1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger shared by the test functions below; they use logger.info()
# to mark the sub-steps of a test (e.g. "Negative test with incorrect key").
logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA tests need hostapd's HLR/AuC gateway; its presence is
    detected by the UNIX socket it listens on.

    Raises:
        HwsimSkip: when the socket is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test when *method* is not in the build's EAP capability list.

    Args:
        dev: WpaSupplicant instance to query (GET_CAPABILITY eap).
        method: EAP method name, e.g. "MSCHAPV2".

    Raises:
        HwsimSkip: when the method is not reported as supported.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the calling test unless the supplicant's TLS library is OpenSSL.

    The subject_match network option is only implemented in the OpenSSL
    backend, so the check is done on the "GET tls_library" reply.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the calling test unless the supplicant's TLS library is OpenSSL.

    altsubject_match (subjectAltName constraints on the server certificate)
    is only available with the OpenSSL backend.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the calling test unless the TLS library is OpenSSL.

    Used by tests that rely on domain_suffix_match accepting a suffix match;
    other TLS backends only support a full host name match.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the calling test unless the TLS library is OpenSSL.

    Server certificate probing (ca_cert="probe://") is OpenSSL-only.

    Raises:
        HwsimSkip: for any other TLS library.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the calling test when the TLS library is BoringSSL.

    Unlike the other check_* helpers this one is a deny-list: every backend
    except BoringSSL is assumed to support OCSP stapling here.

    Raises:
        HwsimSkip: when "BoringSSL" appears in the tls_library string.
    """
    tls = dev.request("GET tls_library")
    if "BoringSSL" not in tls:
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
57 with open(fname, "r") as f:
68 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Add the "test-wpa2-eap" network on *dev*, run the EAP exchange and return its network id.

    Args:
        dev: WpaSupplicant instance performing the connection.
        ap: apdev dict of the AP; its hostapd control interface is used to
            confirm the AP-STA-CONNECTED event.
        method: EAP method name passed as the network's eap= parameter.
        identity: EAP identity for the network block.
        sha256, expect_failure, local_error_report, maybe_local_error:
            forwarded to eap_check_auth().
        **kwargs: additional wpa_supplicant network parameters (password,
            ca_cert, phase2, anonymous_identity, ...).

    Returns:
        The network id allocated by dev.connect().

    Raises:
        Exception: when the EAP exchange does not end as expected, or when
            hostapd reports no AP-STA-CONNECTED within 5 s on success.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # Both AKM variants are offered so the same block works with or without
    # SHA256-based key management; ieee80211w="1" requests PMF as optional.
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    if expect_failure:
        return net_id
    # Success path: the AP side must also have seen the STA connect.
    if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
        raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow an EAP exchange on *dev* through its control-interface events.

    Args:
        dev: WpaSupplicant instance to observe.
        method: EAP method name that must appear in CTRL-EVENT-EAP-METHOD
            and in the STATUS selectedMethod field.
        initial: True on a fresh connection (wait for CTRL-EVENT-CONNECTED),
            False on reauthentication (wait for the key negotiation message).
        rsn: expect the WPA2 key_mgmt string rather than the WPA one.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt string.
        expect_failure: the exchange must end in CTRL-EVENT-EAP-FAILURE and a
            disconnection; the function then returns None.
        local_error_report: with expect_failure, do not insist on the
            disconnection carrying reason=23.
        maybe_local_error: tolerate the supplicant aborting on its own (an
            early EAP failure, or a locally generated disconnection).

    Returns:
        The STATUS dict on success, None on an expected/tolerated failure.

    Raises:
        Exception: on any timeout or on a mismatching event/status value.
    """
    def next_event(names, what, timeout=10):
        ev = dev.wait_event(names, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    next_event(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = next_event(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"],
                    "EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: the library default is used for the
        # failure event, as in the original.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            return
        # reason=23 is the IEEE 802.11 "802.1X authentication failed" code;
        # the AP must report the real cause unless a local report is allowed.
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    next_event(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
    done = ["CTRL-EVENT-CONNECTED"] if initial else ["WPA: Key negotiation completed"]
    next_event(done, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    if sha256:
        expected = "WPA2-EAP-SHA256"
    elif rsn:
        expected = "WPA2/IEEE 802.1X/EAP"
    else:
        expected = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and validate the resulting EAP exchange.

    Thin wrapper around eap_check_auth() with initial=False, so the
    completion marker is the key negotiation message rather than
    CTRL-EVENT-CONNECTED.

    Returns:
        Whatever eap_check_auth() returns (the STATUS dict on success).
    """
    dev.request("REAUTHENTICATE")
    return eap_check_auth(dev, method, False,
                          rsn=rsn, sha256=sha256, expect_failure=expect_failure)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # GSM-Milenage credential (Ki:OPc) matching the hlr_auc_gw test database
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    # NOTE(review): this third identity is expected to be rejected by the
    # test authentication server - confirm against the hlr_auc_gw database.
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # (log marker, password) pairs that must all be rejected: a wrong key,
    # then syntactically invalid Ki:OPc strings (short, non-hex, bad separator).
    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)
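def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server's fast re-authentication and pseudonym state lives in
    # this SQLite database; the statements below tamper with it to drive the
    # server through each re-authentication path. All statements are fixed
    # literals (no external input is interpolated).
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One transaction per test step; "with con" commits on exit.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    imsi = "1232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    try:
        # Use a separate local for the AP config instead of rebinding the
        # test's own `params` argument.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Non-default RADIUS port - presumably the SQL-backed server
        # instance of the test setup.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        # The original never closed the connection; release it explicitly
        # rather than leaving it to garbage collection.
        con.close()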
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values outside the accepted range must make the
    # method initialization fail before any exchange takes place.
    for phase1, suffix in (("sim_min_num_chal=1", ""), ("sim_min_num_chal=4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1=phase1, wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_error], timeout=10) is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted values: a valid minimum challenge count, and a pseudonym
    # supplied via anonymous_identity.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # The helper switches dev[0] to external SIM processing; always
        # restore the default so later tests are not affected.
        dev[0].request("SET external_sim 0")
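def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext (the caller resets external_sim).

    With external_sim enabled wpa_supplicant hands each GSM challenge to the
    control interface as CTRL-REQ-SIM-<id>:GSM-AUTH:... and expects a
    CTRL-RSP-SIM answer. This test feeds back a wrong-type response and a
    series of malformed GSM-AUTH responses; every case must end in
    CTRL-EVENT-EAP-FAILURE. The original unrolled the malformed cases six
    times; they are table-driven here.

    Raises:
        Exception: on any timeout, unexpected request type or rejected
            ctrl_iface command.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Wait for the next CTRL-REQ-SIM, check its type and return the
        # request id (4th '-'-separated field of "CTRL-REQ-SIM-<id>").
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':')
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    # Answer the GSM request with a UMTS-style (IK:CK:RES) response.
    # This will fail during processing, but the ctrl_iface command succeeds
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Malformed GSM-AUTH responses, in the original order; each must be
    # rejected during GSM auth validation.
    bad_responses = [
        ":GSM-AUTH:q",
        ":GSM-AUTH:34",
        ":GSM-AUTH:0011223344556677",
        ":GSM-AUTH:0011223344556677:q",
        ":GSM-AUTH:0011223344556677:00112233",
        ":GSM-AUTH:0011223344556677:00112233:q",
    ]
    for t in bad_responses:
        dev[0].dump_monitor()
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
        # The unrolled original skipped this after the last case; doing it
        # for every case leaves the STA in a known state for the caller.
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()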
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # alloc_fail() makes the count-th allocation inside milenage_f2345 fail;
    # walk counts 1..12. The method must still get selected and the
    # connection must fail cleanly (disconnect, no crash) each time.
    for count in range(1, 13):
        with alloc_fail(dev[0], count, "milenage_f2345"):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    # Milenage credential (K:OPc:SQN) matching the hlr_auc_gw test database
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (log marker, remove existing networks first, password); the original
    # only cleared the network list before some of the cases, kept as-is.
    bad_keys = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, clear, key in bad_keys:
        logger.info(label)
        if clear:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", imsi,
                expect_failure=True)
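def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server's fast re-authentication and pseudonym state lives in
    # this SQLite database; the statements below tamper with it to drive the
    # server through each re-authentication path. All statements are fixed
    # literals (no external input is interpolated).
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One transaction per test step; "with con" commits on exit.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    imsi = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    try:
        # Separate local for the AP config; do not rebind the test's own
        # `params` argument.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Non-default RADIUS port - presumably the SQL-backed server
        # instance of the test setup.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        # The original never closed the connection; release it explicitly
        # rather than leaving it to garbage collection.
        con.close()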
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # anonymous_identity is presumably sent as the outer identity so the
    # permanent IMSI is not exposed in the clear - confirm against the
    # supplicant's EAP-AKA identity handling.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # The helper switches dev[0] to external SIM processing; always
        # restore the default so later tests are not affected.
        dev[0].request("SET external_sim 0")
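def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext (the caller resets external_sim).

    With external_sim enabled wpa_supplicant hands each UMTS challenge to
    the control interface as CTRL-REQ-SIM-<id>:UMTS-AUTH:... and expects a
    CTRL-RSP-SIM answer. Three groups of answers are fed back: a response
    of the wrong type (GSM-AUTH), a resynchronization (UMTS-AUTS) round
    followed by a truncated AUTS, and a list of malformed UMTS-AUTH
    responses. Every group must end in CTRL-EVENT-EAP-FAILURE.

    Raises:
        Exception: on any timeout, unexpected request type or rejected
            ctrl_iface command.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Wait for the next CTRL-REQ-SIM, check its type and return the
        # request id (4th '-'-separated field of "CTRL-REQ-SIM-<id>").
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':')
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def respond(rid, suffix):
        # The ctrl_iface command itself must be accepted; the EAP-level
        # rejection is observed separately via expect_eap_failure().
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    rid = wait_umts_auth_req()
    # Answer the UMTS request with a GSM-AUTH response.
    # This will fail during processing, but the ctrl_iface command succeeds
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")
    rid = wait_umts_auth_req()
    # A full-length UMTS-AUTS is accepted and leads to another CTRL-REQ-SIM
    # (presumably the server re-challenges after the synchronization
    # failure); the truncated AUTS on that second round must be rejected.
    respond(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    rid = wait_umts_auth_req()
    respond(rid, ":UMTS-AUTS:12")
    expect_eap_failure()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()
    # Malformed UMTS-AUTH responses (wrong separators, lengths, non-hex);
    # each must be rejected during UMTS auth validation.
    # NOTE(review): the copy reviewed here appears to be missing one entry
    # of this list (between the first and second lines); confirm against
    # the canonical source before relying on the case coverage.
    tests = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
             ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for t in tests:
        dev[0].select_network(net_id, freq="2412")
        rid = wait_umts_auth_req()
        respond(rid, t)
        expect_eap_failure()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()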
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # With both methods enabled the peer must still complete the connection;
    # the bidding-down protection keeps it on AKA' rather than plain AKA.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
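def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The EAP server's fast re-authentication and pseudonym state lives in
    # this SQLite database; the statements below tamper with it to drive the
    # server through each re-authentication path. All statements are fixed
    # literals (no external input is interpolated).
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One transaction per test step; "with con" commits on exit.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    imsi = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    try:
        # Separate local for the AP config; do not rebind the test's own
        # `params` argument.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Non-default RADIUS port - presumably the SQL-backed server
        # instance of the test setup.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # AKA' keeps K_aut (not MK) in the reauth table; zeroing it must
        # make the next fast re-authentication fail.
        logger.info("AKA' reauth with mismatching k_aut")
        sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        # The original never closed the connection; release it explicitly
        # rather than leaving it to garbage collection.
        con.close()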
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # GET_CONFIG must list WPA-EAP as the first AKM of the AP
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password in the clear inside the tunnel, so ca_cert is
    # set to make the client validate the server certificate first.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Beyond the CA check, pin the server's subject DN and require the
    # listed subjectAltName entries; a server with the right CA but a
    # different identity would be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the PAP user, then a different user identity for
    # which "password" is not accepted; both must end in EAP failure with
    # the disconnection reason checked by eap_check_auth().
    attempts = ((dev[0], "pap user", "wrong"),
                (dev[1], "user", "password"))
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Uses the DER-encoded copy of the test CA (ca.der) rather than ca.pem
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as test_ap_wpa2_eap_ttls_chap but additionally constrains the
    # server certificate's subjectAltName entries (listed in a different
    # order than the PAP variant of this test).
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong password for the CHAP user, then a different user identity for
    # which "password" is not accepted; both must end in EAP failure.
    attempts = ((dev[0], "chap user", "wrong"),
                (dev[1], "user", "password"))
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # ca_cert plus domain_suffix_match: the server certificate must chain to
    # the test CA and carry a matching DNS name, so the MSCHAP exchange only
    # runs inside a tunnel to the intended server.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword argument (and closing parenthesis) of
    # this second eap_connect() call is missing from the copy reviewed here;
    # the call is left exactly as found.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password, a different user identity for which "password" is not
    # accepted, and an unknown user; all three must end in EAP failure.
    attempts = ((dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password"))
    for sta, user, pw in attempts:
        eap_connect(sta, apdev[0], "TTLS", user,
                    anonymous_identity="ttls", password=pw,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Besides trusting auth_serv/ca.pem, require the server certificate to
    # match the server.w1.fi suffix (the neg_suffix_match test in this file
    # covers the mismatch case, which must end in a TLS certificate error).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the authenticator's STA and EAPOL MIB counters on both sides of
    # the reauthentication so the re-run is proven to have been a real EAP
    # exchange as seen by the AP, not just a client-side state change.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, but the credential is supplied pre-hashed via password_hex
    # ("hash:" prefix) instead of as the cleartext password.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and a short domain_suffix_match"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # A parent-domain suffix ("w1.fi" rather than the full server.w1.fi) is
    # expected to be accepted for the server certificate.
    creds = dict(anonymous_identity="ttls",
                 password="password",
                 ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                domain_suffix_match="w1.fi", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # Full-domain match; the mixed-case "Server.w1.fi" is deliberate and is
    # expected to match the server certificate.
    creds = dict(anonymous_identity="ttls",
                 password="password",
                 ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                domain_match="Server.w1.fi", **creds)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
924 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
925 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
926 skip_with_fips(dev[0])
927 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
928 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
929 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
930 anonymous_identity="ttls", password="password1",
931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
933 eap_connect(dev[1], apdev[0], "TTLS", "user",
934 anonymous_identity="ttls", password="password",
935 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hostapd.Hostapd(ifname)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given in cleartext; the supplicant must get the
    # encoding right before hashing.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # The same scenario from the other direction: the client supplies the
    # pre-hashed form and the server side holds the UTF-8 password.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP method (GTC) inside the TTLS tunnel, as
    # opposed to the "auth=" non-EAP inner methods used by the other tests.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=GTC",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
962 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
963 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
964 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
965 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
966 eap_connect(dev[0], apdev[0], "TTLS", "user",
967 anonymous_identity="ttls", password="wrong",
968 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
971 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
972 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
973 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
974 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
975 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
980 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
981 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
982 params = int_eap_server_params()
983 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984 with alloc_fail(hapd, 1, "eap_gtc_init"):
985 eap_connect(dev[0], apdev[0], "TTLS", "user",
986 anonymous_identity="ttls", password="password",
987 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
989 dev[0].request("REMOVE_NETWORK all")
991 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
992 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
993 eap="TTLS", identity="user",
994 anonymous_identity="ttls", password="password",
995 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
996 wait_connect=False, scan_freq="2412")
997 # This would eventually time out, but we can stop after having reached
998 # the allocation failure.
1001 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the tunneled inner method; it is only acceptable here because
    # the outer TTLS tunnel (server-authenticated via ca.pem) protects it.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=MD5",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: a wrong inner password must produce an EAP failure, so
    # eap_connect is told to expect one.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True,
                phase2="autheap=MD5",
                anonymous_identity="ttls",
                password="wrong",
                ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is a server-side account with no password configured;
    # the inner MD5 exchange must fail rather than accept anything.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True,
                phase2="autheap=MD5",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem")
1035 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1036 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1037 check_eap_capa(dev[0], "MD5")
1038 params = int_eap_server_params()
1039 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1040 with alloc_fail(hapd, 1, "eap_md5_init"):
1041 eap_connect(dev[0], apdev[0], "TTLS", "user",
1042 anonymous_identity="ttls", password="password",
1043 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1044 expect_failure=True)
1045 dev[0].request("REMOVE_NETWORK all")
1047 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1048 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1049 eap="TTLS", identity="user",
1050 anonymous_identity="ttls", password="password",
1051 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1052 wait_connect=False, scan_freq="2412")
1053 # This would eventually time out, but we can stop after having reached
1054 # the allocation failure.
1057 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same network block, one-character-off password: must end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password1", expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a configured password on the server side; the inner
    # MSCHAPv2 exchange must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True,
                phase2="autheap=MSCHAPV2",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.pem")
1088 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1089 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1090 check_eap_capa(dev[0], "MSCHAPV2")
1091 params = int_eap_server_params()
1092 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1093 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1094 eap_connect(dev[0], apdev[0], "TTLS", "user",
1095 anonymous_identity="ttls", password="password",
1096 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1097 expect_failure=True)
1098 dev[0].request("REMOVE_NETWORK all")
1100 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1101 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1102 eap="TTLS", identity="user",
1103 anonymous_identity="ttls", password="password",
1104 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1105 wait_connect=False, scan_freq="2412")
1106 # This would eventually time out, but we can stop after having reached
1107 # the allocation failure.
1110 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1112 dev[0].request("REMOVE_NETWORK all")
1114 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1115 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1116 eap="TTLS", identity="user",
1117 anonymous_identity="ttls", password="password",
1118 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1119 wait_connect=False, scan_freq="2412")
1120 # This would eventually time out, but we can stop after having reached
1121 # the allocation failure.
1124 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1126 dev[0].request("REMOVE_NETWORK all")
1128 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1129 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1130 eap="TTLS", identity="user",
1131 anonymous_identity="ttls", password="wrong",
1132 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1133 wait_connect=False, scan_freq="2412")
1134 # This would eventually time out, but we can stop after having reached
1135 # the allocation failure.
1138 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1140 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The IMSI-style identity is tunneled inside TTLS; the password string
    # holds the simulated USIM secrets (presumably Ki:OPc:SQN for the
    # hlr_auc_gw test database - verify against that config).
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                phase2="autheap=AKA",
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credentials as the TTLS/EAP-AKA test, but carried
    # as the PEAP inner method (phase2 "auth=" here, not "autheap=").
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                phase2="auth=AKA",
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # EAP-FAST needs a PAC; it is provisioned here (fast_provisioning=2) and
    # kept in a config blob so the reauth path can reuse it.
    fast_opts = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                phase2="auth=AKA",
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem",
                **fast_opts)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # Re-run with a small EAP fragment_size to exercise the reassembly path of
    # the tunneled exchange.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user; the credential is supplied pre-hashed via password_hex
    # ("hash:" prefix) instead of as the cleartext password.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # One-character-off password must end in EAP failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner identity in DOMAIN\user form; the server side is expected to
    # strip or match the domain prefix.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
                phase2="auth=MSCHAPV2",
                anonymous_identity="peap",
                password="password",
                ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: wrong inner password, EAP failure is the expected result.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                expect_failure=True,
                phase2="auth=MSCHAPV2",
                anonymous_identity="peap",
                password="wrong",
                ca_cert="auth_serv/ca.pem")
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password",
                  ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # crypto_binding=2 makes the PEAPv0 cryptobinding TLV mandatory on the
    # client; this station must complete the exchange and pass traffic.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # The other two stations cover the optional (1) and disabled (0) settings
    # against the same server.
    for sta, phase1 in ((dev[1], "peapver=0 crypto_binding=1"),
                        (dev[2], "peapver=0 crypto_binding=0")):
        eap_connect(sta, apdev[0], "PEAP", "user", phase1=phase1, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Force the first allocation in the server's eap_mschapv2_getKey to fail:
    # without the inner-method key the mandatory cryptobinding cannot be
    # produced, and the client must fail the authentication rather than
    # fall back to an unbound tunnel. local_error_report=True because the
    # failure is detected on the client side.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user",
                    expect_failure=True, local_error_report=True,
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    password="password",
                    ca_cert="auth_serv/ca.pem")
1256 def test_ap_wpa2_eap_peap_params(dev, apdev):
1257 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1258 check_eap_capa(dev[0], "MSCHAPV2")
1259 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1260 hostapd.add_ap(apdev[0]['ifname'], params)
1261 eap_connect(dev[0], apdev[0], "PEAP", "user",
1262 anonymous_identity="peap", password="password",
1263 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1264 phase1="peapver=0 peaplabel=1",
1265 expect_failure=True)
1266 dev[0].request("REMOVE_NETWORK all")
1267 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1268 ca_cert="auth_serv/ca.pem",
1269 phase1="peap_outer_success=1",
1270 phase2="auth=MSCHAPV2")
1271 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1272 ca_cert="auth_serv/ca.pem",
1273 phase1="peap_outer_success=2",
1274 phase2="auth=MSCHAPV2")
1275 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1277 anonymous_identity="peap", password="password",
1278 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1279 phase1="peapver=1 peaplabel=1",
1280 wait_connect=False, scan_freq="2412")
1281 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1283 raise Exception("No EAP success seen")
1284 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1286 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based inner method: the *2 parameters configure the TLS
    # client credentials used inside the PEAP tunnel, separate from the outer
    # tunnel's ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                phase2="auth=TLS", ca_cert="auth_serv/ca.pem", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication from files (the blob and PKCS#12
    # variants below load the same material through other paths).
    client_creds = dict(client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem", **client_creds)
    eap_reauth(dev[0], "TLS")
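def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA certificate, client certificate and private key are pushed into
    # wpa_supplicant as named blobs (hex-encoded over the control interface)
    # and then referenced with blob:// URIs instead of file paths.
    cert = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    cert = read_pem("auth_serv/user.pem")
    if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
        raise Exception("Could not set usercert blob")
    key = read_pem("auth_serv/user.rsa-key")
    if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
        # Previously reported "cacert", which misattributed a failure to load
        # the private key blob to the CA certificate.
        raise Exception("Could not set userkey blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")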
1325 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1326 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1327 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1328 hostapd.add_ap(apdev[0]['ifname'], params)
1329 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1330 private_key="auth_serv/user.pkcs12",
1331 private_key_passwd="whatever")
1332 dev[0].request("REMOVE_NETWORK all")
1333 dev[0].wait_disconnected()
1335 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1336 identity="tls user",
1337 ca_cert="auth_serv/ca.pem",
1338 private_key="auth_serv/user.pkcs12",
1339 wait_connect=False, scan_freq="2412")
1340 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1342 raise Exception("Request for private key passphrase timed out")
1343 id = ev.split(':')[0].split('-')[-1]
1344 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1345 dev[0].wait_connected(timeout=10)
1346 dev[0].request("REMOVE_NETWORK all")
1347 dev[0].wait_disconnected()
1349 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1350 # different files to cover both cases of the extra certificate being the
1351 # one that signed the client certificate and it being unrelated to the
1352 # client certificate.
1353 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1355 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1356 ca_cert="auth_serv/ca.pem",
1358 private_key_passwd="whatever")
1359 dev[0].request("REMOVE_NETWORK all")
1360 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 bundle is binary, so it is read raw rather than via read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12_hex = f.read().encode("hex")
    if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
        raise Exception("Could not set pkcs12 blob")
    # Both client certificate and key come from the one PKCS#12 blob, which
    # is protected by the passphrase given as private_key_passwd.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1376 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1377 """WPA2-Enterprise negative test - incorrect trust root"""
1378 check_eap_capa(dev[0], "MSCHAPV2")
1379 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1380 hostapd.add_ap(apdev[0]['ifname'], params)
1381 cert = read_pem("auth_serv/ca-incorrect.pem")
1382 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1383 raise Exception("Could not set cacert blob")
1384 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386 password="password", phase2="auth=MSCHAPV2",
1387 ca_cert="blob://cacert",
1388 wait_connect=False, scan_freq="2412")
1389 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1390 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1391 password="password", phase2="auth=MSCHAPV2",
1392 ca_cert="auth_serv/ca-incorrect.pem",
1393 wait_connect=False, scan_freq="2412")
1395 for dev in (dev[0], dev[1]):
1396 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1398 raise Exception("Association and EAP start timed out")
1400 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1402 raise Exception("EAP method selection timed out")
1403 if "TTLS" not in ev:
1404 raise Exception("Unexpected EAP method")
1406 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1407 "CTRL-EVENT-EAP-SUCCESS",
1408 "CTRL-EVENT-EAP-FAILURE",
1409 "CTRL-EVENT-CONNECTED",
1410 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1412 raise Exception("EAP result timed out")
1413 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1414 raise Exception("TLS certificate error not reported")
1416 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1417 "CTRL-EVENT-EAP-FAILURE",
1418 "CTRL-EVENT-CONNECTED",
1419 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1421 raise Exception("EAP result(2) timed out")
1422 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1423 raise Exception("EAP failure not reported")
1425 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1426 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1428 raise Exception("EAP result(3) timed out")
1429 if "CTRL-EVENT-DISCONNECTED" not in ev:
1430 raise Exception("Disconnection not reported")
1432 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1434 raise Exception("Network block disabling not reported")
1436 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1437 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1438 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1439 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1440 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441 identity="pap user", anonymous_identity="ttls",
1442 password="password", phase2="auth=PAP",
1443 ca_cert="auth_serv/ca.pem",
1444 wait_connect=True, scan_freq="2412")
1445 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1446 identity="pap user", anonymous_identity="ttls",
1447 password="password", phase2="auth=PAP",
1448 ca_cert="auth_serv/ca-incorrect.pem",
1449 only_add_network=True, scan_freq="2412")
1451 dev[0].request("DISCONNECT")
1452 dev[0].wait_disconnected()
1453 dev[0].dump_monitor()
1454 dev[0].select_network(id, freq="2412")
1456 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1458 raise Exception("EAP-TTLS not re-started")
1460 ev = dev[0].wait_disconnected(timeout=15)
1461 if "reason=23" not in ev:
1462 raise Exception("Proper reason code for disconnection not reported")
1464 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1465 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1466 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1467 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1469 identity="pap user", anonymous_identity="ttls",
1470 password="password", phase2="auth=PAP",
1471 wait_connect=True, scan_freq="2412")
1472 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1473 identity="pap user", anonymous_identity="ttls",
1474 password="password", phase2="auth=PAP",
1475 ca_cert="auth_serv/ca-incorrect.pem",
1476 only_add_network=True, scan_freq="2412")
1478 dev[0].request("DISCONNECT")
1479 dev[0].wait_disconnected()
1480 dev[0].dump_monitor()
1481 dev[0].select_network(id, freq="2412")
1483 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1485 raise Exception("EAP-TTLS not re-started")
1487 ev = dev[0].wait_disconnected(timeout=15)
1488 if "reason=23" not in ev:
1489 raise Exception("Proper reason code for disconnection not reported")
1491 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1492 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1494 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1495 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1496 identity="pap user", anonymous_identity="ttls",
1497 password="password", phase2="auth=PAP",
1498 ca_cert="auth_serv/ca.pem",
1499 wait_connect=True, scan_freq="2412")
1500 dev[0].request("DISCONNECT")
1501 dev[0].wait_disconnected()
1502 dev[0].dump_monitor()
1503 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1504 dev[0].select_network(id, freq="2412")
1506 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1508 raise Exception("EAP-TTLS not re-started")
1510 ev = dev[0].wait_disconnected(timeout=15)
1511 if "reason=23" not in ev:
1512 raise Exception("Proper reason code for disconnection not reported")
1514 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1515 """WPA2-Enterprise negative test - domain suffix mismatch"""
1516 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1517 hostapd.add_ap(apdev[0]['ifname'], params)
1518 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1519 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1520 password="password", phase2="auth=MSCHAPV2",
1521 ca_cert="auth_serv/ca.pem",
1522 domain_suffix_match="incorrect.example.com",
1523 wait_connect=False, scan_freq="2412")
1525 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1527 raise Exception("Association and EAP start timed out")
1529 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1531 raise Exception("EAP method selection timed out")
1532 if "TTLS" not in ev:
1533 raise Exception("Unexpected EAP method")
1535 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1536 "CTRL-EVENT-EAP-SUCCESS",
1537 "CTRL-EVENT-EAP-FAILURE",
1538 "CTRL-EVENT-CONNECTED",
1539 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1541 raise Exception("EAP result timed out")
1542 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1543 raise Exception("TLS certificate error not reported")
1544 if "Domain suffix mismatch" not in ev:
1545 raise Exception("Domain suffix mismatch not reported")
1547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1548 "CTRL-EVENT-EAP-FAILURE",
1549 "CTRL-EVENT-CONNECTED",
1550 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1552 raise Exception("EAP result(2) timed out")
1553 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1554 raise Exception("EAP failure not reported")
1556 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1557 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1559 raise Exception("EAP result(3) timed out")
1560 if "CTRL-EVENT-DISCONNECTED" not in ev:
1561 raise Exception("Disconnection not reported")
1563 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1565 raise Exception("Network block disabling not reported")
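def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    The station is configured with domain_match="w1.fi", which does not match
    the certificate presented by the test authentication server. The expected
    sequence is: EAP-TTLS is selected, the TLS handshake is rejected with a
    "Domain mismatch" certificate error, EAP fails, the station disconnects
    and wpa_supplicant temporarily disables the network block. Any other
    outcome (in particular a successful connection) is a test failure.
    """
    # NOTE(review): the "if ev is None:" guards that follow each wait_event()
    # were lost in the source paste and have been restored from context.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" keeps the backslash literal; the original "\m" is not a valid
    # escape sequence and only worked because Python passes it through.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first result event; success or a
    # plain failure/disconnect without it would mean domain_match was ignored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")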
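def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN whose CN (example.com) does not match the
    authentication server's certificate. With OpenSSL the handshake must be
    rejected with a "Subject mismatch" certificate error followed by EAP
    failure, disconnection and temporary disabling of the network block.
    With other TLS libraries subject_match is not supported; the EAP method
    then fails to initialize, which is also a (safe) failing outcome.
    """
    # NOTE(review): the "if ev is None:" guards and the early "return" on the
    # unsupported-TLS-library path were lost in the source paste; restored
    # from context.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" keeps the backslash literal; "\m" is not a valid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Initialization failure is only acceptable when the TLS library does
        # not implement subject_match at all.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")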
# WPA2-Enterprise negative test: each altsubject_match value in `tests` is
# expected NOT to match the authentication server's certificate; the per-value
# check is delegated to _test_ap_wpa2_eap_tls_neg_altsubject_match().
# NOTE(review): this block is a whitespace-mangled paste. The list continues
# on source lines 1687-1688 (not visible here) and the "for match in tests:"
# loop header on line 1689 is missing; the code is left as-is rather than
# reconstructed, because the lost list entries cannot be recovered from here.
1680 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1681 """WPA2-Enterprise negative test - altsubject mismatch"""
1682 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1683 hostapd.add_ap(apdev[0]['ifname'], params)
# First entry has no type prefix; the second uses the explicit "DNS:" form.
1685 tests = [ "incorrect.example.com",
1686 "DNS:incorrect.example.com",
# Loop body (one negative connection attempt per match string).
1690 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
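def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one negative altsubject_match attempt against the already started AP.

    Args:
        dev: list of station instances; only dev[0] is used.
        apdev: AP device list (unused here, kept for a uniform signature).
        match: altsubject_match value expected NOT to match the server cert.

    With OpenSSL the expected sequence is a TLS certificate error mentioning
    "AltSubject mismatch", then EAP failure, disconnection and temporary
    disabling of the network block. With other TLS libraries the EAP method
    fails to initialize instead, which is logged and treated as success. The
    network block is removed at the end so the caller can loop.
    """
    # NOTE(review): the "if ev is None:" guards and the early "return" on the
    # unsupported-TLS-library path were lost in the source paste; restored
    # from context.
    # "\\m" keeps the backslash literal; "\m" is not a valid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")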
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Starts an AP with the default WPA2-Enterprise parameters, connects dev[0]
    with EAP-UNAUTH-TLS validating the server against auth_serv/ca.pem, and
    then checks that a reauthentication with the same method succeeds.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
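def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises server certificate pinning in three steps:
      1. ca_cert="probe://" makes wpa_supplicant report the server certificate
         (CTRL-EVENT-EAP-PEER-CERT depth=0 with its hash) and then abort the
         handshake with a "Server certificate chain probe" error.
      2. ca_cert="hash://server/sha256/<non-matching hash>" must be rejected
         with a "Server certificate mismatch" error and a disconnection.
      3. ca_cert="hash://server/sha256/<probed hash>" must authenticate.
    """
    # NOTE(review): the "if ev is None:" guards after each wait_event() were
    # lost in the source paste and have been restored from context.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 of the test server certificate; the probe step must report it.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe the server certificate chain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a pinned hash that does not match the server certificate.
    # "\\m" keeps the backslash literal; "\m" is not a valid escape sequence.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash learned in step 1 and connect successfully.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")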
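def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed ca_cert="hash://server/..." values are tried in parallel
    on dev[0], dev[1] and dev[2]: an unsupported digest name (md5), a SHA-256
    value that is too short, and one containing a non-hex character. Each one
    must make EAP-TTLS initialization fail rather than silently fall back to
    weaker (or no) server certificate validation.
    """
    # NOTE(review): the "if ev is None:" guards after each wait_event() were
    # lost in the source paste and have been restored from context.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    invalid_ca_certs = [
        # digest other than sha256
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # 62 hex digits instead of the 64 a SHA-256 value needs
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # trailing non-hex character
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" keeps the backslash literal; "\m" is not a valid escape sequence.
    for i, ca_cert in enumerate(invalid_ca_certs):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=ca_cert,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(invalid_ca_certs)):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")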
# EAP-pwd (password-authenticated key exchange) connection test: a normal
# connection with reauthentication, a connection with a very long identity
# (dev[1]), a negative test with a wrong password (dev[2]) and a second
# long-identity connection on dev[0].
# NOTE(review): this block is a whitespace-mangled paste. The closing lines of
# the two long-identity eap_connect() calls (source lines 1845 and 1854) are
# missing, so any extra keyword arguments they carried cannot be recovered
# here; the code is left as-is rather than reconstructed.
1833 def test_ap_wpa2_eap_pwd(dev, apdev):
1834 """WPA2-Enterprise connection using EAP-pwd"""
1835 check_eap_capa(dev[0], "PWD")
1836 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1837 hostapd.add_ap(apdev[0]['ifname'], params)
1838 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1839 eap_reauth(dev[0], "PWD")
1840 dev[0].request("REMOVE_NETWORK all")
# Long identity: exercises identity handling near the EAP fragment boundary
# (presumably; the trailing argument line is missing).
1842 eap_connect(dev[1], apdev[0], "PWD",
1843 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1844 password="secret password",
# Wrong password must fail; local_error_report=True means the failure is
# expected to be detected on the station side.
1847 logger.info("Negative test with incorrect password")
1848 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1849 expect_failure=True, local_error_report=True)
1851 eap_connect(dev[0], apdev[0], "PWD",
1852 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1853 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    dev[0] authenticates as "pwd-hash" with a plaintext password and dev[1]
    as the same user with the credential supplied as an NT hash via
    password_hex="hash:..." (presumably how the server stores it). dev[2]
    supplies that hash for the unrelated "pwd user" identity and must be
    rejected.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
# Connects with EAP-pwd once per configured server-side pwd_group (IANA group
# ids, presumably ECC groups) and tolerates a connection failure for group 25
# when the TLS library is BoringSSL.
# NOTE(review): this block is a whitespace-mangled paste. The try/except
# framing around eap_connect() and the tail of the except handler (source
# lines 1880, 1883, 1887-1890, presumably including a continue/re-raise) are
# missing; the code is left as-is rather than reconstructed.
1869 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1870 """WPA2-Enterprise connection using various EAP-pwd groups"""
1871 check_eap_capa(dev[0], "PWD")
# Read once; used below to decide whether a group 25 failure is tolerated.
1872 tls = dev[0].request("GET tls_library")
1873 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1874 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1875 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1876 for i in [ 19, 20, 21, 25, 26 ]:
# The same params dict is reused; only pwd_group changes per iteration and
# the AP is (re)started with it.
1877 params['pwd_group'] = str(i)
1878 hostapd.add_ap(apdev[0]['ifname'], params)
1879 dev[0].request("REMOVE_NETWORK all")
1881 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1882 password="secret password")
# Exception handler body (header line missing): only group 25 with BoringSSL
# is an accepted failure.
1884 if "BoringSSL" in tls and i in [ 25 ]:
1885 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
1886 dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The server is configured with pwd_group="0", which is not a usable group,
    so the station's EAP-pwd attempt must end in CTRL-EVENT-EAP-FAILURE.
    """
    # NOTE(review): the "if ev is None:" guard after wait_event() was lost in
    # the source paste and has been restored from context.
    check_eap_capa(dev[0], "PWD")
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "pwd_group": "0",
    }
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout here, as in the original: the default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
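def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The authentication server is configured with a very small
    fragment_size so that EAP-pwd messages have to be fragmented on the
    server side; the station must still complete the exchange.
    """
    # The original first built params with hostapd.wpa2_eap_params() and then
    # immediately replaced the dict; that dead assignment is dropped here.
    check_eap_capa(dev[0], "PWD")
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "pwd_group": "19",
        # 40 octets forces fragmentation of the EAP-pwd exchange
        "fragment_size": "40",
    }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")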
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with EAP-GPSK and reauthenticates, then forces each supported
    cipher suite via phase1="cipher=N" and expects EAP success and a
    connection for cipher=1 and cipher=2, while cipher=9 must make the
    negotiation fail. Finally a wrong password must be rejected.
    """
    # NOTE(review): the "if ev is None:" guards after wait_event() were lost
    # in the source paste and have been restored from context.
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        # Changing phase1 on the live network block triggers a new EAP round.
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects with EAP-SAKE using a 32-octet key given as password_hex,
    reauthenticates, and then verifies that a key differing in the first
    octet is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with EAP-EKE and reauthenticates, then forces several
    dhgroup/encr/prf/mac combinations through phase1 and expects each to
    succeed and reconnect. An all-invalid proposal (dhgroup=9 encr=9 prf=9
    mac=9) must make EAP fail, and finally a wrong password must be rejected.
    """
    # NOTE(review): the "if ev is None:" guards after wait_event() were lost
    # in the source paste and have been restored from context.
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, ap, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ("dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1")
    for proposal in proposals:
        # Changing phase1 on the live network block triggers a new EAP round.
        sta.set_network_quoted(net_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the integrated EAP server parameters with server_id set to an
    NAI-style value and checks that an EAP-EKE connection still succeeds.
    """
    ap = apdev[0]
    params = int_eap_server_params()
    params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
# Server-side memory-allocation-failure robustness test for EAP-EKE: every
# listed allocation point in the hostapd EAP-EKE implementation is made to
# fail once (via alloc_fail on hapd) and the authentication must fail cleanly
# instead of crashing the server. A final loop walks allocation failures in
# eap_server_sm_step until the injected failure no longer triggers.
# NOTE(review): this block is a whitespace-mangled paste and is left as-is.
# Missing source lines include the polling loops around the GET_ALLOC_FAIL
# checks (2031-2032, 2046-2047), their break statements (2034, 2049), the
# "try:" at 2038, the minimum-count threshold check at 2053 and the
# break/re-raise at 2056-2057; those cannot be reconstructed from here.
# Also note "except Exception, e:" is Python 2-only syntax.
1995 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1996 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1997 params = int_eap_server_params()
1998 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1999 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Phase 1: failures in message build/process handlers; eap_connect() is
# expected to observe an authentication failure for each.
2001 for count,func in [ (1, "eap_eke_build_commit"),
2002 (2, "eap_eke_build_commit"),
2003 (3, "eap_eke_build_commit"),
2004 (1, "eap_eke_build_confirm"),
2005 (2, "eap_eke_build_confirm"),
2006 (1, "eap_eke_process_commit"),
2007 (2, "eap_eke_process_commit"),
2008 (1, "eap_eke_process_confirm"),
2009 (1, "eap_eke_process_identity"),
2010 (2, "eap_eke_process_identity"),
2011 (3, "eap_eke_process_identity"),
2012 (4, "eap_eke_process_identity") ]:
2013 with alloc_fail(hapd, count, func):
2014 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2015 expect_failure=True)
2016 dev[0].request("REMOVE_NETWORK all")
# Phase 2: failures in init/key/identity paths; the station is not expected
# to reach a result, so the test only waits until the allocation failure has
# been hit (GET_ALLOC_FAIL count reaching 0) and then removes the network.
# "wrong" is used for eap_eke_build_failure so that the failure path is taken.
2018 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2019 (1, "eap_eke_get_session_id", "hello"),
2020 (1, "eap_eke_getKey", "hello"),
2021 (1, "eap_eke_build_msg", "hello"),
2022 (1, "eap_eke_build_failure", "wrong"),
2023 (1, "eap_eke_build_identity", "hello"),
2024 (2, "eap_eke_build_identity", "hello") ]:
2025 with alloc_fail(hapd, count, func):
2026 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2027 eap="EKE", identity="eke user", password=pw,
2028 wait_connect=False, scan_freq="2412")
2029 # This would eventually time out, but we can stop after having
2030 # reached the allocation failure.
2033 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2035 dev[0].request("REMOVE_NETWORK all")
# Phase 3: sweep allocation failures in the server state machine step
# function. `pw` here is whatever the previous loop left behind ("hello"
# from its last tuple), not a freshly assigned value.
2037 for count in range(1, 1000):
2039 with alloc_fail(hapd, count, "eap_server_sm_step"):
2040 dev[0].connect("test-wpa2-eap",
2041 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2042 eap="EKE", identity="eke user", password=pw,
2043 wait_connect=False, scan_freq="2412")
2044 # This would eventually time out, but we can stop after having
2045 # reached the allocation failure.
2048 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2050 dev[0].request("REMOVE_NETWORK all")
# The sweep ends when alloc_fail reports that the injected failure was never
# reached; too few iterations before that point is treated as a test error.
2051 except Exception, e:
2052 if str(e) == "Allocation failure did not trigger":
2054 raise Exception("Too few allocation failures")
2055 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects with EAP-IKEv2 and reauthenticates, repeats the connection with
    station-side fragment_size="50" to exercise fragmentation, and finally
    checks that a wrong password is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    check_eap_capa(sta, "IKEV2")
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
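def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The authentication server is configured with fragment_size="50" so the
    EAP-IKEv2 exchange is fragmented on the server side; the station must
    still connect and reauthenticate.
    """
    # The original first built params with hostapd.wpa2_eap_params() and then
    # immediately replaced the dict; that dead assignment is dropped here.
    check_eap_capa(dev[0], "IKEV2")
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        # small server-side fragment size to force fragmentation
        "fragment_size": "50",
    }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")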
# Station-side robustness test for EAP-IKEv2: allocation failures are injected
# into the Diffie-Hellman helpers (alloc_fail) and a random-number failure into
# dh_init (fail_test); each attempt must at least reach EAP method selection
# and then be torn down once the injected failure has been hit.
# NOTE(review): this block is a whitespace-mangled paste and is left as-is.
# Missing source lines include one entry of the first `tests` list (2096), the
# "if ev is None:" guards (2104, 2119) and the polling loops around the
# GET_ALLOC_FAIL / GET_FAIL checks (2106, 2108-2109, 2121, 2123-2124).
2089 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2090 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2091 check_eap_capa(dev[0], "IKEV2")
2092 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2093 hostapd.add_ap(apdev[0]['ifname'], params)
# (count, function) pairs for alloc_fail; the list continues on a lost line.
2095 tests = [ (1, "dh_init"),
2097 (1, "dh_derive_shared") ]
2098 for count, func in tests:
2099 with alloc_fail(dev[0], count, func):
2100 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2101 identity="ikev2 user", password="ike password",
2102 wait_connect=False, scan_freq="2412")
2103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2105 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL means the injected failure has been consumed.
2107 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2110 dev[0].request("REMOVE_NETWORK all")
# Same pattern with fail_test: "os_get_random;dh_init" fails the RNG call
# made from dh_init.
2112 tests = [ (1, "os_get_random;dh_init") ]
2113 for count, func in tests:
2114 with fail_test(dev[0], count, func):
2115 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2116 identity="ikev2 user", password="ike password",
2117 wait_connect=False, scan_freq="2412")
2118 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2120 raise Exception("EAP method not selected")
2122 if "0:" in dev[0].request("GET_FAIL"):
2125 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects with EAP-PAX using a 16-octet key given as password_hex,
    reauthenticates, and then checks that a key differing in the first octet
    is rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP requires WPA-EAP-SHA256 with management frame protection
    (ieee80211w=2). After an EAP-PSK connection and reauthentication the MIB
    must show the SHA-256 AKM suite 00-0f-ac-5 and the BSS table entry must
    carry the [WPA2-EAP-SHA256-CCMP] flag. A wrong key must be rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")]
    check_mib(sta, expected_mib)

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
# Station-side robustness test for EAP-PSK: allocation failures are injected
# into the AES-EAX / OMAC1 primitives used by the method. Each attempt must
# reach EAP method selection and is torn down once the injected failure has
# been consumed; a failure in aes_128_encrypt_block must surface as an EAP
# failure event.
# NOTE(review): this block is a whitespace-mangled paste and is left as-is.
# Missing source lines include the "if ev is None:" guards (2188, 2202) and
# the polling loop around the GET_ALLOC_FAIL check (2190, 2192-2193).
2165 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2166 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2167 skip_with_fips(dev[0])
2168 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2169 hostapd.add_ap(apdev[0]['ifname'], params)
# alloc_fail targets: "a;b" presumably means "fail in a when called from b";
# "=name" presumably restricts the failure to name itself — verify against
# utils.alloc_fail.
2170 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2171 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2172 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2173 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2174 (1, "=aes_128_eax_encrypt"),
2175 (1, "omac1_aes_vector"),
2176 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2177 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2178 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2179 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2180 (1, "=aes_128_eax_decrypt") ]
2181 for count, func in tests:
2182 with alloc_fail(dev[0], count, func):
2183 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2184 identity="psk.user@example.com",
2185 password_hex="0123456789abcdef0123456789abcdef",
2186 wait_connect=False, scan_freq="2412")
2187 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2189 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL means the injected failure has been consumed.
2191 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2194 dev[0].request("REMOVE_NETWORK all")
# A failing block cipher call must not leave the method hanging.
2196 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2197 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2198 identity="psk.user@example.com",
2199 password_hex="0123456789abcdef0123456789abcdef",
2200 wait_connect=False, scan_freq="2412")
2201 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2203 raise Exception("EAP method failure not reported")
2204 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not WPA2) with EAP-PEAP and inner EAP-MSCHAPv2. After the connection
    the test checks data connectivity, reauthentication, the WPA AKM suite
    00-50-f2-1 in the MIB, and two STATUS-VERBOSE fields: portControl must be
    "Auto" and eap_session_id must start with "19" (presumably the hex EAP
    type of PEAP, 25).
    """
    # NOTE(review): the closing argument line of this connect() call was lost
    # in the source paste; scan_freq="2412" matches every other connect() in
    # this file — verify against the original.
    ap = apdev[0]
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP", rsn=False)
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])

    status = sta.get_status(extra="VERBOSE")
    for field in ('portControl', 'eap_session_id'):
        if field not in status:
            raise Exception(field + " missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
# Interactive credential entry over the control interface: for each tuple
# (description, EAP method, anonymous identity, identity, phase2, identity to
# supply on request, password to supply on request) the station is connected
# without the requested value, wpa_supplicant asks for it with
# CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD / CTRL-REQ-OTP, and the test answers
# with the matching CTRL-RSP-* command.
# NOTE(review): this block is a whitespace-mangled paste and is left as-is.
# Missing source lines include the last two elements of the first test tuple
# (2239), the per-test logging/"if req_id:" guard (2252, 2257) and the
# "if ev is None:" guards (2259, 2264). The locals `id` and `type` shadow
# builtins; `hapd` is unused.
2230 def test_ap_wpa2_eap_interactive(dev, apdev):
2231 """WPA2-Enterprise connection using interactive identity/password entry"""
2232 check_eap_capa(dev[0], "MSCHAPV2")
2233 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2234 hostapd.add_ap(apdev[0]['ifname'], params)
2235 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2237 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2238 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2240 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2241 "TTLS", "ttls", None, "auth=MSCHAPV2",
2242 "DOMAIN\mschapv2 user", "password"),
2243 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2244 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2245 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2246 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2247 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2248 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2249 ("Connection with dynamic PEAP/EAP-GTC password entry",
2250 "PEAP", None, "user", "auth=GTC", None, "password") ]
2251 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2253 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2254 anonymous_identity=anon, identity=identity,
2255 ca_cert="auth_serv/ca.pem", phase2=phase2,
2256 wait_connect=False, scan_freq="2412")
# Identity request/response (only reached when req_id is set, per the lost
# guard); the request id is the trailing number of the CTRL-REQ-IDENTITY-<n>
# token.
2258 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2260 raise Exception("Request for identity timed out")
2261 id = ev.split(':')[0].split('-')[-1]
2262 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
# Password request: GTC may ask for an OTP instead of a password, so both
# request types are accepted and answered with the matching CTRL-RSP type.
2263 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2265 raise Exception("Request for password timed out")
2266 id = ev.split(':')[0].split('-')[-1]
2267 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2268 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2269 dev[0].wait_connected(timeout=10)
2270 dev[0].request("REMOVE_NETWORK all")
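def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    A second, unrelated network block ("other", open) is added but not
    enabled. The EAP-TTLS network is configured without an identity, so
    wpa_supplicant has to request it over the control interface
    (CTRL-REQ-IDENTITY); the test answers with CTRL-RSP-IDENTITY and waits
    for the connection. Enabling the other network afterwards must not start
    a new authentication attempt while the station is connected.
    """
    # NOTE(review): the "if ev is None:" / "if ev is not None:" guards after
    # the two wait_event() calls were lost in the source paste; restored from
    # context (the second wait is for an event that must NOT happen).
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Not referenced below; kept so the test's setup stays identical.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # "\\m" keeps the backslash literal; "\m" is not a valid escape sequence.
    req_id = "DOMAIN\\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request number is the trailing part of the "CTRL-REQ-IDENTITY-<n>"
    # token preceding the first ':' (renamed from `id` to avoid shadowing
    # the builtin).
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    # A short timeout suffices: we are checking that nothing happens.
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")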
# Connection with the EAP vendor-test method (a test-only expanded EAP type),
# followed by a reauthentication and a second connection attempt on dev[1].
# NOTE(review): this block is a whitespace-mangled paste. The remaining
# arguments of the dev[1] eap_connect() call (source lines 2309-2310) are
# missing, so whether it is a positive or negative case cannot be recovered
# here; the code is left as-is rather than reconstructed.
2302 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2303 """WPA2-Enterprise connection using EAP vendor test"""
2304 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2305 hostapd.add_ap(apdev[0]['ifname'], params)
2306 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2307 eap_reauth(dev[0], "VENDOR-TEST")
2308 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 allows the PAC to be provisioned over an
    unauthenticated (anonymous DH) tunnel during the first connection; the
    PAC is stored in the "fast_pac" blob. After checking connectivity, the
    reauthentication must report tls_session_reused=1, i.e. the PAC session
    ticket was actually used instead of a full TLS handshake.
    """
    ap = apdev[0]
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# EAP-FAST with the PAC written to real files under the log directory: a
# provisioning connection on dev[0] must produce a text PAC file with the
# expected header and a PAC-Key entry, which is then reused; dev[1] repeats
# the exercise with fast_pac_format=binary into a second file. The PAC files
# are removed at the end.
# NOTE(review): this block is a whitespace-mangled paste and is left as-is.
# Missing source lines include the try/finally framing (2332-2333,
# 2361-2366, 2368-2370), the `data = f.read()` line (2339) and the closing
# pac_file=... argument lines of three eap_connect() calls (2348, 2354, 2360).
# Note that the `params` argument (test parameters, providing 'logdir') is
# immediately shadowed by the hostapd parameter dict.
2325 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2326 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2327 check_eap_capa(dev[0], "FAST")
2328 pac_file = os.path.join(params['logdir'], "fast.pac")
2329 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2330 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2331 hostapd.add_ap(apdev[0]['ifname'], params)
# Provisioning run: writes the PAC (containing the PAC-Key secret) to pac_file.
2334 eap_connect(dev[0], apdev[0], "FAST", "user",
2335 anonymous_identity="FAST", password="password",
2336 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2337 phase1="fast_provisioning=1", pac_file=pac_file)
2338 with open(pac_file, "r") as f:
2340 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2341 raise Exception("PAC file header missing")
2342 if "PAC-Key=" not in data:
2343 raise Exception("PAC-Key missing from PAC file")
# Second run without fast_provisioning: must authenticate using the stored PAC.
2344 dev[0].request("REMOVE_NETWORK all")
2345 eap_connect(dev[0], apdev[0], "FAST", "user",
2346 anonymous_identity="FAST", password="password",
2347 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same two-step sequence on dev[1] with the binary PAC format.
2350 eap_connect(dev[1], apdev[0], "FAST", "user",
2351 anonymous_identity="FAST", password="password",
2352 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2353 phase1="fast_provisioning=1 fast_pac_format=binary",
2355 dev[1].request("REMOVE_NETWORK all")
2356 eap_connect(dev[1], apdev[0], "FAST", "user",
2357 anonymous_identity="FAST", password="password",
2358 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2359 phase1="fast_pac_format=binary",
# Cleanup (inside the lost finally block): the PAC files hold credentials.
2367 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (unauthenticated provisioning, fast_provisioning=1)
    with the PAC store limited to one entry (fast_max_pac_list_len=1) and
    written in the binary format (fast_pac_format=binary) into the
    "fast_pac_bin" blob.  The subsequent reauthentication must resume the
    TLS session from that PAC, which shows the binary store round-trips.

    Raises:
        Exception: if the reauthentication did not reuse the TLS session.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1_opts = " ".join(["fast_provisioning=1",
                            "fast_max_pac_list_len=1",
                            "fast_pac_format=binary"])
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts, pac_file="blob://fast_pac_bin")
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# Negative test: EAP-FAST must fail cleanly when no usable PAC configuration
# exists.  First attempt names a PAC blob that was never provisioned and
# does not enable provisioning; second attempt has no pac_file at all.
# Both must end in CTRL-EVENT-EAP-FAILURE rather than a connection.
2385 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2386 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2387 check_eap_capa(dev[0], "FAST")
2388 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2389 hostapd.add_ap(apdev[0]['ifname'], params)
# No fast_provisioning in phase1, so the missing blob cannot be filled in.
2391 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2392 identity="user", anonymous_identity="FAST",
2393 password="password",
2394 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2395 pac_file="blob://fast_pac_not_in_use",
2396 wait_connect=False, scan_freq="2412")
2397 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2399 raise Exception("Timeout on EAP failure report")
2400 dev[0].request("REMOVE_NETWORK all")
# Same again with pac_file omitted entirely.
2402 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2403 identity="user", anonymous_identity="FAST",
2404 password="password",
2405 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2406 wait_connect=False, scan_freq="2412")
2407 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2409 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 requests authenticated provisioning, i.e. the
    server certificate is validated against ca_cert before a PAC is
    issued; this is the mode to prefer over the unauthenticated variant in
    test_ap_wpa2_eap_fast_mschapv2_unauth_prov.  The inner method is GTC.
    Data-path connectivity is checked after the first connection and the
    reauthentication must resume the TLS session from the PAC.

    Raises:
        Exception: if the reauthentication did not reuse the TLS session.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    station = dev[0]
    eap_connect(station, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(station, hapd)
    session = eap_reauth(station, "FAST")
    if session['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# After an authenticated-provisioning connection as "user", the network's
# identity is switched to "user2".  The station is expected to drop the
# association, start EAP-FAST again (CTRL-EVENT-EAP-METHOD) and then fail
# (CTRL-EVENT-EAP-FAILURE) -- presumably because the stored PAC does not
# carry over to the new identity / "user2" is not an accepted user; the
# exact cause is not visible from this listing.
2425 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2426 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2427 check_eap_capa(dev[0], "FAST")
2428 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2429 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2430 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2431 anonymous_identity="FAST", password="password",
2432 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2433 phase1="fast_provisioning=2",
2434 pac_file="blob://fast_pac_auth")
# Changing the identity on the live network triggers a reconnection.
2435 dev[0].set_network_quoted(id, "identity", "user2")
2436 dev[0].wait_disconnected()
2437 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2439 raise Exception("EAP-FAST not started")
2440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2442 raise Exception("EAP failure not reported")
2443 dev[0].wait_disconnected()
# Fault injection: the second allocation inside openssl_tls_prf() on the
# station is made to fail while EAP-FAST (authenticated provisioning) runs.
# The expected outcome is a reported EAP failure, i.e. an allocation error
# in the key derivation must abort the authentication rather than continue
# with partially derived keys.
2445 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2446 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2447 check_eap_capa(dev[0], "FAST")
2448 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2449 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2450 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2451 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2452 identity="user", anonymous_identity="FAST",
2453 password="password", ca_cert="auth_serv/ca.pem",
2455 phase1="fast_provisioning=2",
2456 pac_file="blob://fast_pac_auth",
2457 wait_connect=False, scan_freq="2412")
2458 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2460 raise Exception("EAP failure not reported")
2461 dev[0].request("DISCONNECT")
# Server-side fault injection: hostapd's integrated EAP server is configured
# for EAP-FAST and the first allocation in tls_session_ticket_ext_cb() is
# made to fail.  The station must see an EAP failure; afterwards the same
# network is selected again so that, with the fault cleared, the connection
# can proceed.
2463 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2464 """EAP-FAST/MSCHAPv2 and server OOM"""
2465 check_eap_capa(dev[0], "FAST")
2467 params = int_eap_server_params()
2468 params['dh_file'] = 'auth_serv/dh.conf'
# pac_opaque_encr_key protects the server-issued PAC-Opaque; this is a fixed
# sample value for the test -- never reuse it in a real configuration.
2469 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2470 params['eap_fast_a_id'] = '1011'
2471 params['eap_fast_a_id_info'] = 'another test server'
2472 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2474 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2475 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2476 anonymous_identity="FAST", password="password",
2477 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2478 phase1="fast_provisioning=1",
2479 pac_file="blob://fast_pac",
2480 expect_failure=True)
2481 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2483 raise Exception("No EAP failure reported")
2484 dev[0].wait_disconnected()
2485 dev[0].request("DISCONNECT")
# Retry with the fault no longer armed.
2487 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes a valid stapled OCSP response mandatory: the station must
    refuse the server certificate unless the EAP server staples a response
    that passes verification.  Skipped on TLS libraries without OCSP
    support.  The client authenticates with the test PKCS#12 bundle.
    """
    check_ocsp_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_cert_opts = {
        "ca_cert": "auth_serv/ca.pem",
        "private_key": "auth_serv/user.pkcs12",
        "private_key_passwd": "whatever",
        "ocsp": 2,  # require a good stapled status, not merely request it
    }
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_cert_opts)
# Base hostapd configuration for tests that use the integrated EAP server
# (eap_server=1) rather than the default RADIUS-backed setup: WPA2/CCMP with
# IEEE 802.1X, users taken from auth_serv/eap_user.conf, and the hwsim test
# CA, server certificate and private key.  Callers mutate the returned dict
# (server_cert, dh_file, ocsp_stapling_response, ...) before add_ap().
# The auth_serv/* material is checked-in test data and must never be reused
# outside the hwsim environment.
2498 def int_eap_server_params():
2499 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2500 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2501 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2502 "ca_cert": "auth_serv/ca.pem",
2503 "server_cert": "auth_serv/server.pem",
2504 "private_key": "auth_serv/server.key" }
# Negative OCSP test: the server staples an OCSP *request* (ocsp-req.der)
# where a response is expected.  With ocsp=2 the station must report a
# 'bad certificate status response' EAP status and then fail, never
# treating unparseable stapled data as "no status available".
2507 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2508 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2509 check_ocsp_support(dev[0])
2510 params = int_eap_server_params()
2511 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2512 hostapd.add_ap(apdev[0]['ifname'], params)
2513 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2514 identity="tls user", ca_cert="auth_serv/ca.pem",
2515 private_key="auth_serv/user.pkcs12",
2516 private_key_passwd="whatever", ocsp=2,
2517 wait_connect=False, scan_freq="2412")
2520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2522 raise Exception("Timeout on EAP status")
2523 if 'bad certificate status response' in ev:
2527 raise Exception("Unexpected number of EAP status messages")
2529 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2531 raise Exception("Timeout on EAP failure report")
# Negative OCSP test: the stapled response file is a corrupted cache entry
# (ocsp-server-cache.der-invalid).  With ocsp=2 the station must report a
# 'bad certificate status response' EAP status and then fail.
2533 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2534 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2535 check_ocsp_support(dev[0])
2536 params = int_eap_server_params()
2537 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2538 hostapd.add_ap(apdev[0]['ifname'], params)
2539 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2540 identity="tls user", ca_cert="auth_serv/ca.pem",
2541 private_key="auth_serv/user.pkcs12",
2542 private_key_passwd="whatever", ocsp=2,
2543 wait_connect=False, scan_freq="2412")
2546 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2548 raise Exception("Timeout on EAP status")
2549 if 'bad certificate status response' in ev:
2553 raise Exception("Unexpected number of EAP status messages")
2555 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2557 raise Exception("Timeout on EAP failure report")
# Negative OCSP test: the stapled response is signed by a key the station
# does not trust (ocsp-server-cache.der-unknown-sign).  A response with an
# unverifiable signature must not be accepted as proof of "good" status:
# with ocsp=2 the station must report 'bad certificate status response'
# and fail.
2559 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2560 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2561 check_ocsp_support(dev[0])
2562 params = int_eap_server_params()
2563 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2564 hostapd.add_ap(apdev[0]['ifname'], params)
2565 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2566 identity="tls user", ca_cert="auth_serv/ca.pem",
2567 private_key="auth_serv/user.pkcs12",
2568 private_key_passwd="whatever", ocsp=2,
2569 wait_connect=False, scan_freq="2412")
2572 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2574 raise Exception("Timeout on EAP status")
2575 if 'bad certificate status response' in ev:
2579 raise Exception("Unexpected number of EAP status messages")
2581 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2583 raise Exception("Timeout on EAP failure report")
# The server staples a genuine OCSP response whose status is "revoked"
# (generated into logdir by the test setup; skipped if absent).  With
# ocsp=2 the station must surface both the 'bad certificate status
# response' and 'certificate revoked' EAP status messages and then fail --
# a revoked server certificate must never complete EAP-TTLS.
2585 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2586 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2587 check_ocsp_support(dev[0])
2588 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2589 if not os.path.exists(ocsp):
2590 raise HwsimSkip("No OCSP response available")
2591 params = int_eap_server_params()
2592 params["ocsp_stapling_response"] = ocsp
2593 hostapd.add_ap(apdev[0]['ifname'], params)
2594 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2595 identity="pap user", ca_cert="auth_serv/ca.pem",
2596 anonymous_identity="ttls", password="password",
2597 phase2="auth=PAP", ocsp=2,
2598 wait_connect=False, scan_freq="2412")
2601 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2603 raise Exception("Timeout on EAP status")
2604 if 'bad certificate status response' in ev:
2606 if 'certificate revoked' in ev:
2610 raise Exception("Unexpected number of EAP status messages")
2612 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2614 raise Exception("Timeout on EAP failure report")
# The server staples a genuine OCSP response with status "unknown".  With
# ocsp=2 (stapling required) an "unknown" status is not good enough: the
# station must report 'bad certificate status response' and fail.  Compare
# test_ap_wpa2_eap_ttls_optional_ocsp_unknown, where ocsp=1 tolerates it.
2616 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2617 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
2618 check_ocsp_support(dev[0])
2619 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2620 if not os.path.exists(ocsp):
2621 raise HwsimSkip("No OCSP response available")
2622 params = int_eap_server_params()
2623 params["ocsp_stapling_response"] = ocsp
2624 hostapd.add_ap(apdev[0]['ifname'], params)
2625 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2626 identity="pap user", ca_cert="auth_serv/ca.pem",
2627 anonymous_identity="ttls", password="password",
2628 phase2="auth=PAP", ocsp=2,
2629 wait_connect=False, scan_freq="2412")
2632 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2634 raise Exception("Timeout on EAP status")
2635 if 'bad certificate status response' in ev:
2639 raise Exception("Unexpected number of EAP status messages")
2641 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2643 raise Exception("Timeout on EAP failure report")
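def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The server staples a genuine OCSP response whose status is "unknown".
    With ocsp=1 (request stapling, but do not require a good status) the
    station is expected to connect anyway; the same response makes
    test_ap_wpa2_eap_ttls_ocsp_unknown fail because that test uses ocsp=2.
    That leniency is the security trade-off of ocsp=1: revocation is only
    enforced when ocsp=2 is configured.

    Args:
        dev: station wpa_supplicant instances.
        apdev: AP interfaces.
        params: test-harness parameters; params['logdir'] holds the
            pre-generated OCSP response.

    Raises:
        HwsimSkip: if the TLS library has no OCSP support or the response
            file is missing.
    """
    # Skip on TLS libraries without OCSP support, as the other OCSP tests
    # do; otherwise the "optional" mode would pass vacuously there.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Keep the harness 'params' separate from the hostapd configuration.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # wait_connect is left at its default: the connection must succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")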
# The server certificate has no dNSName subjectAltName, so the name check
# falls back to the subject CN.  domain_suffix_match is set to the full
# name "server3.w1.fi", which must match on every TLS library.
2658 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2659 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2660 params = int_eap_server_params()
2661 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2662 params["private_key"] = "auth_serv/server-no-dnsname.key"
2663 hostapd.add_ap(apdev[0]['ifname'], params)
2664 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2665 identity="tls user", ca_cert="auth_serv/ca.pem",
2666 private_key="auth_serv/user.pkcs12",
2667 private_key_passwd="whatever",
2668 domain_suffix_match="server3.w1.fi",
# Same certificate without dNSName, checked with domain_match (exact match
# of the full name against the CN) rather than a suffix match.
2671 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2672 """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
2673 params = int_eap_server_params()
2674 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2675 params["private_key"] = "auth_serv/server-no-dnsname.key"
2676 hostapd.add_ap(apdev[0]['ifname'], params)
2677 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2678 identity="tls user", ca_cert="auth_serv/ca.pem",
2679 private_key="auth_serv/user.pkcs12",
2680 private_key_passwd="whatever",
2681 domain_match="server3.w1.fi",
# Proper suffix match against the CN: "w1.fi" must accept server3.w1.fi.
# check_domain_match_full() skips this on TLS libraries where
# domain_suffix_match only supports a full-name match.
2684 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2685 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2686 check_domain_match_full(dev[0])
2687 params = int_eap_server_params()
2688 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2689 params["private_key"] = "auth_serv/server-no-dnsname.key"
2690 hostapd.add_ap(apdev[0]['ifname'], params)
2691 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2692 identity="tls user", ca_cert="auth_serv/ca.pem",
2693 private_key="auth_serv/user.pkcs12",
2694 private_key_passwd="whatever",
2695 domain_suffix_match="w1.fi",
# Negative name checks against the CN-only certificate.  dev[0] uses an
# unrelated domain; dev[1] uses "erver3.w1.fi", a string suffix that is
# not a label boundary.  Both must end in EAP failure: a suffix match must
# only match whole DNS labels, otherwise "evilserver3.w1.fi"-style names
# would pass.
2698 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2699 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2700 params = int_eap_server_params()
2701 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2702 params["private_key"] = "auth_serv/server-no-dnsname.key"
2703 hostapd.add_ap(apdev[0]['ifname'], params)
2704 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2705 identity="tls user", ca_cert="auth_serv/ca.pem",
2706 private_key="auth_serv/user.pkcs12",
2707 private_key_passwd="whatever",
2708 domain_suffix_match="example.com",
2711 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2712 identity="tls user", ca_cert="auth_serv/ca.pem",
2713 private_key="auth_serv/user.pkcs12",
2714 private_key_passwd="whatever",
2715 domain_suffix_match="erver3.w1.fi",
2718 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2720 raise Exception("Timeout on EAP failure report")
2721 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2723 raise Exception("Timeout on EAP failure report (2)")
# Negative checks for domain_match (exact match): an unrelated domain and,
# on dev[1], the parent domain "w1.fi" -- which would be accepted by
# domain_suffix_match but must be rejected by domain_match.  Both stations
# must report EAP failure.
2725 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2726 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2727 params = int_eap_server_params()
2728 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2729 params["private_key"] = "auth_serv/server-no-dnsname.key"
2730 hostapd.add_ap(apdev[0]['ifname'], params)
2731 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2732 identity="tls user", ca_cert="auth_serv/ca.pem",
2733 private_key="auth_serv/user.pkcs12",
2734 private_key_passwd="whatever",
2735 domain_match="example.com",
2738 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2739 identity="tls user", ca_cert="auth_serv/ca.pem",
2740 private_key="auth_serv/user.pkcs12",
2741 private_key_passwd="whatever",
2742 domain_match="w1.fi",
2745 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2747 raise Exception("Timeout on EAP failure report")
2748 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2750 raise Exception("Timeout on EAP failure report (2)")
# An expired server certificate must be rejected by default: the station
# is expected to emit CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 and the
# text "certificate has expired", followed by EAP failure.
2752 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2753 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2754 skip_with_fips(dev[0])
2755 params = int_eap_server_params()
2756 params["server_cert"] = "auth_serv/server-expired.pem"
2757 params["private_key"] = "auth_serv/server-expired.key"
2758 hostapd.add_ap(apdev[0]['ifname'], params)
2759 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2760 identity="mschap user", password="password",
2761 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2764 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2766 raise Exception("Timeout on EAP certificate error report")
# Pin the reported reason so a different verification error does not pass.
2767 if "reason=4" not in ev or "certificate has expired" not in ev:
2768 raise Exception("Unexpected failure reason: " + ev)
2769 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2771 raise Exception("Timeout on EAP failure report")
# Same expired server certificate, but the station sets
# tls_disable_time_checks=1 and the connection is expected to succeed.
# That option switches off the certificate validity-period check entirely;
# it exists for devices without a reliable clock and should be treated as a
# deliberate weakening of server authentication, not a default.
2773 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2774 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2775 skip_with_fips(dev[0])
2776 params = int_eap_server_params()
2777 params["server_cert"] = "auth_serv/server-expired.pem"
2778 params["private_key"] = "auth_serv/server-expired.key"
2779 hostapd.add_ap(apdev[0]['ifname'], params)
2780 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2781 identity="mschap user", password="password",
2782 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2783 phase1="tls_disable_time_checks=1",
# Server certificate with an unusually long validity period
# (server-long-duration.pem); the connection is expected to succeed, i.e.
# a long notAfter must not be mistaken for an invalid or expired
# certificate (e.g. through time_t overflow in the date comparison).
2786 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2787 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2788 skip_with_fips(dev[0])
2789 params = int_eap_server_params()
2790 params["server_cert"] = "auth_serv/server-long-duration.pem"
2791 params["private_key"] = "auth_serv/server-long-duration.key"
2792 hostapd.add_ap(apdev[0]['ifname'], params)
2793 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2794 identity="mschap user", password="password",
2795 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# The server presents a certificate whose Extended Key Usage only allows
# client authentication (server-eku-client.pem).  The station must refuse
# it (EAP failure expected): honouring EKU prevents any client certificate
# issued by the trusted CA from being repurposed as an EAP server
# certificate.
2798 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2799 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2800 skip_with_fips(dev[0])
2801 params = int_eap_server_params()
2802 params["server_cert"] = "auth_serv/server-eku-client.pem"
2803 params["private_key"] = "auth_serv/server-eku-client.key"
2804 hostapd.add_ap(apdev[0]['ifname'], params)
2805 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2806 identity="mschap user", password="password",
2807 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2810 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2812 raise Exception("Timeout on EAP failure report")
# Counterpart of the previous test: a certificate carrying both client and
# server EKU (server-eku-client-server.pem) is acceptable for the EAP
# server and the connection is expected to succeed.
2814 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2815 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2816 skip_with_fips(dev[0])
2817 params = int_eap_server_params()
2818 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2819 params["private_key"] = "auth_serv/server-eku-client-server.key"
2820 hostapd.add_ap(apdev[0]['ifname'], params)
2821 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2822 identity="mschap user", password="password",
2823 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# hostapd loads its server certificate and key from a single PKCS#12
# bundle: server_cert is removed from the configuration and private_key
# points at auth_serv/server.pkcs12.  The EAP-TTLS/MSCHAP connection is
# expected to succeed.
2826 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2827 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2828 skip_with_fips(dev[0])
2829 params = int_eap_server_params()
2830 del params["server_cert"]
2831 params["private_key"] = "auth_serv/server.pkcs12"
2832 hostapd.add_ap(apdev[0]['ifname'], params)
2833 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2834 identity="mschap user", password="password",
2835 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and client-side DH params

    The station supplies its own DH parameters (dh_file=auth_serv/dh.conf)
    and must still complete EAP-TTLS with the PAP inner method against the
    default EAP server.  The CA is given in DER form (auth_serv/ca.der).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params, but the station's dh_file
    points at DSA parameters (auth_serv/dsaparam.pem), which the TLS layer
    is expected to accept as a source of DH parameters.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
# Station-side negative test: dh_file names a file that does not exist, so
# the TLS setup must fail and EAP failure must be reported (no fallback to
# default parameters).
# NOTE(review): a second function with this exact name is defined further
# down in this file (the hostapd-side variant).  Python keeps only the last
# definition, so this client-side test is never collected or run until one
# of the two is renamed.
2856 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2857 """EAP-TTLS and DH params file not found"""
2858 skip_with_fips(dev[0])
2859 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2860 hostapd.add_ap(apdev[0]['ifname'], params)
2861 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2862 identity="mschap user", password="password",
2863 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2864 dh_file="auth_serv/dh-no-such-file.conf",
2865 scan_freq="2412", wait_connect=False)
2866 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2868 raise Exception("EAP failure timed out")
2869 dev[0].request("REMOVE_NETWORK all")
2870 dev[0].wait_disconnected()
# Station-side negative test: dh_file points at a certificate (ca.pem)
# instead of DH parameters; the TLS setup must fail and EAP failure must
# be reported.
# NOTE(review): a second function with this exact name is defined further
# down in this file (the hostapd-side variant).  Python keeps only the last
# definition, so this client-side test is never collected or run until one
# of the two is renamed.
2872 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2873 """EAP-TTLS and invalid DH params file"""
2874 skip_with_fips(dev[0])
2875 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2876 hostapd.add_ap(apdev[0]['ifname'], params)
2877 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2878 identity="mschap user", password="password",
2879 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2880 dh_file="auth_serv/ca.pem",
2881 scan_freq="2412", wait_connect=False)
2882 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2884 raise Exception("EAP failure timed out")
2885 dev[0].request("REMOVE_NETWORK all")
2886 dev[0].wait_disconnected()
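def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are decoded with read_pem() and pushed into
    wpa_supplicant as a named blob over the control interface; the network
    then references them as dh_file="blob://dhparams" instead of a path on
    disk, and the EAP-TTLS/PAP connection must succeed.

    Raises:
        Exception: if the control interface refuses the SET blob command.
    """
    import binascii  # stdlib; hex-encodes both Python 2 str and Python 3 bytes

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh = read_pem("auth_serv/dh2.conf")
    # binascii.hexlify() replaces the Python 2-only str.encode("hex"), so
    # the blob is built the same way on Python 3 where read_pem() yields
    # bytes.
    dh_hex = binascii.hexlify(dh).decode('ascii')
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")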
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    hostapd's integrated EAP server is given a non-default DH parameter
    file (auth_serv/dh2.conf); the EAP-TTLS/PAP connection must succeed
    with it.
    """
    ap_params = int_eap_server_params()
    ap_params.update({"dh_file": "auth_serv/dh2.conf"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    As test_ap_wpa2_eap_ttls_dh_params_server, but the server's dh_file
    points at DSA parameters (auth_serv/dsaparam.pem).
    """
    ap_params = int_eap_server_params()
    ap_params.update({"dh_file": "auth_serv/dsaparam.pem"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    hostapd must refuse to enable the interface when the configured dh_file
    does not exist, instead of bringing up the EAP server without the
    intended DH parameters.

    NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found,
    which is first defined earlier in this file for the wpa_supplicant
    side.  Python keeps only the last definition, so the earlier
    (client-side) test is never collected or run; one of the two needs a
    distinct name (e.g. a "_server" infix for this one).

    Raises:
        Exception: if ENABLE does not return FAIL.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add without enabling so the ENABLE result can be inspected directly.
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    hostapd must refuse to enable the interface when dh_file points at a
    file that holds no DH parameters (here the CA certificate), rather
    than starting the EAP server with whatever it could parse.

    NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid,
    which is first defined earlier in this file for the wpa_supplicant
    side.  Python keeps only the last definition, so the earlier
    (client-side) test is never collected or run; one of the two needs a
    distinct name (e.g. a "_server" infix for this one).

    Raises:
        Exception: if ENABLE does not return FAIL.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/ca.pem"
    # Add without enabling so the ENABLE result can be inspected directly.
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
# The authenticator is configured with eap_reauth_period=2 (seconds), so it
# must force a full EAP reauthentication shortly after the EAP-PAX
# connection.  The station is expected to report EAP-STARTED and then
# EAP-SUCCESS, and wpa_state must return to COMPLETED (polled up to 20
# times).
2934 def test_ap_wpa2_eap_reauth(dev, apdev):
2935 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2936 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2937 params['eap_reauth_period'] = '2'
2938 hostapd.add_ap(apdev[0]['ifname'], params)
# password_hex is the fixed EAP-PAX test key, not a real credential.
2939 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2940 password_hex="0123456789abcdef0123456789abcdef")
2941 logger.info("Wait for reauthentication")
2942 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2944 raise Exception("Timeout on reauthentication")
2945 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2947 raise Exception("Timeout on reauthentication")
2948 for i in range(0, 20):
2949 state = dev[0].get_status_field("wpa_state")
2950 if state == "COMPLETED":
2953 if state != "COMPLETED":
2954 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    The AP is configured with eap_message, i.e. displayable text followed
    by a NUL separator and an option list (networkid/nasid/portid/NAIRealms,
    in the style of RFC 4284 identity hints) in the EAP-Request/Identity.
    The station must still complete EAP-PAX normally with that message
    present.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # '\\0' is the literal two-character escape hostapd expands to NUL.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    pax_key = "0123456789abcdef0123456789abcdef"  # fixed test key
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] connects with
    result_ind=1 (protected success indication) and is reauthenticated,
    while dev[1] connects to the same AP without requesting the indication;
    all of it must succeed against a server configured with
    eap_sim_aka_result_ind=1.  Credentials come from the hlr_auc_gw test
    socket; the password strings are the simulated subscriber secrets used
    throughout the hwsim tests, not real keys.  Between methods both
    stations start from an empty network list.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
# Drives an EAP-TTLS exchange into the supplicant's round-trip limit (the
# phase1 setting that provokes this is not part of this listing); the
# station is expected to log "EAP: more than ..." and give up, which guards
# against a server keeping a peer in an endless fragmented exchange.
2999 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3000 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3001 skip_with_fips(dev[0])
3002 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3003 hostapd.add_ap(apdev[0]['ifname'], params)
3004 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3005 eap="TTLS", identity="mschap user",
3006 wait_connect=False, scan_freq="2412", ieee80211w="1",
3007 anonymous_identity="ttls", password="password",
3008 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3010 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3012 raise Exception("EAP roundtrip limit not reached")
# The station only offers EAP-PSK while using the "vendor-test" identity,
# so the server proposes its vendor (expanded-type) method and the peer has
# to answer with an expanded NAK.  Within at most five EAP status events a
# "refuse proposed method" status must appear, followed by EAP failure.
3014 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3015 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3016 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3017 hostapd.add_ap(apdev[0]['ifname'], params)
3018 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3019 eap="PSK", identity="vendor-test",
3020 password_hex="ff23456789abcdef0123456789abcdef",
3024 for i in range(0, 5):
3025 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3027 raise Exception("Association and EAP start timed out")
3028 if "refuse proposed method" in ev:
3032 raise Exception("Unexpected EAP status: " + ev)
3034 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3036 raise Exception("EAP failure timed out")
# Builds a SQLite user database under logdir and points hostapd's
# eap_user_file at it ("sqlite:" prefix); four TTLS users with different
# inner methods must then authenticate.  The SQL here is assembled from
# string literals only (no external input), so there is no injection
# surface in the test itself.  Note that the users table stores passwords
# in the clear: the inner methods used (PAP, CHAP, MSCHAP, MSCHAPv2) need
# the server to hold the password in a reversible or hash-equivalent form,
# so a real deployment must protect this database file accordingly.
3038 def test_ap_wpa2_eap_sql(dev, apdev, params):
3039 """WPA2-Enterprise connection using SQLite for user DB"""
3040 skip_with_fips(dev[0])
3044 raise HwsimSkip("No sqlite3 module available")
3045 dbfile = os.path.join(params['logdir'], "eap-user.db")
3050 con = sqlite3.connect(dbfile)
3053 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3054 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3055 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3056 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3057 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3058 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty identity wildcard selects the outer (phase 1) methods for anyone.
3059 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
# authlog is presumably written by hostapd itself; the test only creates it.
3060 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3063 params = int_eap_server_params()
3064 params["eap_user_file"] = "sqlite:" + dbfile
3065 hostapd.add_ap(apdev[0]['ifname'], params)
3066 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3067 anonymous_identity="ttls", password="password",
3068 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3069 dev[0].request("REMOVE_NETWORK all")
3070 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3071 anonymous_identity="ttls", password="password",
3072 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3073 dev[1].request("REMOVE_NETWORK all")
3074 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3075 anonymous_identity="ttls", password="password",
3076 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3077 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3078 anonymous_identity="ttls", password="password",
3079 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Robustness check against the integrated EAP server: identities that are
# not valid ASCII/UTF-8 ("\x80" and "a\x80") must still get as far as EAP
# start and method selection on both stations -- i.e. neither side may
# crash or hang on a malformed NAI.  Whether authentication then succeeds
# is not asserted here.
3083 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3084 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3085 params = int_eap_server_params()
3086 hostapd.add_ap(apdev[0]['ifname'], params)
3087 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3088 identity="\x80", password="password", wait_connect=False)
3089 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3090 identity="a\x80", password="password", wait_connect=False)
3091 for i in range(0, 2):
3092 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3094 raise Exception("Association and EAP start timed out")
3095 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3097 raise Exception("EAP method selection timed out")
# Same non-ASCII identity check as test_ap_wpa2_eap_non_ascii_identity,
# but against the default (RADIUS-backed) EAP setup from wpa2_eap_params()
# so that the malformed identity also travels through that path.
3099 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3100 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3101 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3102 hostapd.add_ap(apdev[0]['ifname'], params)
3103 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3104 identity="\x80", password="password", wait_connect=False)
3105 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3106 identity="a\x80", password="password", wait_connect=False)
3107 for i in range(0, 2):
3108 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3110 raise Exception("Association and EAP start timed out")
3111 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3113 raise Exception("EAP method selection timed out")
3115 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3116 """OpenSSL cipher suite configuration on wpa_supplicant"""
# Exercises the station-side openssl_ciphers network parameter against one
# AP: a usable list ("AES128") must connect, the weak "EXPORT" list must
# fail to negotiate, and an unparsable list ("FOO") must be reported as an
# EAP failure rather than silently falling back to defaults.
3117 tls = dev[0].request("GET tls_library")
3118 if not tls.startswith("OpenSSL"):
3119 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3120 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3121 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3122 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3123 anonymous_identity="ttls", password="password",
3124 openssl_ciphers="AES128",
3125 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# EXPORT-grade suites must not be negotiable. maybe_local_error=True is
# presumably there because the failure can be raised locally before the
# server rejects the handshake -- see eap_connect for the exact semantics.
3126 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3127 anonymous_identity="ttls", password="password",
3128 openssl_ciphers="EXPORT",
3129 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3130 expect_failure=True, maybe_local_error=True)
# Invalid cipher string: connect() is driven directly (not via eap_connect)
# so the resulting CTRL-EVENT-EAP-FAILURE can be awaited explicitly.
3131 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3132 identity="pap user", anonymous_identity="ttls",
3133 password="password",
3134 openssl_ciphers="FOO",
3135 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
# NOTE(review): the closing argument line of this connect() call (source
# line 3136) is not shown in this listing.
3137 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the "if ev is None:" guard before this raise is not shown.
3139 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3140 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The AP's integrated EAP server is restricted to AES256 suites. A
    station with no cipher restriction and one allowing HIGH:!ADH must
    connect, a station limited to AES128 must fail the handshake, and a
    second AP given an invalid openssl_ciphers value must refuse to be
    enabled. Skips unless both sides report an OpenSSL TLS library.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # (station, station cipher list or None for the default, handshake must fail)
    attempts = ((dev[0], None, False),
                (dev[1], "AES128", True),
                (dev[2], "HIGH:!ADH", False))
    for sta, ciphers, must_fail in attempts:
        extra = dict(ttls_pap)
        if ciphers is not None:
            extra['openssl_ciphers'] = ciphers
        eap_connect(sta, apdev[0], "TTLS", "pap user",
                    expect_failure=must_fail, **extra)

    # An invalid cipher string must be rejected when the AP is enabled,
    # not accepted and silently ignored.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3171 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3172 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Verifies that secrets derived during an EAP-TTLS/PAP connection are
# scrubbed from the wpa_supplicant process memory at the expected points:
# transient keys after disassociation, the PMK after the PMKSA cache and
# EAP fast re-auth state are flushed, and everything (including the
# password) once the network profile is removed.
# params: the test-framework parameter dict; params['logdir'] is read for
# the debug log and as the base for memory-dump file names.
3173 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3174 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# A long random-looking password so that searching the process memory for
# it does not produce accidental matches.
3175 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3176 pid = find_wpas_process(dev[0])
3177 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3178 anonymous_identity="ttls", password=password,
3179 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Snapshot of process memory while associated (the "keys present" baseline).
3181 buf = read_process_memory(pid, password)
3183 dev[0].request("DISCONNECT")
3184 dev[0].wait_disconnected()
# Recover the derived keys from the hexdump lines in the debug log; the
# hex bytes are the fourth ':'-separated field of each matching line.
# NOTE(review): the initialisation of msk/emsk/pmk/ptk/gtk (source lines
# 3185-3191) is not shown; the check at 3209 implies they default to a
# falsy value.
3192 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3193 for l in f.readlines():
3194 if "EAP-TTLS: Derived key - hexdump" in l:
3195 val = l.strip().split(':')[3].replace(' ', '')
3196 msk = binascii.unhexlify(val)
3197 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3198 val = l.strip().split(':')[3].replace(' ', '')
3199 emsk = binascii.unhexlify(val)
3200 if "WPA: PMK - hexdump" in l:
3201 val = l.strip().split(':')[3].replace(' ', '')
3202 pmk = binascii.unhexlify(val)
3203 if "WPA: PTK - hexdump" in l:
3204 val = l.strip().split(':')[3].replace(' ', '')
3205 ptk = binascii.unhexlify(val)
3206 if "WPA: Group Key - hexdump" in l:
3207 val = l.strip().split(':')[3].replace(' ', '')
3208 gtk = binascii.unhexlify(val)
3209 if not msk or not emsk or not pmk or not ptk or not gtk:
3210 raise Exception("Could not find keys from debug log")
# NOTE(review): the GTK length check guarding this raise (line 3211) and
# the derivation of kck/kek/tk used below (lines 3213-3217, presumably
# slices of ptk) are not shown in this listing.
3212 raise Exception("Unexpected GTK length")
# Base name for the memory dumps verify_not_present() writes on failure.
3218 fname = os.path.join(params['logdir'],
3219 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3221 logger.info("Checking keys in memory while associated")
# get_key_locations() only logs where each value occurs; the assertions are
# the explicit checks that follow it.
3222 get_key_locations(buf, password, "Password")
3223 get_key_locations(buf, pmk, "PMK")
3224 get_key_locations(buf, msk, "MSK")
3225 get_key_locations(buf, emsk, "EMSK")
# Without a baseline showing the secrets while associated the later
# "not present" checks would be meaningless, hence a skip, not a failure.
3226 if password not in buf:
3227 raise HwsimSkip("Password not found while associated")
# NOTE(review): the conditions guarding the next five raises (lines 3228,
# 3230, 3232, 3234, 3236) are not shown; the messages indicate PMK, KCK and
# KEK are expected in memory while TK and GTK are expected to be absent
# (held by the driver, not wpa_supplicant -- presumably).
3229 raise HwsimSkip("PMK not found while associated")
3231 raise Exception("KCK not found while associated")
3233 raise Exception("KEK not found while associated")
3235 raise Exception("TK found from memory")
3237 raise Exception("GTK found from memory")
3239 logger.info("Checking keys in memory after disassociation")
3240 buf = read_process_memory(pid, password)
3242 # Note: Password is still present in network configuration
3243 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3245 get_key_locations(buf, password, "Password")
3246 get_key_locations(buf, pmk, "PMK")
3247 get_key_locations(buf, msk, "MSK")
3248 get_key_locations(buf, emsk, "EMSK")
# Per-association keys must be gone as soon as the association ends.
3249 verify_not_present(buf, kck, fname, "KCK")
3250 verify_not_present(buf, kek, fname, "KEK")
3251 verify_not_present(buf, tk, fname, "TK")
3252 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which drops the EAP
# fast re-auth state) must remove the PMK.
3254 dev[0].request("PMKSA_FLUSH")
3255 dev[0].set_network_quoted(id, "identity", "foo")
3256 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3257 buf = read_process_memory(pid, password)
3258 get_key_locations(buf, password, "Password")
3259 get_key_locations(buf, pmk, "PMK")
3260 get_key_locations(buf, msk, "MSK")
3261 get_key_locations(buf, emsk, "EMSK")
3262 verify_not_present(buf, pmk, fname, "PMK")
3264 dev[0].request("REMOVE_NETWORK all")
3266 logger.info("Checking keys in memory after network profile removal")
3267 buf = read_process_memory(pid, password)
3269 get_key_locations(buf, password, "Password")
3270 get_key_locations(buf, pmk, "PMK")
3271 get_key_locations(buf, msk, "MSK")
3272 get_key_locations(buf, emsk, "EMSK")
# With the profile removed nothing secret may remain, including the
# configured password and the EAP-level MSK/EMSK.
3273 verify_not_present(buf, password, fname, "password")
3274 verify_not_present(buf, pmk, fname, "PMK")
3275 verify_not_present(buf, kck, fname, "KCK")
3276 verify_not_present(buf, kek, fname, "KEK")
3277 verify_not_present(buf, tk, fname, "TK")
3278 verify_not_present(buf, gtk, fname, "GTK")
3279 verify_not_present(buf, msk, fname, "MSK")
3280 verify_not_present(buf, emsk, fname, "EMSK")
3282 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3283 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# After a normal EAP-TTLS/PAP connection, a legacy (WEP-era) EAPOL-Key
# frame is injected into wpa_supplicant through the EAPOL_RX control
# command. The station must accept the injection command and drop the
# frame instead of acting on a key descriptor that WPA2 does not use.
3284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3285 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3286 bssid = apdev[0]['bssid']
3287 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3288 anonymous_identity="ttls", password="password",
3289 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3291 # Send unexpected WEP EAPOL-Key; this gets dropped
# Frame layout: 02 = EAPOL version, 03 = EAPOL-Key, 002c = body length,
# 01 = legacy RC4 key descriptor type, followed by a zeroed body.
3292 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
# NOTE(review): the condition on res guarding this raise (source line 3293)
# is not shown in this listing.
3294 raise Exception("EAPOL_RX to wpa_supplicant failed")
3296 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3297 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs _test_ap_wpa2_eap_in_bridge and then tears down the
# bridge and 4addr mode it created.
# NOTE(review): the assignments of br_ifname and ifname and the try/finally
# around the call (source lines 3298-3300 and 3302) are not shown here.
3301 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Cleanup uses subprocess.call (return codes ignored) so that one failed
# teardown step does not hide the result of the test itself.
3303 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3304 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3305 subprocess.call(['brctl', 'delbr', br_ifname])
3306 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3308 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of test_ap_wpa2_eap_in_bridge: puts a wpa_supplicant interface into
# a Linux bridge (4addr mode) and checks that EAP-PAX authentication,
# reauthentication and reconnection all work through the bridge.
# NOTE(review): the definitions of br_ifname and ifname (source lines
# 3311-3313) are not shown in this listing.
3309 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3310 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3314 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup; forwarding delay 0 so the port becomes usable immediately.
3315 subprocess.call(['brctl', 'addbr', br_ifname])
3316 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3317 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3318 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
# check_call here: if the interface cannot be added to the bridge the rest
# of the test is meaningless, so abort instead of continuing.
3319 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3320 wpas.interface_add(ifname, br_ifname=br_ifname)
3322 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3323 password_hex="0123456789abcdef0123456789abcdef")
3324 eap_reauth(wpas, "PAX")
3325 # Try again as a regression test for packet socket workaround
3326 eap_reauth(wpas, "PAX")
# Disconnect/reconnect cycle to confirm a fresh association also works
# while bridged.
3327 wpas.request("DISCONNECT")
3328 wpas.wait_disconnected()
3329 wpas.request("RECONNECT")
3330 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Brings up a WPA2-EAP AP, checks that its configuration reports WPA-EAP
    as the first key_mgmt entry, connects with EAP-TTLS/PAP while leaving
    TLS session tickets enabled on the station
    (phase1="tls_disable_session_ticket=0"), and then reauthenticates.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    configured_key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = configured_key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured_key_mgmt)

    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Second EAP exchange with session tickets still enabled on the station.
    eap_reauth(station, "TTLS")
3345 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3346 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# Same flow as test_ap_wpa2_eap_session_ticket, but with the station's EAP
# interoperability workarounds disabled (eap_workaround='0') to confirm
# the connection and a reauthentication succeed without them.
3347 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3348 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Sanity check on the AP configuration before connecting.
3349 key_mgmt = hapd.get_config()['key_mgmt']
3350 if key_mgmt.split(' ')[0] != "WPA-EAP":
3351 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3352 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3353 anonymous_identity="ttls", password="password",
3354 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): the final argument line of this eap_connect() call (source
# line 3355, presumably the phase2 setting) is not shown in this listing.
3356 eap_reauth(dev[0], "TTLS")
3358 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3359 """EAP-TLS and server checking CRL"""
# Verifies the server-side check_crl behaviour of the integrated EAP
# server: with CRL checking enabled but no CRL loaded the client must be
# rejected (fail closed), and once a CA file that carries a valid CRL is
# configured the same client must be accepted under check_crl=1 and
# check_crl=2.
3360 params = int_eap_server_params()
3361 params['check_crl'] = '1'
3362 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3364 # check_crl=1 and no CRL available --> reject connection
3365 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3366 client_cert="auth_serv/user.pem",
3367 private_key="auth_serv/user.key", expect_failure=True)
3368 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): the lines around this hapd.set() call (source lines
# 3369-3370 and 3372-3373) are not shown; they presumably disable and
# re-enable the AP so the new ca_cert takes effect -- confirm in the file.
3371 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3374 # check_crl=1 and valid CRL --> accept
3375 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3376 client_cert="auth_serv/user.pem",
3377 private_key="auth_serv/user.key")
3378 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): as above, the surrounding restart lines (3379-3380,
# 3382-3383) are not shown. The distinction between check_crl values 1 and
# 2 is not documented here; see the hostapd configuration reference.
3381 hapd.set("check_crl", "2")
3384 # check_crl=2 and valid CRL --> accept
3385 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3386 client_cert="auth_serv/user.pem",
3387 private_key="auth_serv/user.key")
3388 dev[0].request("REMOVE_NETWORK all")
3390 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3391 """EAP-TLS and OOM"""
# Injects an allocation failure into tls_connection_set_subject_match()
# (1st through 4th allocation) while an EAP-TLS profile with every
# server-identity matching parameter set is being configured. The expected
# outcome is a clean configuration error (reported via CTRL-REQ-PASSPHRASE)
# rather than a crash or a connection that proceeds without the matching
# constraints.
3392 check_subject_match_support(dev[0])
3393 check_altsubject_match_support(dev[0])
3394 check_domain_match_full(dev[0])
3396 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3397 hostapd.add_ap(apdev[0]['ifname'], params)
# (allocation number to fail, function in which to fail it)
3399 tests = [ (1, "tls_connection_set_subject_match"),
3400 (2, "tls_connection_set_subject_match"),
3401 (3, "tls_connection_set_subject_match"),
3402 (4, "tls_connection_set_subject_match") ]
3403 for count, func in tests:
3404 with alloc_fail(dev[0], count, func):
3405 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3406 identity="tls user", ca_cert="auth_serv/ca.pem",
3407 client_cert="auth_serv/user.pem",
3408 private_key="auth_serv/user.key",
3409 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3410 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3411 domain_suffix_match="server.w1.fi",
3412 domain_match="server.w1.fi",
3413 wait_connect=False, scan_freq="2412")
3414 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3415 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
# NOTE(review): the "if ev is None:" guard before this raise (source line
# 3416) is not shown in this listing.
3417 raise Exception("No passphrase request")
# Remove the profile before the next injected failure so each iteration
# starts from a clean state.
3418 dev[0].request("REMOVE_NETWORK all")
3419 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Starts the AP with macaddr_acl="2" and verifies that a station using
    EAP-TLS with the test client certificate still completes the
    connection.
    """
    ap_params = dict(hostapd.wpa2_eap_params(ssid="test-wpa2-eap"),
                     macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    tls_credentials = {
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
    }
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_credentials)
3430 def test_ap_wpa2_eap_oom(dev, apdev):
3431 """EAP server and OOM"""
# Injects an allocation failure into hostapd's eapol_auth_alloc() for the
# first attempt and checks that the station can still authenticate with
# EAP-TLS, i.e. that the authenticator recovers from a transient
# allocation failure rather than wedging the station's state.
3432 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3433 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3434 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# NOTE(review): source line 3435 is not shown in this listing.
3436 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3437 # The first attempt fails, but STA will send EAPOL-Start to retry and
# NOTE(review): the rest of this comment (source line 3438) and the closing
# argument line(s) of the connect() call (3443-3444) are not shown.
3439 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3440 identity="tls user", ca_cert="auth_serv/ca.pem",
3441 client_cert="auth_serv/user.pem",
3442 private_key="auth_serv/user.key",
3445 def check_tls_ver(dev, ap, phase1, expected):
# Connect dev to ap with EAP-TLS using the given phase1 string (TLS version
# restrictions such as tls_disable_tlsv1_0=1) and verify that the
# negotiated version reported in the eap_tls_version status field equals
# `expected` (e.g. "TLSv1.1"). Raises Exception on a mismatch.
3446 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3447 client_cert="auth_serv/user.pem",
3448 private_key="auth_serv/user.key",
# NOTE(review): the final argument line of this call (source line 3449,
# presumably phase1=phase1) and the comparison guarding the raise below
# (line 3451) are not shown in this listing.
3450 ver = dev.get_status_field("eap_tls_version")
3452 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3454 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3455 """EAP-TLS and TLS version configuration"""
# Checks that the station-side tls_disable_tlsv1_x phase1 flags really
# pin the negotiated TLS version: disabling 1.0 and 1.1 must leave 1.2,
# disabling 1.0 and 1.2 must leave 1.1, and disabling 1.1 and 1.2 must
# leave 1.0. Only exercised when both build and runtime OpenSSL are 1.0.2.
3456 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3457 hostapd.add_ap(apdev[0]['ifname'], params)
3459 tls = dev[0].request("GET tls_library")
3460 if tls.startswith("OpenSSL"):
3461 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3462 check_tls_ver(dev[0], apdev[0],
3463 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
# NOTE(review): the expected-version argument of this first call (source
# line 3464) is not shown in this listing.
3465 check_tls_ver(dev[1], apdev[0],
3466 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3467 check_tls_ver(dev[2], apdev[0],
3468 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3470 def test_rsn_ie_proto_eap_sta(dev, apdev):
3471 """RSN element protocol testing for EAP cases on STA side"""
# Connects with EAP-GPSK to an AP whose RSN element is overridden, then
# repeatedly reconnects while the AP advertises progressively truncated
# RSN elements (optional trailing fields omitted). The station is
# expected to handle each short element and still complete the connection.
3472 bssid = apdev[0]['bssid']
3473 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3474 # This is the RSN element used normally by hostapd
# Hex layout: 30 (RSN element ID) 14 (length 20) 0100 (version 1)
# 000fac04 (group cipher CCMP) 0100 000fac04 (one pairwise cipher, CCMP)
# 0100 000fac01 (one AKM, IEEE 802.1X) 0c00 (RSN capabilities).
3475 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3476 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3477 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3478 identity="gpsk user",
3479 password="abcdefghijklmnop0123456789abcdef",
# NOTE(review): the closing argument lines of this connect() call (source
# lines 3480-3481) are not shown in this listing.
# (description, RSN element hex) -- each entry drops one more trailing field
3482 tests = [ ('No RSN Capabilities field',
3483 '30120100000fac040100000fac040100000fac01'),
3484 ('No AKM Suite fields',
3485 '300c0100000fac040100000fac04'),
3486 ('No Pairwise Cipher Suite fields',
3487 '30060100000fac04'),
3488 ('No Group Data Cipher Suite field',
# NOTE(review): the hex value for the last entry (line 3489) and the lines
# between the loop statements below (3493-3494, 3496) are not shown.
3490 for txt,ie in tests:
3491 dev[0].request("DISCONNECT")
3492 dev[0].wait_disconnected()
3495 hapd.set('own_ie_override', ie)
# Flush the cached BSS entry and rescan so the station sees the new RSN
# element before reconnecting to the same profile.
3497 dev[0].request("BSS_FLUSH 0")
3498 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3499 dev[0].select_network(id, freq=2412)
3500 dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant use OpenSSL.

    The session resumption tests depend on OpenSSL behaviour on both ends.
    The hostapd side is queried first, then the station side.

    Raises:
        HwsimSkip: if either side reports a TLS library other than OpenSSL.
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for endpoint, skip_reason in checks:
        tls_library = endpoint.request("GET tls_library")
        if not tls_library.startswith("OpenSSL"):
            raise HwsimSkip(skip_reason + tls_library)
3511 def test_eap_ttls_pap_session_resumption(dev, apdev):
3512 """EAP-TTLS/PAP session resumption"""
# The server keeps TLS sessions for tls_session_lifetime (60, presumably
# seconds). The first EAP-TTLS/PAP connection must be a full handshake
# (tls_session_reused '0'); a REAUTHENTICATE must then be completed via
# session resumption (tls_session_reused '1').
3513 params = int_eap_server_params()
3514 params['tls_session_lifetime'] = '60'
3515 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3516 check_tls_session_resumption_capa(dev[0], hapd)
3517 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3518 anonymous_identity="ttls", password="password",
3519 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): the final argument line of this eap_connect() call (source
# line 3520) is not shown in this listing.
3521 if dev[0].get_status_field("tls_session_reused") != '0':
3522 raise Exception("Unexpected session resumption on the first connection")
3524 dev[0].request("REAUTHENTICATE")
3525 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3526 and 3529) are not shown in this listing.
3527 raise Exception("EAP success timed out")
3528 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3530 raise Exception("Key handshake with the AP timed out")
3531 if dev[0].get_status_field("tls_session_reused") != '1':
3532 raise Exception("Session resumption not used on the second connection")
3534 def test_eap_ttls_chap_session_resumption(dev, apdev):
3535 """EAP-TTLS/CHAP session resumption"""
# Same resumption flow as test_eap_ttls_pap_session_resumption with CHAP
# as the inner method and the DER-encoded CA certificate: full handshake
# first, resumed session on REAUTHENTICATE.
3536 params = int_eap_server_params()
3537 params['tls_session_lifetime'] = '60'
3538 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3539 check_tls_session_resumption_capa(dev[0], hapd)
3540 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3541 anonymous_identity="ttls", password="password",
3542 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3543 if dev[0].get_status_field("tls_session_reused") != '0':
3544 raise Exception("Unexpected session resumption on the first connection")
3546 dev[0].request("REAUTHENTICATE")
3547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3548 and 3551) are not shown in this listing.
3549 raise Exception("EAP success timed out")
3550 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3552 raise Exception("Key handshake with the AP timed out")
3553 if dev[0].get_status_field("tls_session_reused") != '1':
3554 raise Exception("Session resumption not used on the second connection")
3556 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3557 """EAP-TTLS/MSCHAP session resumption"""
# Same resumption flow as test_eap_ttls_pap_session_resumption with MSCHAP
# as the inner method; domain_suffix_match additionally ties the server
# certificate to server.w1.fi on the initial handshake.
3558 params = int_eap_server_params()
3559 params['tls_session_lifetime'] = '60'
3560 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3561 check_tls_session_resumption_capa(dev[0], hapd)
3562 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3563 anonymous_identity="ttls", password="password",
3564 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3565 domain_suffix_match="server.w1.fi")
3566 if dev[0].get_status_field("tls_session_reused") != '0':
3567 raise Exception("Unexpected session resumption on the first connection")
3569 dev[0].request("REAUTHENTICATE")
3570 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3571 and 3574) are not shown in this listing.
3572 raise Exception("EAP success timed out")
3573 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3575 raise Exception("Key handshake with the AP timed out")
3576 if dev[0].get_status_field("tls_session_reused") != '1':
3577 raise Exception("Session resumption not used on the second connection")
3579 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3580 """EAP-TTLS/MSCHAPv2 session resumption"""
# Same resumption flow as test_eap_ttls_pap_session_resumption with
# MSCHAPv2 as the inner method and a domain-prefixed user name. Skipped
# when the build lacks MSCHAPV2.
3581 check_eap_capa(dev[0], "MSCHAPV2")
3582 params = int_eap_server_params()
3583 params['tls_session_lifetime'] = '60'
3584 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3585 check_tls_session_resumption_capa(dev[0], hapd)
# NOTE(review): "\m" is not a recognised escape sequence, so the identity
# holds a literal backslash, but newer Python versions warn about it; a raw
# string or "\\m" would express the same value explicitly.
3586 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3587 anonymous_identity="ttls", password="password",
3588 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3589 domain_suffix_match="server.w1.fi")
3590 if dev[0].get_status_field("tls_session_reused") != '0':
3591 raise Exception("Unexpected session resumption on the first connection")
3593 dev[0].request("REAUTHENTICATE")
3594 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3595 and 3598) are not shown in this listing.
3596 raise Exception("EAP success timed out")
3597 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3599 raise Exception("Key handshake with the AP timed out")
3600 if dev[0].get_status_field("tls_session_reused") != '1':
3601 raise Exception("Session resumption not used on the second connection")
3603 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3604 """EAP-TTLS/EAP-GTC session resumption"""
# Same resumption flow as test_eap_ttls_pap_session_resumption, with a
# tunnelled EAP method (autheap=GTC) instead of a plain phase-2 auth.
3605 params = int_eap_server_params()
3606 params['tls_session_lifetime'] = '60'
3607 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3608 check_tls_session_resumption_capa(dev[0], hapd)
3609 eap_connect(dev[0], apdev[0], "TTLS", "user",
3610 anonymous_identity="ttls", password="password",
3611 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3612 if dev[0].get_status_field("tls_session_reused") != '0':
3613 raise Exception("Unexpected session resumption on the first connection")
3615 dev[0].request("REAUTHENTICATE")
3616 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3617 and 3620) are not shown in this listing.
3618 raise Exception("EAP success timed out")
3619 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3621 raise Exception("Key handshake with the AP timed out")
3622 if dev[0].get_status_field("tls_session_reused") != '1':
3623 raise Exception("Session resumption not used on the second connection")
3625 def test_eap_ttls_no_session_resumption(dev, apdev):
3626 """EAP-TTLS session resumption disabled on server"""
# Negative counterpart of test_eap_ttls_pap_session_resumption: with
# tls_session_lifetime set to '0' the server must not cache sessions, so
# both the first connection and the REAUTHENTICATE must report
# tls_session_reused '0'.
3627 params = int_eap_server_params()
3628 params['tls_session_lifetime'] = '0'
3629 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3630 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3631 anonymous_identity="ttls", password="password",
3632 ca_cert="auth_serv/ca.pem", eap_workaround='0',
# NOTE(review): the final argument line of this eap_connect() call (source
# line 3633) is not shown in this listing.
3634 if dev[0].get_status_field("tls_session_reused") != '0':
3635 raise Exception("Unexpected session resumption on the first connection")
3637 dev[0].request("REAUTHENTICATE")
3638 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3639 and 3642) are not shown in this listing.
3640 raise Exception("EAP success timed out")
3641 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3643 raise Exception("Key handshake with the AP timed out")
3644 if dev[0].get_status_field("tls_session_reused") != '0':
3645 raise Exception("Unexpected session resumption on the second connection")
3647 def test_eap_peap_session_resumption(dev, apdev):
3648 """EAP-PEAP session resumption"""
# PEAP/MSCHAPv2 variant of the resumption check: server session cache
# enabled (tls_session_lifetime '60'), full handshake on the first
# connection, resumed session after REAUTHENTICATE.
3649 params = int_eap_server_params()
3650 params['tls_session_lifetime'] = '60'
3651 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3652 check_tls_session_resumption_capa(dev[0], hapd)
3653 eap_connect(dev[0], apdev[0], "PEAP", "user",
3654 anonymous_identity="peap", password="password",
3655 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3656 if dev[0].get_status_field("tls_session_reused") != '0':
3657 raise Exception("Unexpected session resumption on the first connection")
3659 dev[0].request("REAUTHENTICATE")
3660 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3661 and 3664) are not shown in this listing.
3662 raise Exception("EAP success timed out")
3663 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3665 raise Exception("Key handshake with the AP timed out")
3666 if dev[0].get_status_field("tls_session_reused") != '1':
3667 raise Exception("Session resumption not used on the second connection")
3669 def test_eap_peap_no_session_resumption(dev, apdev):
3670 """EAP-PEAP session resumption disabled on server"""
# tls_session_lifetime is deliberately left unset here: the test pins the
# server default as "no session cache", so both connections must report
# tls_session_reused '0'.
3671 params = int_eap_server_params()
3672 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3673 eap_connect(dev[0], apdev[0], "PEAP", "user",
3674 anonymous_identity="peap", password="password",
3675 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3676 if dev[0].get_status_field("tls_session_reused") != '0':
3677 raise Exception("Unexpected session resumption on the first connection")
3679 dev[0].request("REAUTHENTICATE")
3680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3681 and 3684) are not shown in this listing.
3682 raise Exception("EAP success timed out")
3683 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3685 raise Exception("Key handshake with the AP timed out")
3686 if dev[0].get_status_field("tls_session_reused") != '0':
3687 raise Exception("Unexpected session resumption on the second connection")
3689 def test_eap_tls_session_resumption(dev, apdev):
3690 """EAP-TLS session resumption"""
# EAP-TLS (client certificate) variant of the resumption check. Two
# consecutive REAUTHENTICATE rounds are performed so that resumption is
# verified both from a full handshake and from an already-resumed session.
3691 params = int_eap_server_params()
3692 params['tls_session_lifetime'] = '60'
3693 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3694 check_tls_session_resumption_capa(dev[0], hapd)
3695 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3696 client_cert="auth_serv/user.pem",
3697 private_key="auth_serv/user.key")
3698 if dev[0].get_status_field("tls_session_reused") != '0':
3699 raise Exception("Unexpected session resumption on the first connection")
3701 dev[0].request("REAUTHENTICATE")
3702 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the raises in both
# reauthentication rounds (source lines 3703, 3706, 3713 and 3716) are not
# shown in this listing.
3704 raise Exception("EAP success timed out")
3705 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3707 raise Exception("Key handshake with the AP timed out")
3708 if dev[0].get_status_field("tls_session_reused") != '1':
3709 raise Exception("Session resumption not used on the second connection")
# Second round: a resumed session must itself be resumable.
3711 dev[0].request("REAUTHENTICATE")
3712 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3714 raise Exception("EAP success timed out")
3715 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3717 raise Exception("Key handshake with the AP timed out")
3718 if dev[0].get_status_field("tls_session_reused") != '1':
3719 raise Exception("Session resumption not used on the third connection")
3721 def test_eap_tls_session_resumption_expiration(dev, apdev):
3722 """EAP-TLS session resumption entry expiring after tls_session_lifetime"""
# With a one-unit session lifetime the cached entry should age out before
# the station reauthenticates, so the second handshake must NOT be
# resumed. Because expiry timing is up to OpenSSL, the reauthentication
# is retried (loop lines not shown here) until a non-resumed handshake is
# observed or the attempts run out.
3723 params = int_eap_server_params()
3724 params['tls_session_lifetime'] = '1'
3725 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3726 check_tls_session_resumption_capa(dev[0], hapd)
3727 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3728 client_cert="auth_serv/user.pem",
3729 private_key="auth_serv/user.key")
3730 if dev[0].get_status_field("tls_session_reused") != '0':
3731 raise Exception("Unexpected session resumption on the first connection")
3733 # Allow multiple attempts since OpenSSL may not expire the cached entry
# NOTE(review): the retry loop header and any wait between attempts
# (source lines 3734-3737) are not shown in this listing.
3738 dev[0].request("REAUTHENTICATE")
3739 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3740 and 3743) are not shown in this listing.
3741 raise Exception("EAP success timed out")
3742 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3744 raise Exception("Key handshake with the AP timed out")
# A non-resumed handshake means the entry expired; the loop body that
# follows this condition (line 3746, presumably a break) is not shown.
3745 if dev[0].get_status_field("tls_session_reused") == '0':
# Final verdict after the retries: resumption past the lifetime is a failure.
3747 if dev[0].get_status_field("tls_session_reused") != '0':
3748 raise Exception("Session resumption used after lifetime expiration")
3750 def test_eap_tls_no_session_resumption(dev, apdev):
3751 """EAP-TLS session resumption disabled on server"""
# tls_session_lifetime is left unset so the server default applies; the
# test pins that default as "no resumption" by requiring
# tls_session_reused '0' on both the first and the reauthenticated
# connection.
3752 params = int_eap_server_params()
3753 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3754 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3755 client_cert="auth_serv/user.pem",
3756 private_key="auth_serv/user.key")
3757 if dev[0].get_status_field("tls_session_reused") != '0':
3758 raise Exception("Unexpected session resumption on the first connection")
3760 dev[0].request("REAUTHENTICATE")
3761 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3762 and 3765) are not shown in this listing.
3763 raise Exception("EAP success timed out")
3764 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3766 raise Exception("Key handshake with the AP timed out")
3767 if dev[0].get_status_field("tls_session_reused") != '0':
3768 raise Exception("Unexpected session resumption on the second connection")
3770 def test_eap_tls_session_resumption_radius(dev, apdev):
3771 """EAP-TLS session resumption (RADIUS)"""
# Same resumption check as test_eap_tls_session_resumption, but the EAP
# server runs in a second hostapd instance (apdev[1]) acting as a RADIUS
# authentication server on port 18128, and the AP on apdev[0] forwards to
# it. Session caching is enabled on the RADIUS side (tls_session_lifetime
# '60'), so the resumed-session state must survive the RADIUS hop.
3772 params = { "ssid": "as", "beacon_int": "2000",
3773 "radius_server_clients": "auth_serv/radius_clients.conf",
3774 "radius_server_auth_port": '18128',
# NOTE(review): one dictionary entry (source line 3775) is not shown here.
3776 "eap_user_file": "auth_serv/eap_user.conf",
3777 "ca_cert": "auth_serv/ca.pem",
3778 "server_cert": "auth_serv/server.pem",
3779 "private_key": "auth_serv/server.key",
3780 "tls_session_lifetime": "60" }
3781 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# The OpenSSL capability check is done against the RADIUS server instance,
# since that is where the TLS session cache lives.
3782 check_tls_session_resumption_capa(dev[0], authsrv)
3784 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3785 params['auth_server_port'] = "18128"
3786 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3787 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3788 client_cert="auth_serv/user.pem",
3789 private_key="auth_serv/user.key")
3790 if dev[0].get_status_field("tls_session_reused") != '0':
3791 raise Exception("Unexpected session resumption on the first connection")
3793 dev[0].request("REAUTHENTICATE")
3794 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3795 and 3798) are not shown in this listing.
3796 raise Exception("EAP success timed out")
3797 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3799 raise Exception("Key handshake with the AP timed out")
3800 if dev[0].get_status_field("tls_session_reused") != '1':
3801 raise Exception("Session resumption not used on the second connection")
3803 def test_eap_tls_no_session_resumption_radius(dev, apdev):
3804 """EAP-TLS session resumption disabled (RADIUS)"""
# Negative counterpart of test_eap_tls_session_resumption_radius: the
# RADIUS server instance is configured with tls_session_lifetime "0", so
# neither the first connection nor the reauthentication may report a
# resumed TLS session.
3805 params = { "ssid": "as", "beacon_int": "2000",
3806 "radius_server_clients": "auth_serv/radius_clients.conf",
3807 "radius_server_auth_port": '18128',
# NOTE(review): one dictionary entry (source line 3808) is not shown here.
3809 "eap_user_file": "auth_serv/eap_user.conf",
3810 "ca_cert": "auth_serv/ca.pem",
3811 "server_cert": "auth_serv/server.pem",
3812 "private_key": "auth_serv/server.key",
3813 "tls_session_lifetime": "0" }
3814 hostapd.add_ap(apdev[1]['ifname'], params)
# No OpenSSL capability check here: the test only requires that resumption
# does NOT happen, which holds regardless of the TLS library.
3816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3817 params['auth_server_port'] = "18128"
3818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3819 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3820 client_cert="auth_serv/user.pem",
3821 private_key="auth_serv/user.key")
3822 if dev[0].get_status_field("tls_session_reused") != '0':
3823 raise Exception("Unexpected session resumption on the first connection")
3825 dev[0].request("REAUTHENTICATE")
3826 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# NOTE(review): the "if ev is None:" guards before the two raises below
# (source lines 3827 and 3830) are not shown in this listing.
3828 raise Exception("EAP success timed out")
3829 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3831 raise Exception("Key handshake with the AP timed out")
3832 if dev[0].get_status_field("tls_session_reused") != '0':
3833 raise Exception("Unexpected session resumption on the second connection")