise Exception("Timeout on EAP status")
3803 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3804 raise Exception("Unexpected EAP-Success")
3805 if 'bad certificate status response' in ev:
3807 if 'certificate revoked' in ev:
3811 raise Exception("Unexpected number of EAP status messages")
3815 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
3816 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3817 check_domain_match_full(dev[0])
3818 params = int_eap_server_params()
3819 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3820 params["private_key"] = "auth_serv/server-no-dnsname.key"
3821 hostapd.add_ap(apdev[0]['ifname'], params)
3822 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3823 identity="tls user", ca_cert="auth_serv/ca.pem",
3824 private_key="auth_serv/user.pkcs12",
3825 private_key_passwd="whatever",
3826 domain_suffix_match="server3.w1.fi",
3829 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
3830 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
3831 check_domain_match(dev[0])
3832 params = int_eap_server_params()
3833 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3834 params["private_key"] = "auth_serv/server-no-dnsname.key"
3835 hostapd.add_ap(apdev[0]['ifname'], params)
3836 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3837 identity="tls user", ca_cert="auth_serv/ca.pem",
3838 private_key="auth_serv/user.pkcs12",
3839 private_key_passwd="whatever",
3840 domain_match="server3.w1.fi",
3843 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
3844 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
3845 check_domain_match_full(dev[0])
3846 params = int_eap_server_params()
3847 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3848 params["private_key"] = "auth_serv/server-no-dnsname.key"
3849 hostapd.add_ap(apdev[0]['ifname'], params)
3850 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3851 identity="tls user", ca_cert="auth_serv/ca.pem",
3852 private_key="auth_serv/user.pkcs12",
3853 private_key_passwd="whatever",
3854 domain_suffix_match="w1.fi",
3857 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
3858 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
3859 check_domain_suffix_match(dev[0])
3860 params = int_eap_server_params()
3861 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3862 params["private_key"] = "auth_serv/server-no-dnsname.key"
3863 hostapd.add_ap(apdev[0]['ifname'], params)
3864 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3865 identity="tls user", ca_cert="auth_serv/ca.pem",
3866 private_key="auth_serv/user.pkcs12",
3867 private_key_passwd="whatever",
3868 domain_suffix_match="example.com",
3871 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3872 identity="tls user", ca_cert="auth_serv/ca.pem",
3873 private_key="auth_serv/user.pkcs12",
3874 private_key_passwd="whatever",
3875 domain_suffix_match="erver3.w1.fi",
3878 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3880 raise Exception("Timeout on EAP failure report")
3881 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3883 raise Exception("Timeout on EAP failure report (2)")
3885 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3886 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
3887 check_domain_match(dev[0])
3888 params = int_eap_server_params()
3889 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3890 params["private_key"] = "auth_serv/server-no-dnsname.key"
3891 hostapd.add_ap(apdev[0]['ifname'], params)
3892 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3893 identity="tls user", ca_cert="auth_serv/ca.pem",
3894 private_key="auth_serv/user.pkcs12",
3895 private_key_passwd="whatever",
3896 domain_match="example.com",
3899 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3900 identity="tls user", ca_cert="auth_serv/ca.pem",
3901 private_key="auth_serv/user.pkcs12",
3902 private_key_passwd="whatever",
3903 domain_match="w1.fi",
3906 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3908 raise Exception("Timeout on EAP failure report")
3909 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3911 raise Exception("Timeout on EAP failure report (2)")
3913 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3914 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
3915 skip_with_fips(dev[0])
3916 params = int_eap_server_params()
3917 params["server_cert"] = "auth_serv/server-expired.pem"
3918 params["private_key"] = "auth_serv/server-expired.key"
3919 hostapd.add_ap(apdev[0]['ifname'], params)
3920 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3921 identity="mschap user", password="password",
3922 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3925 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3927 raise Exception("Timeout on EAP certificate error report")
3928 if "reason=4" not in ev or "certificate has expired" not in ev:
3929 raise Exception("Unexpected failure reason: " + ev)
3930 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3932 raise Exception("Timeout on EAP failure report")
3934 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3935 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
3936 skip_with_fips(dev[0])
3937 params = int_eap_server_params()
3938 params["server_cert"] = "auth_serv/server-expired.pem"
3939 params["private_key"] = "auth_serv/server-expired.key"
3940 hostapd.add_ap(apdev[0]['ifname'], params)
3941 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3942 identity="mschap user", password="password",
3943 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3944 phase1="tls_disable_time_checks=1",
3947 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3948 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
3949 skip_with_fips(dev[0])
3950 params = int_eap_server_params()
3951 params["server_cert"] = "auth_serv/server-long-duration.pem"
3952 params["private_key"] = "auth_serv/server-long-duration.key"
3953 hostapd.add_ap(apdev[0]['ifname'], params)
3954 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3955 identity="mschap user", password="password",
3956 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3959 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3960 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3961 skip_with_fips(dev[0])
3962 params = int_eap_server_params()
3963 params["server_cert"] = "auth_serv/server-eku-client.pem"
3964 params["private_key"] = "auth_serv/server-eku-client.key"
3965 hostapd.add_ap(apdev[0]['ifname'], params)
3966 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3967 identity="mschap user", password="password",
3968 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3971 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3973 raise Exception("Timeout on EAP failure report")
3975 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3976 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3977 skip_with_fips(dev[0])
3978 params = int_eap_server_params()
3979 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3980 params["private_key"] = "auth_serv/server-eku-client-server.key"
3981 hostapd.add_ap(apdev[0]['ifname'], params)
3982 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3983 identity="mschap user", password="password",
3984 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3987 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3988 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3989 skip_with_fips(dev[0])
3990 params = int_eap_server_params()
3991 del params["server_cert"]
3992 params["private_key"] = "auth_serv/server.pkcs12"
3993 hostapd.add_ap(apdev[0]['ifname'], params)
3994 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3995 identity="mschap user", password="password",
3996 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3999 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4000 """EAP-TTLS and server PKCS#12 file with extra certs"""
4001 skip_with_fips(dev[0])
4002 params = int_eap_server_params()
4003 del params["server_cert"]
4004 params["private_key"] = "auth_serv/server-extra.pkcs12"
4005 params["private_key_passwd"] = "whatever"
4006 hostapd.add_ap(apdev[0]['ifname'], params)
4007 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4008 identity="mschap user", password="password",
4009 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    # AP side: stock WPA2-Enterprise configuration.
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # STA side: EAP-TTLS with an explicit client dh_file; the association is
    # expected to succeed. (The docstring says CHAP, but the inner method
    # configured below is PAP.)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Skip unless the STA build can load DSA-style parameters as DH params.
    check_dh_dsa_support(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Same flow as the plain dh_file case, but with DSA parameters.
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                    dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
4031 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4032 """EAP-TTLS and DH params file not found"""
# A dh_file that does not exist must make the STA fail EAP rather than
# proceed without the configured parameters. The condition between the
# wait_event() call and the raise (gutter 4042, presumably a None check on
# ev) is absent from this listing.
4033 skip_with_fips(dev[0])
4034 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4035 hostapd.add_ap(apdev[0]['ifname'], params)
4036 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4037 identity="mschap user", password="password",
4038 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4039 dh_file="auth_serv/dh-no-such-file.conf",
4040 scan_freq="2412", wait_connect=False)
4041 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4043 raise Exception("EAP failure timed out")
4044 dev[0].request("REMOVE_NETWORK all")
4045 dev[0].wait_disconnected()
4047 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4048 """EAP-TTLS and invalid DH params file"""
# dh_file points at a CA certificate, not DH parameters; the STA must reject
# it and report EAP failure. The condition between wait_event() and the
# raise (gutter 4058) is absent from this listing.
4049 skip_with_fips(dev[0])
4050 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4051 hostapd.add_ap(apdev[0]['ifname'], params)
4052 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4053 identity="mschap user", password="password",
4054 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4055 dh_file="auth_serv/ca.pem",
4056 scan_freq="2412", wait_connect=False)
4057 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4059 raise Exception("EAP failure timed out")
4060 dev[0].request("REMOVE_NETWORK all")
4061 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Push the DH parameters into a named wpa_supplicant blob instead of
    # referencing the file directly. str.encode("hex") is the Python 2 hex
    # codec; binascii.hexlify is the portable spelling.
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    reply = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    # The network profile refers to the blob via the blob:// scheme.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Here the DH parameters are configured on the hostapd-side EAP server,
    # not on the STA.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side counterpart of the DSA parameter test: hostapd loads the
    # DSA parameter file as its dh_file.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    sta_conf = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_conf)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this def reuses the name of the client-side dh_file test
    # defined earlier in this module; at import time it replaces that
    # definition, so only this server-side variant is registered.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the configuration error surfaces on
    # the explicit ENABLE rather than inside add_ap().
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): this def reuses the name of the client-side invalid
    # dh_file test defined earlier in this module and replaces it at import
    # time, so only this server-side variant is registered.
    srv = int_eap_server_params()
    # A CA certificate is not a DH parameter file; hostapd must refuse to
    # enable the interface with it.
    srv["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
4109 def test_ap_wpa2_eap_reauth(dev, apdev):
4110 """WPA2-Enterprise and Authenticator forcing reauthentication"""
# eap_reauth_period=2 makes the AP force a fresh EAP exchange shortly after
# the initial one; the STA must re-run EAP and return to COMPLETED. The None
# checks after the two wait_event() calls (gutters 4118, 4121) and the loop
# body's break/sleep lines (4126-4127) are absent from this listing.
4111 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4112 params['eap_reauth_period'] = '2'
4113 hostapd.add_ap(apdev[0]['ifname'], params)
4114 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
4115 password_hex="0123456789abcdef0123456789abcdef")
4116 logger.info("Wait for reauthentication")
4117 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4119 raise Exception("Timeout on reauthentication")
4120 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4122 raise Exception("Timeout on reauthentication")
# Poll wpa_state up to 20 times for the 4-way handshake to finish after
# the EAP success.
4123 for i in range(0, 20):
4124 state = dev[0].get_status_field("wpa_state")
4125 if state == "COMPLETED":
4128 if state != "COMPLETED":
4129 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed by a NUL separator and an options list in
    # the RFC 3748 Identity request format; the peer must ignore the extra
    # data and still authenticate. The literal "\\0" is two characters
    # (backslash, zero) in the config value - presumably interpreted by
    # hostapd's config parser, not by Python.
    ap_conf['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # Needs the HLR/AuC gateway simulator behind /tmp/hlr_auc_gw.sock.
