projects / mech_eap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Updated through tag hostap_2_5 from git://w1.fi/hostap.git
[mech_eap.git] / libeap / tests / hwsim / test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
13 logger = logging.getLogger()
14 import os
15
16 import hwsim_utils
17 import hostapd
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
21
22 def check_hlr_auc_gw_support():
23     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
24         raise HwsimSkip("No hlr_auc_gw available")
25
26 def check_eap_capa(dev, method):
27     res = dev.get_capability("eap")
28     if method not in res:
29         raise HwsimSkip("EAP method %s not supported in the build" % method)
30
31 def check_subject_match_support(dev):
32     tls = dev.request("GET tls_library")
33     if not tls.startswith("OpenSSL"):
34         raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
35
36 def check_altsubject_match_support(dev):
37     tls = dev.request("GET tls_library")
38     if not tls.startswith("OpenSSL"):
39         raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
40
41 def check_domain_match_full(dev):
42     tls = dev.request("GET tls_library")
43     if not tls.startswith("OpenSSL"):
44         raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
45
46 def check_cert_probe_support(dev):
47     tls = dev.request("GET tls_library")
48     if not tls.startswith("OpenSSL"):
49         raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
50
51 def check_ocsp_support(dev):
52     tls = dev.request("GET tls_library")
53     if "BoringSSL" in tls:
54         raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
55
56 def read_pem(fname):
57     with open(fname, "r") as f:
58         lines = f.readlines()
59         copy = False
60         cert = ""
61         for l in lines:
62             if "-----END" in l:
63                 break
64             if copy:
65                 cert = cert + l
66             if "-----BEGIN" in l:
67                 copy = True
68     return base64.b64decode(cert)
69
70 def eap_connect(dev, ap, method, identity,
71                 sha256=False, expect_failure=False, local_error_report=False,
72                 maybe_local_error=False, **kwargs):
73     hapd = hostapd.Hostapd(ap['ifname'])
74     id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
75                      eap=method, identity=identity,
76                      wait_connect=False, scan_freq="2412", ieee80211w="1",
77                      **kwargs)
78     eap_check_auth(dev, method, True, sha256=sha256,
79                    expect_failure=expect_failure,
80                    local_error_report=local_error_report,
81                    maybe_local_error=maybe_local_error)
82     if expect_failure:
83         return id
84     ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
85     if ev is None:
86         raise Exception("No connection event received from hostapd")
87     return id
88
89 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
90                    expect_failure=False, local_error_report=False,
91                    maybe_local_error=False):
92     ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
93     if ev is None:
94         raise Exception("Association and EAP start timed out")
95     ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
96                          "CTRL-EVENT-EAP-FAILURE"], timeout=10)
97     if ev is None:
98         raise Exception("EAP method selection timed out")
99     if "CTRL-EVENT-EAP-FAILURE" in ev:
100         if maybe_local_error:
101             return
102         raise Exception("Could not select EAP method")
103     if method not in ev:
104         raise Exception("Unexpected EAP method")
105     if expect_failure:
106         ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
107         if ev is None:
108             raise Exception("EAP failure timed out")
109         ev = dev.wait_disconnected(timeout=10)
110         if maybe_local_error and "locally_generated=1" in ev:
111             return
112         if not local_error_report:
113             if "reason=23" not in ev:
114                 raise Exception("Proper reason code for disconnection not reported")
115         return
116     ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
117     if ev is None:
118         raise Exception("EAP success timed out")
119
120     if initial:
121         ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
122     else:
123         ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
124     if ev is None:
125         raise Exception("Association with the AP timed out")
126     status = dev.get_status()
127     if status["wpa_state"] != "COMPLETED":
128         raise Exception("Connection not completed")
129
130     if status["suppPortStatus"] != "Authorized":
131         raise Exception("Port not authorized")
132     if method not in status["selectedMethod"]:
133         raise Exception("Incorrect EAP method status")
134     if sha256:
135         e = "WPA2-EAP-SHA256"
136     elif rsn:
137         e = "WPA2/IEEE 802.1X/EAP"
138     else:
139         e = "WPA/IEEE 802.1X/EAP"
140     if status["key_mgmt"] != e:
141         raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
142     return status
143
144 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
145     dev.request("REAUTHENTICATE")
146     return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
147                           expect_failure=expect_failure)
148
149 def test_ap_wpa2_eap_sim(dev, apdev):
150     """WPA2-Enterprise connection using EAP-SIM"""
151     check_hlr_auc_gw_support()
152     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
153     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
154     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
155                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156     hwsim_utils.test_connectivity(dev[0], hapd)
157     eap_reauth(dev[0], "SIM")
158
159     eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