    check_hlr_auc_gw_support()
    srv = int_eap_server_params()
    srv['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    srv['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], srv)

    # (method, identity, password) triples; the password strings are the
    # test-subscriber secrets that the simulator is provisioned with.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    last = len(cases) - 1
    for idx, (method, identity, secret) in enumerate(cases):
        # dev[0] requests the protected result indication and then
        # re-authenticates with the same method.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        # dev[1] uses the same server without requesting result_ind.
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
        # The networks are cleared between methods but left in place after
        # the final one, matching the original sequence.
        if idx != last:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
4174 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4175 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
# Exercises the STA's cap on EAP round trips (reported as "EAP: more than"),
# which bounds how long an authenticator can keep a peer in an unfinished
# exchange. The final keyword argument of the connect() call (gutter 4184),
# i.e. the setting that inflates the round-trip count, and the None check
# after wait_event() (4186) are absent from this listing.
4176 skip_with_fips(dev[0])
4177 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4178 hostapd.add_ap(apdev[0]['ifname'], params)
4179 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4180 eap="TTLS", identity="mschap user",
4181 wait_connect=False, scan_freq="2412", ieee80211w="1",
4182 anonymous_identity="ttls", password="password",
4183 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4185 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
4187 raise Exception("EAP roundtrip limit not reached")
4189 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4190 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
# The "vendor-test" identity makes the server propose a vendor-specific
# method that the peer (configured for EAP-PSK) refuses, so the exchange
# must end in an EAP failure after the "refuse proposed method" status.
# The rest of the connect() call (gutters 4196-4198), the None check in the
# loop (4201), the loop's break/continue handling (4204-4206) and the None
# check after the final wait_event() (4210) are absent from this listing.
4191 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4192 hostapd.add_ap(apdev[0]['ifname'], params)
4193 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4194 eap="PSK", identity="vendor-test",
4195 password_hex="ff23456789abcdef0123456789abcdef",
4199 for i in range(0, 5):
4200 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
4202 raise Exception("Association and EAP start timed out")
4203 if "refuse proposed method" in ev:
4207 raise Exception("Unexpected EAP status: " + ev)
4209 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4211 raise Exception("EAP failure timed out")
4213 def test_ap_wpa2_eap_sql(dev, apdev, params):
4214 """WPA2-Enterprise connection using SQLite for user DB"""
# Builds a throwaway SQLite user database under the test logdir and points
# hostapd's eap_user_file at it with the "sqlite:" prefix. All SQL here is
# constant literals (no interpolated input). The sqlite3 import guard
# (gutters 4216-4218), the stale-file cleanup (4221-4224), the "with con"/
# cursor setup (4226-4227) and the tail of the function (4255-4257) are
# absent from this listing.
4215 skip_with_fips(dev[0])
4219 raise HwsimSkip("No sqlite3 module available")
4220 dbfile = os.path.join(params['logdir'], "eap-user.db")
4225 con = sqlite3.connect(dbfile)
# Per-user rows bind each identity to one TTLS inner method; the wildcard
# row with an empty identity lets the outer (anonymous) identity select
# TTLS or TLS. Passwords are stored in the clear, as the inner methods
# require on the server side.
4228 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4229 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4230 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4231 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4232 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4233 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4234 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4235 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4238 params = int_eap_server_params()
4239 params["eap_user_file"] = "sqlite:" + dbfile
4240 hostapd.add_ap(apdev[0]['ifname'], params)
# Each inner method is driven by the identity that the DB maps to it.
4241 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
4242 anonymous_identity="ttls", password="password",
4243 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4244 dev[0].request("REMOVE_NETWORK all")
4245 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
4246 anonymous_identity="ttls", password="password",
4247 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4248 dev[1].request("REMOVE_NETWORK all")
4249 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
4250 anonymous_identity="ttls", password="password",
4251 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4252 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
4253 anonymous_identity="ttls", password="password",
4254 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4258 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4259 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Identities containing a lone 0x80 byte (not valid UTF-8) must not break
# EAP start or method selection on either the STA or the internal EAP
# server. The None checks after each wait_event() (gutters 4268, 4271) are
# absent from this listing.
4260 params = int_eap_server_params()
4261 hostapd.add_ap(apdev[0]['ifname'], params)
4262 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4263 identity="\x80", password="password", wait_connect=False)
4264 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4265 identity="a\x80", password="password", wait_connect=False)
4266 for i in range(0, 2):
4267 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4269 raise Exception("Association and EAP start timed out")
4270 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4272 raise Exception("EAP method selection timed out")
4274 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4275 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Same as the previous test but against the default wpa2_eap_params()
# server configuration (RADIUS-style) instead of int_eap_server_params().
# The None checks after each wait_event() (gutters 4284, 4287) are absent
# from this listing.
4276 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4277 hostapd.add_ap(apdev[0]['ifname'], params)
4278 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4279 identity="\x80", password="password", wait_connect=False)
4280 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4281 identity="a\x80", password="password", wait_connect=False)
4282 for i in range(0, 2):
4283 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4285 raise Exception("Association and EAP start timed out")
4286 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4288 raise Exception("EAP method selection timed out")
4290 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4291 """OpenSSL cipher suite configuration on wpa_supplicant"""
# Three STA-side openssl_ciphers values: "AES128" must connect, "EXPORT"
# must fail (maybe_local_error=True tolerates the failure surfacing on the
# client side), and the unparseable "FOO" must produce an EAP failure. The
# tail of the dev[2].connect() call (gutter 4311) and the None check after
# its wait_event() (4313) are absent from this listing.
4292 tls = dev[0].request("GET tls_library")
4293 if not tls.startswith("OpenSSL"):
4294 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4296 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4297 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4298 anonymous_identity="ttls", password="password",
4299 openssl_ciphers="AES128",
4300 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4301 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
4302 anonymous_identity="ttls", password="password",
4303 openssl_ciphers="EXPORT",
4304 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4305 expect_failure=True, maybe_local_error=True)
4306 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4307 identity="pap user", anonymous_identity="ttls",
4308 password="password",
4309 openssl_ciphers="FOO",
4310 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4312 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4314 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4315 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # Both ends must be OpenSSL for openssl_ciphers to have any effect.
    sta_lib = dev[0].request("GET tls_library")
    if not sta_lib.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_lib)
    srv = int_eap_server_params()
    # Restrict the server to AES256 suites.
    srv['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    ap_lib = hapd.request("GET tls_library")
    if not ap_lib.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_lib)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client cipher list overlaps with AES256: connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # Client limited to AES128 has no suite in common with the server: fails.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH without anonymous DH still includes AES256 suites: connects.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # An unparseable cipher string must be rejected when the second AP is
    # enabled rather than silently falling back to defaults.
    srv['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], srv, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
4346 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
4347 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Reads the wpa_supplicant process memory at several points of the
# connection lifecycle and checks that each secret (password, PMK, MSK,
# EMSK, PTK-derived KCK/KEK/TK, GTK) is gone once it is no longer needed.
# The key values are recovered from the hexdumps in the debug log. Several
# lines are absent from this listing: the pre-read synchronisation
# (gutters 4358-4359, 4361), the initialisation of msk/emsk/pmk/ptk/gtk
# before the log scan (4364-4370), the GTK length check and the derivation
# of kck/kek/tk from ptk (4389-4396), and the None/containment checks
# (4399, 4407, 4409, 4411, 4413, 4415, 4418). The local "id" shadows the
# builtin.
4348 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4349 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
4350 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4351 pid = find_wpas_process(dev[0])
4352 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
4353 anonymous_identity="ttls", password=password,
4354 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4355 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4356 # event has been delivered, so verify that wpa_supplicant has returned to
4357 # eloop before reading process memory.
4360 buf = read_process_memory(pid, password)
4362 dev[0].request("DISCONNECT")
4363 dev[0].wait_disconnected()
# Recover the derived keys from the debug log hexdumps; field index 3 of
# the ':'-split line is the hex payload.
4371 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
4372 for l in f.readlines():
4373 if "EAP-TTLS: Derived key - hexdump" in l:
4374 val = l.strip().split(':')[3].replace(' ', '')
4375 msk = binascii.unhexlify(val)
4376 if "EAP-TTLS: Derived EMSK - hexdump" in l:
4377 val = l.strip().split(':')[3].replace(' ', '')
4378 emsk = binascii.unhexlify(val)
4379 if "WPA: PMK - hexdump" in l:
4380 val = l.strip().split(':')[3].replace(' ', '')
4381 pmk = binascii.unhexlify(val)
4382 if "WPA: PTK - hexdump" in l:
4383 val = l.strip().split(':')[3].replace(' ', '')
4384 ptk = binascii.unhexlify(val)
4385 if "WPA: Group Key - hexdump" in l:
4386 val = l.strip().split(':')[3].replace(' ', '')
4387 gtk = binascii.unhexlify(val)
4388 if not msk or not emsk or not pmk or not ptk or not gtk:
4389 raise Exception("Could not find keys from debug log")
4391 raise Exception("Unexpected GTK length")
# fname is the prefix for memory-context dumps written by verify_not_present()
# when a secret is unexpectedly found.
4397 fname = os.path.join(params['logdir'],
4398 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# While associated: password and PMK are expected to be present (a missing
# one skips rather than fails), KCK/KEK must be present, TK and GTK must
# already have been cleared from the supplicant's memory.
4400 logger.info("Checking keys in memory while associated")
4401 get_key_locations(buf, password, "Password")
4402 get_key_locations(buf, pmk, "PMK")
4403 get_key_locations(buf, msk, "MSK")
4404 get_key_locations(buf, emsk, "EMSK")
4405 if password not in buf:
4406 raise HwsimSkip("Password not found while associated")
4408 raise HwsimSkip("PMK not found while associated")
4410 raise Exception("KCK not found while associated")
4412 raise Exception("KEK not found while associated")
4414 raise Exception("TK found from memory")
4416 get_key_locations(buf, gtk, "GTK")
4417 raise Exception("GTK found from memory")
# After disassociation: the PTK-derived keys and GTK must be gone.
4419 logger.info("Checking keys in memory after disassociation")
4420 buf = read_process_memory(pid, password)
4422 # Note: Password is still present in network configuration
4423 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4425 get_key_locations(buf, password, "Password")
4426 get_key_locations(buf, pmk, "PMK")
4427 get_key_locations(buf, msk, "MSK")
4428 get_key_locations(buf, emsk, "EMSK")
4429 verify_not_present(buf, kck, fname, "KCK")
4430 verify_not_present(buf, kek, fname, "KEK")
4431 verify_not_present(buf, tk, fname, "TK")
4432 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which invalidates the
# EAP fast re-auth state) must remove the PMK as well.
4434 dev[0].request("PMKSA_FLUSH")
4435 dev[0].set_network_quoted(id, "identity", "foo")
4436 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4437 buf = read_process_memory(pid, password)
4438 get_key_locations(buf, password, "Password")
4439 get_key_locations(buf, pmk, "PMK")
4440 get_key_locations(buf, msk, "MSK")
4441 get_key_locations(buf, emsk, "EMSK")
4442 verify_not_present(buf, pmk, fname, "PMK")
# Once the network profile is removed, nothing secret may remain.
4444 dev[0].request("REMOVE_NETWORK all")
4446 logger.info("Checking keys in memory after network profile removal")
4447 buf = read_process_memory(pid, password)
4449 get_key_locations(buf, password, "Password")
4450 get_key_locations(buf, pmk, "PMK")
4451 get_key_locations(buf, msk, "MSK")
4452 get_key_locations(buf, emsk, "EMSK")
4453 verify_not_present(buf, password, fname, "password")
4454 verify_not_present(buf, pmk, fname, "PMK")
4455 verify_not_present(buf, kck, fname, "KCK")
4456 verify_not_present(buf, kek, fname, "KEK")
4457 verify_not_present(buf, tk, fname, "TK")
4458 verify_not_present(buf, gtk, fname, "GTK")
4459 verify_not_present(buf, msk, fname, "MSK")
4460 verify_not_present(buf, emsk, fname, "EMSK")
4462 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
4463 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# Injects an EAPOL-Key frame with the legacy (RC4/WEP) key descriptor into
# the supplicant via EAPOL_RX after a WPA2 connection; the supplicant must
# drop it rather than act on it. The check of the EAPOL_RX reply between
# the request and the raise (gutter 4473) is absent from this listing.
4464 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4465 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4466 bssid = apdev[0]['bssid']
4467 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4468 anonymous_identity="ttls", password="password",
4469 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4471 # Send unexpected WEP EAPOL-Key; this gets dropped
4472 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
4474 raise Exception("EAPOL_RX to wpa_supplicant failed")
4476 def test_ap_wpa2_eap_in_bridge(dev, apdev):
4477 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs the bridge test and always tears the bridge down
# afterwards. The ifname/br_ifname assignments and the try: (gutters
# 4478-4480) and the finally: (4482) are absent from this listing.
# subprocess.call() is used with argument lists (no shell), and the
# cleanup ignores return codes on purpose so a partial setup still gets
# torn down.
4481 _test_ap_wpa2_eap_in_bridge(dev, apdev)
4483 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
4484 subprocess.call(['brctl', 'delif', br_ifname, ifname])
4485 subprocess.call(['brctl', 'delbr', br_ifname])
4486 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
4488 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Puts a 4-address STA interface into a Linux bridge and checks that EAPOL
# (PAX) authentication, re-authentication and reconnect all work over the
# bridged interface. The ifname/br_ifname assignments (gutters 4491-4493)
# and the lines after interface_add (4501-4502) are absent from this
# listing; the local "id" shadows the builtin.
4489 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4490 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4494 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup: forwarding delay 0 so the port is usable immediately;
# addif uses check_call so a failure here aborts rather than continues.
4495 subprocess.call(['brctl', 'addbr', br_ifname])
4496 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
4497 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
4498 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
4499 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
4500 wpas.interface_add(ifname, br_ifname=br_ifname)
4503 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
4504 password_hex="0123456789abcdef0123456789abcdef")
4506 eap_reauth(wpas, "PAX")
4508 # Try again as a regression test for packet socket workaround
4509 eap_reauth(wpas, "PAX")
4511 wpas.request("DISCONNECT")
4512 wpas.wait_disconnected()
4514 wpas.request("RECONNECT")
4515 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Sanity-check the AP's effective key_mgmt before relying on it.
    km = hapd.get_config()['key_mgmt']
    first_akm = km.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + km)
    # tls_disable_session_ticket=0 explicitly allows TLS session tickets;
    # the subsequent re-authentication must still succeed with them enabled.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
4531 def test_ap_wpa2_eap_no_workaround(dev, apdev):
4532 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# eap_workaround='0' disables the peer's interoperability workarounds; the
# connection and re-authentication must still work against hostapd. The
# final argument line of the eap_connect() call (gutter 4541, presumably
# the phase2 setting) is absent from this listing.
4533 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4534 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4535 key_mgmt = hapd.get_config()['key_mgmt']
4536 if key_mgmt.split(' ')[0] != "WPA-EAP":
4537 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
4538 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4539 anonymous_identity="ttls", password="password",
4540 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4542 eap_reauth(dev[0], "TTLS")
4544 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
4545 """EAP-TLS and server checking CRL"""
# Server-side CRL enforcement for EAP-TLS client certificates: with
# check_crl=1 and no CRL loaded, the client must be rejected (fail closed);
# once a CA bundle containing a CRL is configured the same client is
# accepted, also with check_crl=2. The lines following each hapd.set()
# (gutters 4555-4556, 4558-4559, 4565-4566, 4568-4569) - presumably the
# steps that make the new setting take effect - are absent from this
# listing.
4546 params = int_eap_server_params()
4547 params['check_crl'] = '1'
4548 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4550 # check_crl=1 and no CRL available --> reject connection
4551 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4552 client_cert="auth_serv/user.pem",
4553 private_key="auth_serv/user.key", expect_failure=True)
4554 dev[0].request("REMOVE_NETWORK all")
4557 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
4560 # check_crl=1 and valid CRL --> accept
4561 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4562 client_cert="auth_serv/user.pem",
4563 private_key="auth_serv/user.key")
4564 dev[0].request("REMOVE_NETWORK all")
4567 hapd.set("check_crl", "2")
4570 # check_crl=2 and valid CRL --> accept
4571 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4572 client_cert="auth_serv/user.pem",
4573 private_key="auth_serv/user.key")
4574 dev[0].request("REMOVE_NETWORK all")
4576 def test_ap_wpa2_eap_tls_oom(dev, apdev):
4577 """EAP-TLS and OOM"""
# Injects allocation failures (1st..4th allocation) inside
# tls_connection_set_subject_match while the STA applies its certificate
# matching parameters; the expected outcome is a clean configuration error
# surfacing as a CTRL-REQ-PASSPHRASE request rather than a crash or a
# connection with the matching constraints silently dropped. The None
# check after wait_event() (gutter 4603) is absent from this listing.
4578 check_subject_match_support(dev[0])
4579 check_altsubject_match_support(dev[0])
4580 check_domain_match(dev[0])
4581 check_domain_match_full(dev[0])
4583 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4584 hostapd.add_ap(apdev[0]['ifname'], params)
4586 tests = [ (1, "tls_connection_set_subject_match"),
4587 (2, "tls_connection_set_subject_match"),
4588 (3, "tls_connection_set_subject_match"),
4589 (4, "tls_connection_set_subject_match") ]
4590 for count, func in tests:
4591 with alloc_fail(dev[0], count, func):
4592 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4593 identity="tls user", ca_cert="auth_serv/ca.pem",
4594 client_cert="auth_serv/user.pem",
4595 private_key="auth_serv/user.key",
4596 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
4597 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
4598 domain_suffix_match="server.w1.fi",
4599 domain_match="server.w1.fi",
4600 wait_connect=False, scan_freq="2412")
4601 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
4602 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
4604 raise Exception("No passphrase request")
4605 dev[0].request("REMOVE_NETWORK all")
4606 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2: hostapd consults the external RADIUS server for the
    # MAC-address ACL decision before the EAP exchange.
    ap_conf["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # EAP-TLS with the standard test client certificate; dev[1] is used here.