160                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
161     eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
162                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
163                 expect_failure=True)
164
165     logger.info("Negative test with incorrect key")
166     dev[0].request("REMOVE_NETWORK all")
167     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
168                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
169                 expect_failure=True)
170
171     logger.info("Invalid GSM-Milenage key")
172     dev[0].request("REMOVE_NETWORK all")
173     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
174                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
175                 expect_failure=True)
176
177     logger.info("Invalid GSM-Milenage key(2)")
178     dev[0].request("REMOVE_NETWORK all")
179     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
180                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
181                 expect_failure=True)
182
183     logger.info("Invalid GSM-Milenage key(3)")
184     dev[0].request("REMOVE_NETWORK all")
185     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
187                 expect_failure=True)
188
189     logger.info("Invalid GSM-Milenage key(4)")
190     dev[0].request("REMOVE_NETWORK all")
191     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
192                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
193                 expect_failure=True)
194
195     logger.info("Missing key configuration")
196     dev[0].request("REMOVE_NETWORK all")
197     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198                 expect_failure=True)
199
200 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
201     """WPA2-Enterprise connection using EAP-SIM (SQL)"""
202     check_hlr_auc_gw_support()
203     try:
204         import sqlite3
205     except ImportError:
206         raise HwsimSkip("No sqlite3 module available")
207     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
208     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
209     params['auth_server_port'] = "1814"
210     hostapd.add_ap(apdev[0]['ifname'], params)
211     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
212                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
213
214     logger.info("SIM fast re-authentication")
215     eap_reauth(dev[0], "SIM")
216
217     logger.info("SIM full auth with pseudonym")
218     with con:
219         cur = con.cursor()
220         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
221     eap_reauth(dev[0], "SIM")
222
223     logger.info("SIM full auth with permanent identity")
224     with con:
225         cur = con.cursor()
226         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
227         cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
228     eap_reauth(dev[0], "SIM")
229
230     logger.info("SIM reauth with mismatching MK")
231     with con:
232         cur = con.cursor()
233         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
234     eap_reauth(dev[0], "SIM", expect_failure=True)
235     dev[0].request("REMOVE_NETWORK all")
236
237     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
238                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
239     with con:
240         cur = con.cursor()
241         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
242     eap_reauth(dev[0], "SIM")
243     with con:
244         cur = con.cursor()
245         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
246     logger.info("SIM reauth with mismatching counter")
247     eap_reauth(dev[0], "SIM")
248     dev[0].request("REMOVE_NETWORK all")
249
250     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
251                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
252     with con:
253         cur = con.cursor()
254         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
255     logger.info("SIM reauth with max reauth count reached")
256     eap_reauth(dev[0], "SIM")
257
258 def test_ap_wpa2_eap_sim_config(dev, apdev):
259     """EAP-SIM configuration options"""
260     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
261     hostapd.add_ap(apdev[0]['ifname'], params)
262     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
263                    identity="1232010000000000",
264                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
265                    phase1="sim_min_num_chal=1",
266                    wait_connect=False, scan_freq="2412")
267     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
268     if ev is None:
269         raise Exception("No EAP error message seen")
270     dev[0].request("REMOVE_NETWORK all")
271
272     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
273                    identity="1232010000000000",
274                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
275                    phase1="sim_min_num_chal=4",
276                    wait_connect=False, scan_freq="2412")
277     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
278     if ev is None:
279         raise Exception("No EAP error message seen (2)")
280     dev[0].request("REMOVE_NETWORK all")
281
282     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
283                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
284                 phase1="sim_min_num_chal=2")
285     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
286                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
287                 anonymous_identity="345678")
288
289 def test_ap_wpa2_eap_sim_ext(dev, apdev):
290     """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
291     try:
292         _test_ap_wpa2_eap_sim_ext(dev, apdev)
293     finally:
294         dev[0].request("SET external_sim 0")
295
296 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
297     check_hlr_auc_gw_support()
298     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