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
4617 def test_ap_wpa2_eap_oom(dev, apdev):
4618 """EAP server and OOM"""
# Fails the first eapol_auth_alloc() on the hostapd side so the initial
# EAPOL state machine allocation for the STA fails; the STA's EAPOL-Start
# retry must then succeed. The rest of the leading comment (gutter 4625)
# and the tail of the connect() call (4630-4631) are absent from this
# listing.
4619 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4620 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4621 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
4623 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
4624 # The first attempt fails, but STA will send EAPOL-Start to retry and
4626 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4627 identity="tls user", ca_cert="auth_serv/ca.pem",
4628 client_cert="auth_serv/user.pem",
4629 private_key="auth_serv/user.key",
4632 def check_tls_ver(dev, ap, phase1, expected):
# Helper: connect with EAP-TLS using the given phase1 string and verify the
# negotiated TLS version reported by the eap_tls_version status field
# equals `expected`. The argument line that passes phase1 to eap_connect()
# (gutter 4636) and the comparison before the raise (4638) are absent from
# this listing.
4633 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4634 client_cert="auth_serv/user.pem",
4635 private_key="auth_serv/user.key",
4637 ver = dev.get_status_field("eap_tls_version")
4639 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
4641 def test_ap_wpa2_eap_tls_versions(dev, apdev):
4642 """EAP-TLS and TLS version configuration"""
# Verifies that the tls_disable_tlsv1_* phase1 flags actually pin the
# negotiated TLS version. For OpenSSL only the 1.0.2 build/run combination
# is checked; the internal TLS implementation is checked for 1.2, 1.1 and
# 1.0. The expected-version argument of the OpenSSL branch's check
# (gutter 4651) is absent from this listing. Note that the older versions
# are exercised here only to verify the knobs work, not as a recommended
# configuration.
4643 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4644 hostapd.add_ap(apdev[0]['ifname'], params)
4646 tls = dev[0].request("GET tls_library")
4647 if tls.startswith("OpenSSL"):
4648 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
4649 check_tls_ver(dev[0], apdev[0],
4650 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
4652 elif tls.startswith("internal"):
4653 check_tls_ver(dev[0], apdev[0],
4654 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
4655 check_tls_ver(dev[1], apdev[0],
4656 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
4657 check_tls_ver(dev[2], apdev[0],
4658 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
4660 def test_rsn_ie_proto_eap_sta(dev, apdev):
4661 """RSN element protocol testing for EAP cases on STA side"""
# Robustness test for the STA's RSN element parser: the AP advertises
# progressively truncated RSNEs (missing RSN Capabilities, AKM suites,
# pairwise suites, group cipher) via own_ie_override and the STA must still
# associate and complete the handshake with defaults instead of mis-parsing.
# The tail of the connect() call (gutters 4670-4671), the IE value of the
# fourth case (4679), the lines around hapd.set() (4683-4684, 4686) and
# the per-iteration cleanup (4691) are absent from this listing. The local
# "id" shadows the builtin.
4662 bssid = apdev[0]['bssid']
4663 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4664 # This is the RSN element used normally by hostapd
4665 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
4666 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4667 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4668 identity="gpsk user",
4669 password="abcdefghijklmnop0123456789abcdef",
4672 tests = [ ('No RSN Capabilities field',
4673 '30120100000fac040100000fac040100000fac01'),
4674 ('No AKM Suite fields',
4675 '300c0100000fac040100000fac04'),
4676 ('No Pairwise Cipher Suite fields',
4677 '30060100000fac04'),
4678 ('No Group Data Cipher Suite field',
# For each variant: disconnect, swap the AP's RSNE, force a fresh scan so the
# STA sees the new element, then reconnect to the same profile.
4680 for txt,ie in tests:
4681 dev[0].request("DISCONNECT")
4682 dev[0].wait_disconnected()
4685 hapd.set('own_ie_override', ie)
4687 dev[0].request("BSS_FLUSH 0")
4688 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
4689 dev[0].select_network(id, freq=2412)
4690 dev[0].wait_connected()
4692 dev[0].request("DISCONNECT")
4693 dev[0].wait_disconnected()
4694 dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both hostapd and wpa_supplicant use OpenSSL.

    The AP side is checked first, then the station side; a mismatch on either
    raises HwsimSkip carrying the library string returned by GET tls_library.
    """
    checks = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for ctrl, reason in checks:
        lib = ctrl.request("GET tls_library")
        if lib.startswith("OpenSSL"):
            continue
        raise HwsimSkip(reason + lib)
4705 def test_eap_ttls_pap_session_resumption(dev, apdev):
4706 """EAP-TTLS/PAP session resumption"""
# With a non-zero tls_session_lifetime the first connection must be a full
# handshake (tls_session_reused == '0') and the REAUTHENTICATE must resume
# the cached session ('1'). The final argument line of eap_connect()
# (gutter 4714) and the None checks after the two wait_event() calls (4720,
# 4723) are absent from this listing.
4707 params = int_eap_server_params()
4708 params['tls_session_lifetime'] = '60'
4709 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4710 check_tls_session_resumption_capa(dev[0], hapd)
4711 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4712 anonymous_identity="ttls", password="password",
4713 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4715 if dev[0].get_status_field("tls_session_reused") != '0':
4716 raise Exception("Unexpected session resumption on the first connection")
4718 dev[0].request("REAUTHENTICATE")
4719 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4721 raise Exception("EAP success timed out")
4722 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4724 raise Exception("Key handshake with the AP timed out")
4725 if dev[0].get_status_field("tls_session_reused") != '1':
4726 raise Exception("Session resumption not used on the second connection")
4728 def test_eap_ttls_chap_session_resumption(dev, apdev):
4729 """EAP-TTLS/CHAP session resumption"""
# Same resumption check as the PAP variant with the CHAP inner method. The
# None checks after the two wait_event() calls (gutters 4742, 4745) are
# absent from this listing.
4730 params = int_eap_server_params()
4731 params['tls_session_lifetime'] = '60'
4732 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4733 check_tls_session_resumption_capa(dev[0], hapd)
4734 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
4735 anonymous_identity="ttls", password="password",
4736 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
4737 if dev[0].get_status_field("tls_session_reused") != '0':
4738 raise Exception("Unexpected session resumption on the first connection")
4740 dev[0].request("REAUTHENTICATE")
4741 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4743 raise Exception("EAP success timed out")
4744 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4746 raise Exception("Key handshake with the AP timed out")
4747 if dev[0].get_status_field("tls_session_reused") != '1':
4748 raise Exception("Session resumption not used on the second connection")
4750 def test_eap_ttls_mschap_session_resumption(dev, apdev):
4751 """EAP-TTLS/MSCHAP session resumption"""
# MSCHAP variant; also pins the server identity with domain_suffix_match so
# the resumed session is still bound to the expected server name. The None
# checks after the two wait_event() calls (gutters 4766, 4769) are absent
# from this listing.
4752 check_domain_suffix_match(dev[0])
4753 params = int_eap_server_params()
4754 params['tls_session_lifetime'] = '60'
4755 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4756 check_tls_session_resumption_capa(dev[0], hapd)
4757 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
4758 anonymous_identity="ttls", password="password",
4759 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4760 domain_suffix_match="server.w1.fi")
4761 if dev[0].get_status_field("tls_session_reused") != '0':
4762 raise Exception("Unexpected session resumption on the first connection")
4764 dev[0].request("REAUTHENTICATE")
4765 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4767 raise Exception("EAP success timed out")
4768 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4770 raise Exception("Key handshake with the AP timed out")
4771 if dev[0].get_status_field("tls_session_reused") != '1':
4772 raise Exception("Session resumption not used on the second connection")
4774 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
4775 """EAP-TTLS/MSCHAPv2 session resumption"""
# MSCHAPv2 variant with a domain-prefixed identity. Python keeps the "\m"
# in "DOMAIN\mschapv2 user" as a literal backslash because it is not a
# recognised escape, but newer interpreters warn about it; a raw string or
# "\\" would make the intent explicit. The None checks after the two
# wait_event() calls (gutters 4791, 4794) are absent from this listing.
4776 check_domain_suffix_match(dev[0])
4777 check_eap_capa(dev[0], "MSCHAPV2")
4778 params = int_eap_server_params()
4779 params['tls_session_lifetime'] = '60'
4780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4781 check_tls_session_resumption_capa(dev[0], hapd)
4782 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
4783 anonymous_identity="ttls", password="password",
4784 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4785 domain_suffix_match="server.w1.fi")
4786 if dev[0].get_status_field("tls_session_reused") != '0':
4787 raise Exception("Unexpected session resumption on the first connection")
4789 dev[0].request("REAUTHENTICATE")
4790 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4792 raise Exception("EAP success timed out")
4793 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4795 raise Exception("Key handshake with the AP timed out")
4796 if dev[0].get_status_field("tls_session_reused") != '1':
4797 raise Exception("Session resumption not used on the second connection")
4799 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
4800 """EAP-TTLS/EAP-GTC session resumption"""
4801 params = int_eap_server_params()
# Non-zero server cache lifetime (seconds) so the second EAP run can resume.
4802 params['tls_session_lifetime'] = '60'
4803 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4804 check_tls_session_resumption_capa(dev[0], hapd)
# Inner method is EAP-GTC tunnelled as an EAP method ("autheap=") rather
# than a plain TTLS inner auth ("auth=").
4805 eap_connect(dev[0], apdev[0], "TTLS", "user",
4806 anonymous_identity="ttls", password="password",
4807 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
# First connection must be a full handshake.
4808 if dev[0].get_status_field("tls_session_reused") != '0':
4809 raise Exception("Unexpected session resumption on the first connection")
# Second EAP run over the same association must resume the cached session.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4811 dev[0].request("REAUTHENTICATE")
4812 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4814 raise Exception("EAP success timed out")
4815 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4817 raise Exception("Key handshake with the AP timed out")
4818 if dev[0].get_status_field("tls_session_reused") != '1':
4819 raise Exception("Session resumption not used on the second connection")
4821 def test_eap_ttls_no_session_resumption(dev, apdev):
4822 """EAP-TTLS session resumption disabled on server"""
4823 params = int_eap_server_params()
# Lifetime 0 disables the server-side TLS session cache entirely; every
# EAP run must then be a full handshake.
4824 params['tls_session_lifetime'] = '0'
4825 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): one argument line of this call (after eap_workaround) is
# missing from this listing; the inner method is not visible here.
4826 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4827 anonymous_identity="ttls", password="password",
4828 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4830 if dev[0].get_status_field("tls_session_reused") != '0':
4831 raise Exception("Unexpected session resumption on the first connection")
# Re-authentication must also complete without resumption.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4833 dev[0].request("REAUTHENTICATE")
4834 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4836 raise Exception("EAP success timed out")
4837 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4839 raise Exception("Key handshake with the AP timed out")
4840 if dev[0].get_status_field("tls_session_reused") != '0':
4841 raise Exception("Unexpected session resumption on the second connection")
4843 def test_eap_peap_session_resumption(dev, apdev):
4844 """EAP-PEAP session resumption"""
4845 params = int_eap_server_params()
# Non-zero server cache lifetime (seconds) so the second EAP run can resume.
4846 params['tls_session_lifetime'] = '60'
4847 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4848 check_tls_session_resumption_capa(dev[0], hapd)
4849 eap_connect(dev[0], apdev[0], "PEAP", "user",
4850 anonymous_identity="peap", password="password",
4851 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake.
4852 if dev[0].get_status_field("tls_session_reused") != '0':
4853 raise Exception("Unexpected session resumption on the first connection")
# Second EAP run over the same association must resume the cached session.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4855 dev[0].request("REAUTHENTICATE")
4856 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4858 raise Exception("EAP success timed out")
4859 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4861 raise Exception("Key handshake with the AP timed out")
4862 if dev[0].get_status_field("tls_session_reused") != '1':
4863 raise Exception("Session resumption not used on the second connection")
4865 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
4866 """EAP-PEAP session resumption with crypto binding"""
4867 params = int_eap_server_params()
# Non-zero server cache lifetime (seconds) so the second EAP run can resume.
4868 params['tls_session_lifetime'] = '60'
4869 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4870 check_tls_session_resumption_capa(dev[0], hapd)
# peapver=0 pins PEAPv0; crypto_binding=2 makes the cryptobinding TLV
# mandatory, so the test covers resumption together with the binding
# of the inner method to the outer TLS tunnel.
4871 eap_connect(dev[0], apdev[0], "PEAP", "user",
4872 anonymous_identity="peap", password="password",
4873 phase1="peapver=0 crypto_binding=2",
4874 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake.
4875 if dev[0].get_status_field("tls_session_reused") != '0':
4876 raise Exception("Unexpected session resumption on the first connection")
# Second EAP run over the same association must resume the cached session.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4878 dev[0].request("REAUTHENTICATE")
4879 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4881 raise Exception("EAP success timed out")
4882 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4884 raise Exception("Key handshake with the AP timed out")
4885 if dev[0].get_status_field("tls_session_reused") != '1':
4886 raise Exception("Session resumption not used on the second connection")
4888 def test_eap_peap_no_session_resumption(dev, apdev):
4889 """EAP-PEAP session resumption disabled on server"""
# No tls_session_lifetime is set here, unlike the TTLS variant which sets
# '0' explicitly; this relies on the server default leaving the session
# cache disabled — TODO confirm against int_eap_server_params().
4890 params = int_eap_server_params()
4891 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4892 eap_connect(dev[0], apdev[0], "PEAP", "user",
4893 anonymous_identity="peap", password="password",
4894 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4895 if dev[0].get_status_field("tls_session_reused") != '0':
4896 raise Exception("Unexpected session resumption on the first connection")
# Re-authentication must also complete without resumption.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4898 dev[0].request("REAUTHENTICATE")
4899 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4901 raise Exception("EAP success timed out")
4902 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4904 raise Exception("Key handshake with the AP timed out")
4905 if dev[0].get_status_field("tls_session_reused") != '0':
4906 raise Exception("Unexpected session resumption on the second connection")
4908 def test_eap_tls_session_resumption(dev, apdev):
4909 """EAP-TLS session resumption"""
4910 params = int_eap_server_params()
# Non-zero server cache lifetime (seconds) so later EAP runs can resume.
4911 params['tls_session_lifetime'] = '60'
4912 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4913 check_tls_session_resumption_capa(dev[0], hapd)
# Certificate-based client authentication; no inner method.
4914 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4915 client_cert="auth_serv/user.pem",
4916 private_key="auth_serv/user.key")
# First connection must be a full handshake.
4917 if dev[0].get_status_field("tls_session_reused") != '0':
4918 raise Exception("Unexpected session resumption on the first connection")
# Second EAP run must resume the cached session.
# NOTE(review): the `if ev is None:` guards before each "timed out" raise
# in this function appear to have been dropped from this listing.
4920 dev[0].request("REAUTHENTICATE")
4921 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4923 raise Exception("EAP success timed out")
4924 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4926 raise Exception("Key handshake with the AP timed out")
4927 if dev[0].get_status_field("tls_session_reused") != '1':
4928 raise Exception("Session resumption not used on the second connection")
# Third run: the entry stays valid after having been resumed once, so
# resumption is expected again.
4930 dev[0].request("REAUTHENTICATE")
4931 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4933 raise Exception("EAP success timed out")
4934 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4936 raise Exception("Key handshake with the AP timed out")
4937 if dev[0].get_status_field("tls_session_reused") != '1':
4938 raise Exception("Session resumption not used on the third connection")
4940 def test_eap_tls_session_resumption_expiration(dev, apdev):
4941 """EAP-TLS session resumption after cache lifetime expiration"""
4942 params = int_eap_server_params()
# Shortest non-zero lifetime (1 s): the cached session must be unusable
# by the time the re-authentication below runs.
4943 params['tls_session_lifetime'] = '1'
4944 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4945 check_tls_session_resumption_capa(dev[0], hapd)
4946 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4947 client_cert="auth_serv/user.pem",
4948 private_key="auth_serv/user.key")
4949 if dev[0].get_status_field("tls_session_reused") != '0':
4950 raise Exception("Unexpected session resumption on the first connection")
4952 # Allow multiple attempts since OpenSSL may not expire the cached entry
# NOTE(review): the retry loop header and the sleep/break lines between
# the comment above and the REAUTHENTICATE (and after the `== '0'` check)
# are missing from this listing, as are the `if ev is None:` guards; the
# body below is one iteration of that loop.
4957 dev[0].request("REAUTHENTICATE")
4958 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4960 raise Exception("EAP success timed out")
4961 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4963 raise Exception("Key handshake with the AP timed out")
# A full handshake ends the retry loop; a resumed session means the
# entry had not expired yet and another attempt is made.
4964 if dev[0].get_status_field("tls_session_reused") == '0':
# After the attempts, resumption of an expired entry is a failure.
4966 if dev[0].get_status_field("tls_session_reused") != '0':
4967 raise Exception("Session resumption used after lifetime expiration")
4969 def test_eap_tls_no_session_resumption(dev, apdev):
4970 """EAP-TLS session resumption disabled on server"""
# tls_session_lifetime is left unset; relies on the server default keeping
# the session cache disabled — TODO confirm against int_eap_server_params().
4971 params = int_eap_server_params()
4972 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4973 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4974 client_cert="auth_serv/user.pem",
4975 private_key="auth_serv/user.key")
4976 if dev[0].get_status_field("tls_session_reused") != '0':
4977 raise Exception("Unexpected session resumption on the first connection")
# Re-authentication must also complete without resumption.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
4979 dev[0].request("REAUTHENTICATE")
4980 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4982 raise Exception("EAP success timed out")
4983 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4985 raise Exception("Key handshake with the AP timed out")
4986 if dev[0].get_status_field("tls_session_reused") != '0':
4987 raise Exception("Unexpected session resumption on the second connection")
4989 def test_eap_tls_session_resumption_radius(dev, apdev):
4990 """EAP-TLS session resumption (RADIUS)"""
# Second hostapd instance on apdev[1] acting only as a RADIUS
# authentication server (port 18128) with a 60 s TLS session cache.
# NOTE(review): one parameter line (between the auth port and
# eap_user_file) is missing from this listing.
4991 params = { "ssid": "as", "beacon_int": "2000",
4992 "radius_server_clients": "auth_serv/radius_clients.conf",
4993 "radius_server_auth_port": '18128',
4995 "eap_user_file": "auth_serv/eap_user.conf",
4996 "ca_cert": "auth_serv/ca.pem",
4997 "server_cert": "auth_serv/server.pem",
4998 "private_key": "auth_serv/server.key",
4999 "tls_session_lifetime": "60" }
5000 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# Capability check is against the RADIUS server instance, since that is