299     hostapd.add_ap(apdev[0]['ifname'], params)
300     dev[0].request("SET external_sim 1")
301     id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
302                         identity="1232010000000000",
303                         wait_connect=False, scan_freq="2412")
304     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
305     if ev is None:
306         raise Exception("Network connected timed out")
307
308     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
309     if ev is None:
310         raise Exception("Wait for external SIM processing request timed out")
311     p = ev.split(':', 2)
312     if p[1] != "GSM-AUTH":
313         raise Exception("Unexpected CTRL-REQ-SIM type")
314     rid = p[0].split('-')[3]
315
316     # IK:CK:RES
317     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
318     # This will fail during processing, but the ctrl_iface command succeeds
319     dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
320     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
321     if ev is None:
322         raise Exception("EAP failure not reported")
323     dev[0].request("DISCONNECT")
324     dev[0].wait_disconnected()
325     time.sleep(0.1)
326
327     dev[0].select_network(id, freq="2412")
328     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
329     if ev is None:
330         raise Exception("Wait for external SIM processing request timed out")
331     p = ev.split(':', 2)
332     if p[1] != "GSM-AUTH":
333         raise Exception("Unexpected CTRL-REQ-SIM type")
334     rid = p[0].split('-')[3]
335     # This will fail during GSM auth validation
336     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
337         raise Exception("CTRL-RSP-SIM failed")
338     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
339     if ev is None:
340         raise Exception("EAP failure not reported")
341     dev[0].request("DISCONNECT")
342     dev[0].wait_disconnected()
343     time.sleep(0.1)
344
345     dev[0].select_network(id, freq="2412")
346     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
347     if ev is None:
348         raise Exception("Wait for external SIM processing request timed out")
349     p = ev.split(':', 2)
350     if p[1] != "GSM-AUTH":
351         raise Exception("Unexpected CTRL-REQ-SIM type")
352     rid = p[0].split('-')[3]
353     # This will fail during GSM auth validation
354     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
355         raise Exception("CTRL-RSP-SIM failed")
356     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357     if ev is None:
358         raise Exception("EAP failure not reported")
359     dev[0].request("DISCONNECT")
360     dev[0].wait_disconnected()
361     time.sleep(0.1)
362
363     dev[0].select_network(id, freq="2412")
364     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365     if ev is None:
366         raise Exception("Wait for external SIM processing request timed out")
367     p = ev.split(':', 2)
368     if p[1] != "GSM-AUTH":
369         raise Exception("Unexpected CTRL-REQ-SIM type")
370     rid = p[0].split('-')[3]
371     # This will fail during GSM auth validation
372     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
373         raise Exception("CTRL-RSP-SIM failed")
374     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375     if ev is None:
376         raise Exception("EAP failure not reported")
377     dev[0].request("DISCONNECT")
378     dev[0].wait_disconnected()
379     time.sleep(0.1)
380
381     dev[0].select_network(id, freq="2412")
382     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383     if ev is None:
384         raise Exception("Wait for external SIM processing request timed out")
385     p = ev.split(':', 2)
386     if p[1] != "GSM-AUTH":
387         raise Exception("Unexpected CTRL-REQ-SIM type")
388     rid = p[0].split('-')[3]
389     # This will fail during GSM auth validation
390     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
391         raise Exception("CTRL-RSP-SIM failed")
392     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393     if ev is None:
394         raise Exception("EAP failure not reported")
395     dev[0].request("DISCONNECT")
396     dev[0].wait_disconnected()
397     time.sleep(0.1)
398
399     dev[0].select_network(id, freq="2412")
400     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401     if ev is None:
402         raise Exception("Wait for external SIM processing request timed out")
403     p = ev.split(':', 2)
404     if p[1] != "GSM-AUTH":
405         raise Exception("Unexpected CTRL-REQ-SIM type")
406     rid = p[0].split('-')[3]
407     # This will fail during GSM auth validation
408     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
409         raise Exception("CTRL-RSP-SIM failed")
410     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411     if ev is None:
412         raise Exception("EAP failure not reported")
413     dev[0].request("DISCONNECT")
414     dev[0].wait_disconnected()
415     time.sleep(0.1)
416
417     dev[0].select_network(id, freq="2412")
418     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419     if ev is None:
420         raise Exception("Wait for external SIM processing request timed out")
421     p = ev.split(':', 2)
422     if p[1] != "GSM-AUTH":
423         raise Exception("Unexpected CTRL-REQ-SIM type")
424     rid = p[0].split('-')[3]
425     # This will fail during GSM auth validation
426     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
427         raise Exception("CTRL-RSP-SIM failed")
428     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429     if ev is None:
430         raise Exception("EAP failure not reported")
431
432 def test_ap_wpa2_eap_sim_oom(dev, apdev):
433     """EAP-SIM and OOM"""
434     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
435     hostapd.add_ap(apdev[0]['ifname'], params)
436     tests = [ (1, "milenage_f2345"),
437               (2, "milenage_f2345"),