# where the TLS session cache lives.
5001 check_tls_session_resumption_capa(dev[0], authsrv)
# The AP on apdev[0] is a plain authenticator forwarding EAP to the
# local RADIUS server above.
5003 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5004 params['auth_server_port'] = "18128"
5005 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5006 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5007 client_cert="auth_serv/user.pem",
5008 private_key="auth_serv/user.key")
5009 if dev[0].get_status_field("tls_session_reused") != '0':
5010 raise Exception("Unexpected session resumption on the first connection")
# Resumption must work across the RADIUS hop too.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
5012 dev[0].request("REAUTHENTICATE")
5013 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5015 raise Exception("EAP success timed out")
5016 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5018 raise Exception("Key handshake with the AP timed out")
5019 if dev[0].get_status_field("tls_session_reused") != '1':
5020 raise Exception("Session resumption not used on the second connection")
5022 def test_eap_tls_no_session_resumption_radius(dev, apdev):
5023 """EAP-TLS session resumption disabled (RADIUS)"""
# Same RADIUS-server setup as the resumption variant, but with the
# session cache explicitly disabled (lifetime 0).
# NOTE(review): one parameter line (between the auth port and
# eap_user_file) is missing from this listing.
5024 params = { "ssid": "as", "beacon_int": "2000",
5025 "radius_server_clients": "auth_serv/radius_clients.conf",
5026 "radius_server_auth_port": '18128',
5028 "eap_user_file": "auth_serv/eap_user.conf",
5029 "ca_cert": "auth_serv/ca.pem",
5030 "server_cert": "auth_serv/server.pem",
5031 "private_key": "auth_serv/server.key",
5032 "tls_session_lifetime": "0" }
5033 hostapd.add_ap(apdev[1]['ifname'], params)
5035 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5036 params['auth_server_port'] = "18128"
5037 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5038 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5039 client_cert="auth_serv/user.pem",
5040 private_key="auth_serv/user.key")
5041 if dev[0].get_status_field("tls_session_reused") != '0':
5042 raise Exception("Unexpected session resumption on the first connection")
# Re-authentication must also complete without resumption.
# NOTE(review): the `if ev is None:` guards before the two "timed out"
# raises appear to have been dropped from this listing.
5044 dev[0].request("REAUTHENTICATE")
5045 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5047 raise Exception("EAP success timed out")
5048 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5050 raise Exception("Key handshake with the AP timed out")
5051 if dev[0].get_status_field("tls_session_reused") != '0':
5052 raise Exception("Unexpected session resumption on the second connection")
5054 def test_eap_mschapv2_errors(dev, apdev):
5055 """EAP-MSCHAPv2 error cases"""
5056 check_eap_capa(dev[0], "MSCHAPV2")
5057 check_eap_capa(dev[0], "FAST")
5059 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5060 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: a plain successful connection before any fault injection.
# NOTE(review): the closing argument line of this connect() call is
# missing from this listing.
5061 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5062 identity="phase1-user", password="password",
5064 dev[0].request("REMOVE_NETWORK all")
5065 dev[0].wait_disconnected()
# Each tuple is (failure count, "function;caller" trigger spec) for the
# test-build fault injection in fail_test(); the connection is started
# without waiting for completion, and wait_fail_trigger() only checks
# that the injected failure actually fired. The entry
# "nt_password_hash;=mschapv2_derive_response" is listed twice.
5067 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5068 (1, "nt_password_hash;mschapv2_derive_response"),
5069 (1, "nt_password_hash;=mschapv2_derive_response"),
5070 (1, "generate_nt_response;mschapv2_derive_response"),
5071 (1, "generate_authenticator_response;mschapv2_derive_response"),
5072 (1, "nt_password_hash;=mschapv2_derive_response"),
5073 (1, "get_master_key;mschapv2_derive_response"),
5074 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5075 for count, func in tests:
5076 with fail_test(dev[0], count, func):
5077 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5078 identity="phase1-user", password="password",
5079 wait_connect=False, scan_freq="2412")
5080 wait_fail_trigger(dev[0], "GET_FAIL")
5081 dev[0].request("REMOVE_NETWORK all")
5082 dev[0].wait_disconnected()
# Same injection points, but the credential is supplied as an NT password
# hash (password_hex="hash:...") so the *_pwhash code paths are exercised.
5084 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5085 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5086 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5087 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5088 for count, func in tests:
5089 with fail_test(dev[0], count, func):
5090 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5091 identity="phase1-user",
5092 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5093 wait_connect=False, scan_freq="2412")
5094 wait_fail_trigger(dev[0], "GET_FAIL")
5095 dev[0].request("REMOVE_NETWORK all")
5096 dev[0].wait_disconnected()
# Memory allocation failures at the named points (alloc_fail); the peer
# must abort cleanly rather than crash.
5098 tests = [ (1, "eap_mschapv2_init"),
5099 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5100 (1, "eap_msg_alloc;eap_mschapv2_success"),
5101 (1, "eap_mschapv2_getKey") ]
5102 for count, func in tests:
5103 with alloc_fail(dev[0], count, func):
5104 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5105 identity="phase1-user", password="password",
5106 wait_connect=False, scan_freq="2412")
5107 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5108 dev[0].request("REMOVE_NETWORK all")
5109 dev[0].wait_disconnected()
# A wrong password drives the server to send an MSCHAPv2 Failure, which
# is the only way to reach the eap_mschapv2_failure allocation.
5111 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5112 for count, func in tests:
5113 with alloc_fail(dev[0], count, func):
5114 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5115 identity="phase1-user", password="wrong password",
5116 wait_connect=False, scan_freq="2412")
5117 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5118 dev[0].request("REMOVE_NETWORK all")
5119 dev[0].wait_disconnected()
# Later eap_mschapv2_init allocations (2nd and 3rd) are reached only when
# MSCHAPv2 runs as the inner method of EAP-FAST with in-band provisioning.
5121 tests = [ (2, "eap_mschapv2_init"),
5122 (3, "eap_mschapv2_init") ]
5123 for count, func in tests:
5124 with alloc_fail(dev[0], count, func):
5125 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
5126 anonymous_identity="FAST", identity="user",
5127 password="password",
5128 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5129 phase1="fast_provisioning=1",
5130 pac_file="blob://fast_pac",
5131 wait_connect=False, scan_freq="2412")
5132 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5133 dev[0].request("REMOVE_NETWORK all")
5134 dev[0].wait_disconnected()
5136 def test_eap_gpsk_errors(dev, apdev):
5137 """EAP-GPSK error cases"""
5138 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline successful EAP-GPSK connection before fault injection.
# NOTE(review): the closing argument line of this connect() call is
# missing from this listing.
5140 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5141 identity="gpsk user",
5142 password="abcdefghijklmnop0123456789abcdef",
5144 dev[0].request("REMOVE_NETWORK all")
5145 dev[0].wait_disconnected()
# (count, trigger spec, phase1) tuples for fail_test(); phase1 selects the
# GPSK cipher suite where a given derivation path is only reachable for
# one suite.
# NOTE(review): several phase1 values of this list, and the phase1=
# argument line of the connect() call in the loop, are missing from this
# listing.
5147 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5148 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5150 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5152 (1, "eap_gpsk_derive_keys_helper", None),
5153 (2, "eap_gpsk_derive_keys_helper", None),
5154 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5156 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5158 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5159 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5160 (1, "eap_gpsk_derive_mid_helper", None) ]
5161 for count, func, phase1 in tests:
5162 with fail_test(dev[0], count, func):
5163 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5164 identity="gpsk user",
5165 password="abcdefghijklmnop0123456789abcdef",
5167 wait_connect=False, scan_freq="2412")
5168 wait_fail_trigger(dev[0], "GET_FAIL")
5169 dev[0].request("REMOVE_NETWORK all")
5170 dev[0].wait_disconnected()
# Allocation failures; erp="1" with a preceding ERP_FLUSH additionally
# exercises the EMSK/session-id export paths (eap_gpsk_get_emsk,
# eap_gpsk_get_session_id).
5172 tests = [ (1, "eap_gpsk_init"),
5173 (2, "eap_gpsk_init"),
5174 (3, "eap_gpsk_init"),
5175 (1, "eap_gpsk_process_id_server"),
5176 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5177 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5178 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5179 (1, "eap_gpsk_derive_keys"),
5180 (1, "eap_gpsk_derive_keys_helper"),
5181 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5182 (1, "eap_gpsk_getKey"),
5183 (1, "eap_gpsk_get_emsk"),
5184 (1, "eap_gpsk_get_session_id") ]
5185 for count, func in tests:
5186 with alloc_fail(dev[0], count, func):
5187 dev[0].request("ERP_FLUSH")
5188 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5189 identity="gpsk user", erp="1",
5190 password="abcdefghijklmnop0123456789abcdef",
5191 wait_connect=False, scan_freq="2412")
5192 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5193 dev[0].request("REMOVE_NETWORK all")
5194 dev[0].wait_disconnected()
5196 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
5197 """EAP-SIM DB error cases"""
# Fixed socket path under /tmp; the test itself stands in for hlr_auc_gw
# on this socket. A predictable path in a shared directory is acceptable
# for a lab harness only — TODO confirm the dropped lines below remove a
# stale socket before use.
5198 sockpath = '/tmp/hlr_auc_gw.sock-test'
# NOTE(review): lines between sockpath and hparams are missing from this
# listing.
5203 hparams = int_eap_server_params()
5204 hparams['eap_sim_db'] = 'unix:' + sockpath
5205 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
5207 # Initial test with hlr_auc_gw socket not available
# The network is configured once here and re-selected for each phase.
# NOTE(review): the `if ev is None:` guard before "EAP-Failure not
# reported" appears to have been dropped (here and in the second phase).
5208 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
5209 eap="SIM", identity="1232010000000000",
5210 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5211 scan_freq="2412", wait_connect=False)
5212 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5214 raise Exception("EAP-Failure not reported")
5215 dev[0].wait_disconnected()
5216 dev[0].request("DISCONNECT")
5218 # Test with invalid responses and response timeout
# Fake hlr_auc_gw: answers one request with three malformed replies (the
# comments name the hostapd log line each one provokes) and then sends
# nothing valid, so hostapd's pending eap_sim_db request must time out
# and end in EAP-Failure.
# NOTE(review): the handle(self) method header is missing from this
# listing; `socket` here shadows the stdlib module name.
5220 class test_handler(SocketServer.DatagramRequestHandler):
5222 data = self.request[0].strip()
5223 socket = self.request[1]
5224 logger.debug("Received hlr_auc_gw request: " + data)
5225 # EAP-SIM DB: Failed to parse response string
5226 socket.sendto("FOO", self.client_address)
5227 # EAP-SIM DB: Failed to parse response string
5228 socket.sendto("FOO 1", self.client_address)
5229 # EAP-SIM DB: Unknown external response
5230 socket.sendto("FOO 1 2", self.client_address)
5231 logger.info("No proper response - wait for pending eap_sim_db request timeout")
5233 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
# handle_request() serves exactly one datagram.
5236 dev[0].select_network(id)
5237 server.handle_request()
5238 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5240 raise Exception("EAP-Failure not reported")
5241 dev[0].wait_disconnected()
5242 dev[0].request("DISCONNECT")
5244 # Test with a valid response
# Second handler proxies the request to the real hlr_auc_gw binary
# (argument list form, no shell) and relays its answer; the
# authentication is then expected to succeed.
# NOTE(review): the handle() header, part of the Popen argument list and
# the line after `res = ...` are missing from this listing.
5246 class test_handler2(SocketServer.DatagramRequestHandler):
5248 data = self.request[0].strip()
5249 socket = self.request[1]
5250 logger.debug("Received hlr_auc_gw request: " + data)
5251 fname = os.path.join(params['logdir'],
5252 'hlr_auc_gw.milenage_db')
5253 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
5255 stdout=subprocess.PIPE)
5256 res = cmd.stdout.read().strip()
5258 logger.debug("hlr_auc_gw response: " + res)
5259 socket.sendto(res, self.client_address)
# Swap the handler on the existing server rather than rebinding the socket.
5261 server.RequestHandlerClass = test_handler2
5263 dev[0].select_network(id)
5264 server.handle_request()
5265 dev[0].wait_connected()
5266 dev[0].request("DISCONNECT")
5267 dev[0].wait_disconnected()
5269 def test_eap_tls_sha512(dev, apdev, params):
5270 """EAP-TLS with SHA512 signature"""
# The `params` argument is shadowed immediately by the server parameters.
5271 params = int_eap_server_params()
# Server chain signed with SHA-512.
5272 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5273 params["server_cert"] = "auth_serv/sha512-server.pem"
5274 params["private_key"] = "auth_serv/sha512-server.key"
5275 hostapd.add_ap(apdev[0]['ifname'], params)
# dev[0] authenticates with a SHA-512 signed client certificate, dev[1]
# with a SHA-384 signed one, both chained to the same SHA-512 CA.
# NOTE(review): the closing argument line of each connect() call is
# missing from this listing.
5277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5278 identity="tls user sha512",
5279 ca_cert="auth_serv/sha512-ca.pem",
5280 client_cert="auth_serv/sha512-user.pem",
5281 private_key="auth_serv/sha512-user.key",
5283 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5284 identity="tls user sha512",
5285 ca_cert="auth_serv/sha512-ca.pem",
5286 client_cert="auth_serv/sha384-user.pem",
5287 private_key="auth_serv/sha384-user.key",
5290 def test_eap_tls_sha384(dev, apdev, params):
5291 """EAP-TLS with SHA384 signature"""
# The `params` argument is shadowed immediately by the server parameters.
5292 params = int_eap_server_params()
# Server certificate signed with SHA-384 under the SHA-512 CA.
5293 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5294 params["server_cert"] = "auth_serv/sha384-server.pem"
5295 params["private_key"] = "auth_serv/sha384-server.key"
5296 hostapd.add_ap(apdev[0]['ifname'], params)
# Same two client certificates as the SHA-512 test, against this server.
# NOTE(review): the closing argument line of each connect() call is
# missing from this listing.
5298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5299 identity="tls user sha512",
5300 ca_cert="auth_serv/sha512-ca.pem",
5301 client_cert="auth_serv/sha512-user.pem",
5302 private_key="auth_serv/sha512-user.key",
5304 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5305 identity="tls user sha512",
5306 ca_cert="auth_serv/sha512-ca.pem",
5307 client_cert="auth_serv/sha384-user.pem",
5308 private_key="auth_serv/sha384-user.key",
5311 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
5312 """WPA2-Enterprise AP and association request RSN IE differences"""
5313 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5314 hostapd.add_ap(apdev[0]['ifname'], params)
# Second AP requires management frame protection (ieee80211w=2).
5316 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
5317 params["ieee80211w"] = "2"
5318 hostapd.add_ap(apdev[1]['ifname'], params)
5320 # Success cases with optional RSN IE fields removed one by one
# Each hex string is the raw RSN element the station is forced to send
# via set_test_assoc_ie(): 0x30 = RSN element ID, then length, version 1,
# and 00-0f-ac suite selectors (04 = CCMP, 01 = IEEE 802.1X AKM,
# 06 = BIP-CMAC-128). The AP must still accept every truncated form.
# NOTE(review): the loop's logger line and the closing argument line of
# connect() are missing from this listing (same in the loops below).
5321 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5322 "30140100000fac040100000fac040100000fac010000"),
5323 ("Extra PMKIDCount field in RSN IE",
5324 "30160100000fac040100000fac040100000fac0100000000"),
5325 ("Extra Group Management Cipher Suite in RSN IE",
5326 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
5327 ("Extra undefined extension field in RSN IE",
5328 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
5329 ("RSN IE without RSN Capabilities",
5330 "30120100000fac040100000fac040100000fac01"),
5331 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
5332 ("RSN IE without pairwise", "30060100000fac04"),
5333 ("RSN IE without group", "30020100") ]
5334 for title, ie in tests:
5336 set_test_assoc_ie(dev[0], ie)
5337 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5338 identity="gpsk user",
5339 password="abcdefghijklmnop0123456789abcdef",
5341 dev[0].request("REMOVE_NETWORK all")
5342 dev[0].wait_disconnected()
# Accepted variants against the PMF-required AP (RSN capabilities 0xcc00
# carry the MFP bits; the second adds an explicit BIP-CMAC-128 group
# management cipher).
5344 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5345 "30140100000fac040100000fac040100000fac01cc00"),
5346 ("Group management cipher included in assoc req RSN IE",
5347 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
5348 for title, ie in tests:
5350 set_test_assoc_ie(dev[0], ie)
5351 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5352 eap="GPSK", identity="gpsk user",
5353 password="abcdefghijklmnop0123456789abcdef",
5355 dev[0].request("REMOVE_NETWORK all")
5356 dev[0].wait_disconnected()
# Rejection cases: (title, RSN IE, expected IEEE 802.11 status code).
# 00-0f-ac:02 (TKIP) is offered as group and pairwise cipher; the AP
# must reject the association with the status code named, not accept
# a downgrade to a cipher it does not advertise.
# NOTE(review): the `if ev is None:` guard before "Association
# rejection not reported" appears to have been dropped (both loops).
5358 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
5359 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
5360 for title, ie, status in tests:
5362 set_test_assoc_ie(dev[0], ie)
5363 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5364 identity="gpsk user",
5365 password="abcdefghijklmnop0123456789abcdef",
5366 scan_freq="2412", wait_connect=False)
5367 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5369 raise Exception("Association rejection not reported")
5370 if "status_code=" + str(status) not in ev:
5371 raise Exception("Unexpected status code: " + ev)
5372 dev[0].request("REMOVE_NETWORK all")
5373 dev[0].dump_monitor()
# PMF-required AP must refuse a station that does not enable MFP
# (capabilities 0000) or that offers a management group cipher the AP
# does not support; status 31 in both cases.
5375 tests = [ ("Management frame protection not enabled",
5376 "30140100000fac040100000fac040100000fac010000", 31),
5377 ("Unsupported management group cipher",
5378 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
5379 for title, ie, status in tests:
5381 set_test_assoc_ie(dev[0], ie)
5382 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5383 eap="GPSK", identity="gpsk user",
5384 password="abcdefghijklmnop0123456789abcdef",
5385 scan_freq="2412", wait_connect=False)
5386 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5388 raise Exception("Association rejection not reported")
5389 if "status_code=" + str(status) not in ev:
5390 raise Exception("Unexpected status code: " + ev)
5391 dev[0].request("REMOVE_NETWORK all")
5392 dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation: ca_cert is set, so
    # the peer validates the chain itself *and* asks the control interface
    # (tls_ext_cert_check=1) for a verdict. Only the network is added here;
    # run_ext_cert_check() brings up the AP and drives the exchange.
    net_cfg = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check requested via tls_ext_cert_check=1
    # is the only thing standing between the PAP password and a rogue
    # server. Only the network is added here; run_ext_cert_check() drives
    # the exchange.
    net_cfg = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "pap user",
        "anonymous_identity": "ttls",
        "password": "password",
        "phase2": "auth=PAP",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) in
    # addition to the external verdict requested via tls_ext_cert_check=1.
    # Only the network is added here; run_ext_cert_check() drives the
    # exchange.
    net_cfg = {
        "key_mgmt": "WPA-EAP",
        "eap": "PEAP",
        "identity": "user",
        "anonymous_identity": "peap",
        "ca_cert": "auth_serv/ca.pem",
        "password": "password",
        "phase2": "auth=MSCHAPV2",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
5427 def test_eap_fast_ext_cert_check(dev, apdev):
5428 """EAP-FAST and external server certification validation"""
5429 check_eap_capa(dev[0], "FAST")
5430 # With internal server certificate chain validation
# Clear any PAC left by an earlier run so provisioning happens afresh;
# fast_provisioning=2 selects authenticated provisioning, which is why
# the server certificate is checked at all.
# NOTE(review): one argument line of this connect() call (before
# only_add_network) is missing from this listing.
5431 dev[0].request("SET blob fast_pac_auth_ext ")
5432 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
5433 identity="user", anonymous_identity="FAST",
5434 ca_cert="auth_serv/ca.pem",
5435 password="password", phase2="auth=GTC",
5436 phase1="tls_ext_cert_check=1 fast_provisioning=2",
5437 pac_file="blob://fast_pac_auth_ext",
5439 only_add_network=True)
5440 run_ext_cert_check(dev, apdev, id)
5442 def run_ext_cert_check(dev, apdev, net_id):
# Drive the tls_ext_cert_check exchange for an already-configured network.
#
# Collects the server certificate chain from CTRL-EVENT-EAP-PEER-CERT
# events, checks the leaf and issuer subject CNs with pyOpenSSL, answers
# the CTRL-REQ-EXT_CERT_CHECK request with "good" and expects a
# connection; then reconnects, answers "bad" and expects EAP-Failure.
# That second half is the security-relevant assertion: a negative
# external verdict must not let the authentication complete.
#
# dev: station list; only dev[0] is used.  apdev: AP list; the test AP is
# started on apdev[0].  net_id: network id returned by connect().
# Raises HwsimSkip when the build or the pyOpenSSL module is unavailable.
#
# NOTE(review): several lines of this function are missing from this
# listing (the `certs`/`depth`/`cert` initialisation and `while` loop
# header, the `for v in vals` line, the `break`, the two presence checks
# on certs[0]/certs[1], the byte arguments to load_certificate, and the
# `if ev is None:` guards before each "not seen"/"not reported" raise).
5443 check_ext_cert_check_support(dev[0])
5444 if not openssl_imported:
5445 raise HwsimSkip("OpenSSL python method not available")
5447 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5448 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5450 dev[0].select_network(net_id)
# Loop until the external-check request arrives; an EAP-Success before
# it would mean the peer did not wait for the verdict.
5453 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
5454 "CTRL-REQ-EXT_CERT_CHECK",
5455 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5457 raise Exception("No peer server certificate event seen")
5458 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
# Event fields are space-separated key=value pairs; depth=0 is the
# server certificate, depth=1 its issuer; cert= is hex DER.
5461 vals = ev.split(' ')
5463 if v.startswith("depth="):
5464 depth = int(v.split('=')[1])
5465 elif v.startswith("cert="):
5466 cert = v.split('=')[1]
5467 if depth is not None and cert:
5468 certs[depth] = binascii.unhexlify(cert)
5469 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
5470 raise Exception("Unexpected EAP-Success")
5471 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
# Request id is the trailing number of the "CTRL-REQ-EXT_CERT_CHECK-<id>"
# prefix; it must be echoed back in the CTRL-RSP. `id` shadows the builtin.
5472 id = ev.split(':')[0].split('-')[-1]
5475 raise Exception("Server certificate not received")
5477 raise Exception("Server certificate issuer not received")
# Parse DER with pyOpenSSL and compare subject CNs against the test CA setup.
5479 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5481 cn = cert.get_subject().commonName
5482 logger.info("Server certificate CN=" + cn)
5484 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5486 icn = issuer.get_subject().commonName
5487 logger.info("Issuer certificate CN=" + icn)
5489 if cn != "server.w1.fi":
5490 raise Exception("Unexpected server certificate CN: " + cn)
5491 if icn != "Root CA":
5492 raise Exception("Unexpected server certificate issuer CN: " + icn)
# The peer must block on the external verdict; a success event within
# 100 ms means it proceeded without one.
5494 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
5496 raise Exception("Unexpected EAP-Success before external check result indication")
5498 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
5499 dev[0].wait_connected()
# Flush PMKSA so the reconnect runs a full EAP exchange (and so asks for
# a new verdict) instead of using the cached PMK; clearing the FAST PAC
# blob has the same effect for the EAP-FAST caller.
5501 dev[0].request("DISCONNECT")
5502 dev[0].wait_disconnected()
5503 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
5504 raise Exception("PMKSA_FLUSH failed")
5505 dev[0].request("SET blob fast_pac_auth_ext ")
5506 dev[0].request("RECONNECT")
# Negative verdict: authentication must fail, not fall through.
5508 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
5510 raise Exception("No peer server certificate event seen (2)")
5511 id = ev.split(':')[0].split('-')[-1]
5512 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
5513 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
5515 raise Exception("EAP-Failure not reported")
5516 dev[0].request("REMOVE_NETWORK all")
5517 dev[0].wait_disconnected()
5519 def test_eap_tls_errors(dev, apdev):
5520 """EAP-TLS error cases"""
5521 params = int_eap_server_params()
# Small EAP fragment size forces the peer to reassemble fragments, which
# is the code path the first alloc_fail targets.
5522 params['fragment_size'] = '100'
5523 hostapd.add_ap(apdev[0]['ifname'], params)
# Each block below injects one allocation failure at the named function
# (or "callee;caller" chain), starts a connection without waiting for it,
# and checks via wait_fail_trigger() that the failure was actually hit.
5524 with alloc_fail(dev[0], 1,
5525 "eap_peer_tls_reassemble_fragment"):
5526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5527 identity="tls user", ca_cert="auth_serv/ca.pem",
5528 client_cert="auth_serv/user.pem",
5529 private_key="auth_serv/user.key",
5530 wait_connect=False, scan_freq="2412")
5531 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5532 dev[0].request("REMOVE_NETWORK all")
5533 dev[0].wait_disconnected()
5535 with alloc_fail(dev[0], 1, "eap_tls_init"):
5536 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5537 identity="tls user", ca_cert="auth_serv/ca.pem",
5538 client_cert="auth_serv/user.pem",
5539 private_key="auth_serv/user.key",
5540 wait_connect=False, scan_freq="2412")
5541 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5542 dev[0].request("REMOVE_NETWORK all")
5543 dev[0].wait_disconnected()
# This case additionally expects a CTRL-REQ-PIN request after the
# failure.
# NOTE(review): one argument line of this connect() call is missing from
# this listing (presumably what makes the PIN request appear — confirm),
# as is the `if ev is None:` guard before "No CTRL-REQ-PIN seen".
5545 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
5546 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5547 identity="tls user", ca_cert="auth_serv/ca.pem",
5548 client_cert="auth_serv/user.pem",
5549 private_key="auth_serv/user.key",
5551 wait_connect=False, scan_freq="2412")
5552 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5553 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
5555 raise Exception("No CTRL-REQ-PIN seen")
5556 dev[0].request("REMOVE_NETWORK all")
5557 dev[0].wait_disconnected()
# Key/session-id derivation failures after a successful TLS handshake.
# NOTE(review): two list entries, the `for func in tests:` line and one
# argument line of the connect() call are missing from this listing.
5559 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
5560 "eap_peer_tls_derive_session_id;eap_tls_success",
5563 "eap_tls_get_session_id" ]
5565 with alloc_fail(dev[0], 1, func):
5566 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5567 identity="tls user", ca_cert="auth_serv/ca.pem",
5568 client_cert="auth_serv/user.pem",
5569 private_key="auth_serv/user.key",
5571 wait_connect=False, scan_freq="2412")
5572 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5573 dev[0].request("REMOVE_NETWORK all")
5574 dev[0].wait_disconnected()
# Server-only-authenticated TLS variants (no client certificate).
5576 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
5577 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5578 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5579 wait_connect=False, scan_freq="2412")
5580 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5581 dev[0].request("REMOVE_NETWORK all")
5582 dev[0].wait_disconnected()
5584 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
5585 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5586 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5587 wait_connect=False, scan_freq="2412")
5588 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5589 dev[0].request("REMOVE_NETWORK all")
5590 dev[0].wait_disconnected()
# WFA-UNAUTH-TLS (Hotspot 2.0 OSEN) variant of the same two failures.
5592 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
5593 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5594 eap="WFA-UNAUTH-TLS",
5595 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5596 wait_connect=False, scan_freq="2412")
5597 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5598 dev[0].request("REMOVE_NETWORK all")
5599 dev[0].wait_disconnected()
5601 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
5602 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5603 eap="WFA-UNAUTH-TLS",
5604 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5605 wait_connect=False, scan_freq="2412")
5606 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5607 dev[0].request("REMOVE_NETWORK all")
5608 dev[0].wait_disconnected()