438               (3, "milenage_f2345"),
439               (4, "milenage_f2345"),
440               (5, "milenage_f2345"),
441               (6, "milenage_f2345"),
442               (7, "milenage_f2345"),
443               (8, "milenage_f2345"),
444               (9, "milenage_f2345"),
445               (10, "milenage_f2345"),
446               (11, "milenage_f2345"),
447               (12, "milenage_f2345") ]
448     for count, func in tests:
449         with alloc_fail(dev[0], count, func):
450             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
451                            identity="1232010000000000",
452                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
453                            wait_connect=False, scan_freq="2412")
454             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
455             if ev is None:
456                 raise Exception("EAP method not selected")
457             dev[0].wait_disconnected()
458             dev[0].request("REMOVE_NETWORK all")
459
460 def test_ap_wpa2_eap_aka(dev, apdev):
461     """WPA2-Enterprise connection using EAP-AKA"""
462     check_hlr_auc_gw_support()
463     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
464     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
465     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
466                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
467     hwsim_utils.test_connectivity(dev[0], hapd)
468     eap_reauth(dev[0], "AKA")
469
470     logger.info("Negative test with incorrect key")
471     dev[0].request("REMOVE_NETWORK all")
472     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
473                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
474                 expect_failure=True)
475
476     logger.info("Invalid Milenage key")
477     dev[0].request("REMOVE_NETWORK all")
478     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
480                 expect_failure=True)
481
482     logger.info("Invalid Milenage key(2)")
483     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
485                 expect_failure=True)
486
487     logger.info("Invalid Milenage key(3)")
488     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
490                 expect_failure=True)
491
492     logger.info("Invalid Milenage key(4)")
493     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
494                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
495                 expect_failure=True)
496
497     logger.info("Invalid Milenage key(5)")
498     dev[0].request("REMOVE_NETWORK all")
499     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
501                 expect_failure=True)
502
503     logger.info("Invalid Milenage key(6)")
504     dev[0].request("REMOVE_NETWORK all")
505     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
506                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
507                 expect_failure=True)
508
509     logger.info("Missing key configuration")
510     dev[0].request("REMOVE_NETWORK all")
511     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512                 expect_failure=True)
513
514 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
515     """WPA2-Enterprise connection using EAP-AKA (SQL)"""
516     check_hlr_auc_gw_support()
517     try:
518         import sqlite3
519     except ImportError:
520         raise HwsimSkip("No sqlite3 module available")
521     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
522     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
523     params['auth_server_port'] = "1814"
524     hostapd.add_ap(apdev[0]['ifname'], params)
525     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
526                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
527
528     logger.info("AKA fast re-authentication")
529     eap_reauth(dev[0], "AKA")
530
531     logger.info("AKA full auth with pseudonym")
532     with con:
533         cur = con.cursor()
534         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
535     eap_reauth(dev[0], "AKA")
536
537     logger.info("AKA full auth with permanent identity")
538     with con:
539         cur = con.cursor()
540         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
541         cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
542     eap_reauth(dev[0], "AKA")
543
544     logger.info("AKA reauth with mismatching MK")
545     with con:
546         cur = con.cursor()
547         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
548     eap_reauth(dev[0], "AKA", expect_failure=True)
549     dev[0].request("REMOVE_NETWORK all")
550
551     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
552                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
553     with con:
554         cur = con.cursor()
555         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
556     eap_reauth(dev[0], "AKA")
557     with con:
558         cur = con.cursor()
559         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
560     logger.info("AKA reauth with mismatching counter")
561     eap_reauth(dev[0], "AKA")
562     dev[0].request("REMOVE_NETWORK all")
563
564     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
565                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
566     with con:
567         cur = con.cursor()
568         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
569     logger.info("AKA reauth with max reauth count reached")
570     eap_reauth(dev[0], "AKA")
571
572 def test_ap_wpa2_eap_aka_config(dev, apdev):
573     """EAP-AKA configuration options"""
574     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
575     hostapd.add_ap(apdev[0]['ifname'], params)
576     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
577                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
578                 anonymous_identity="2345678")
579
580 def test_ap_wpa2_eap_aka_ext(dev, apdev):
581     """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
582     try:
583         _test_ap_wpa2_eap_aka_ext(dev, apdev)
584     finally:
585         dev[0].request("SET external_sim 0")
586
587 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
588     check_hlr_auc_gw_support()
589     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
590     hostapd.add_ap(apdev[0]['ifname'], params)
591     dev[0].request("SET external_sim 1")
592     id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
593                         identity="0232010000000000",
594                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
595                         wait_connect=False, scan_freq="2412")
596     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
597     if ev is None:
598         raise Exception("Network connected timed out")
599
600     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
601     if ev is None:
602         raise Exception("Wait for external SIM processing request timed out")
603     p = ev.split(':', 2)
604     if p[1] != "UMTS-AUTH":
605         raise Exception("Unexpected CTRL-REQ-SIM type")
606     rid = p[0].split('-')[3]
607
608     # IK:CK:RES
609     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
610     # This will fail during processing, but the ctrl_iface command succeeds
611     dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
612     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
613     if ev is None:
614         raise Exception("EAP failure not reported")
615     dev[0].request("DISCONNECT")
616     dev[0].wait_disconnected()
617     time.sleep(0.1)
618
619     dev[0].select_network(id, freq="2412")
620     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
621     if ev is None:
622         raise Exception("Wait for external SIM processing request timed out")
623     p = ev.split(':', 2)
624     if p[1] != "UMTS-AUTH":
625         raise Exception("Unexpected CTRL-REQ-SIM type")
626     rid = p[0].split('-')[3]
627     # This will fail during UMTS auth validation
628     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
629         raise Exception("CTRL-RSP-SIM failed")
630     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
631     if ev is None:
632         raise Exception("Wait for external SIM processing request timed out")
633     p = ev.split(':', 2)
634     if p[1] != "UMTS-AUTH":
635         raise Exception("Unexpected CTRL-REQ-SIM type")
636     rid = p[0].split('-')[3]
637     # This will fail during UMTS auth validation
638     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
639         raise Exception("CTRL-RSP-SIM failed")
640     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
641     if ev is None:
642         raise Exception("EAP failure not reported")
643     dev[0].request("DISCONNECT")
644     dev[0].wait_disconnected()
645     time.sleep(0.1)
646
647     tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
648               ":UMTS-AUTH:34",
649               ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
650               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
651               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
652               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
653               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
654     for t in tests:
655         dev[0].select_network(id, freq="2412")
656         ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
657         if ev is None:
658             raise Exception("Wait for external SIM processing request timed out")
659         p = ev.split(':', 2)
660         if p[1] != "UMTS-AUTH":
661             raise Exception("Unexpected CTRL-REQ-SIM type")
662         rid = p[0].split('-')[3]
663         # This will fail during UMTS auth validation
664         if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
665             raise Exception("CTRL-RSP-SIM failed")
666         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
667         if ev is None:
668             raise Exception("EAP failure not reported")
669         dev[0].request("DISCONNECT")
670         dev[0].wait_disconnected()
671         time.sleep(0.1)
672
673 def test_ap_wpa2_eap_aka_prime(dev, apdev):
674     """WPA2-Enterprise connection using EAP-AKA'"""
675     check_hlr_auc_gw_support()
676     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
677     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
678     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
680     hwsim_utils.test_connectivity(dev[0], hapd)
681     eap_reauth(dev[0], "AKA'")
682
683     logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
684     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
685                    identity="6555444333222111@both",
686                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
687                    wait_connect=False, scan_freq="2412")
688     dev[1].wait_connected(timeout=15)
689
690     logger.info("Negative test with incorrect key")
691     dev[0].request("REMOVE_NETWORK all")
692     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
693                 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
694                 expect_failure=True)
695
696 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
697     """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
698     check_hlr_auc_gw_support()
699     try:
700         import sqlite3
701     except ImportError:
702         raise HwsimSkip("No sqlite3 module available")
703     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
704     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
705     params['auth_server_port'] = "1814"
706     hostapd.add_ap(apdev[0]['ifname'], params)
707     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
708                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
709
710     logger.info("AKA' fast re-authentication")
711     eap_reauth(dev[0], "AKA'")
712
713     logger.info("AKA' full auth with pseudonym")
714     with con:
715         cur = con.cursor()
716         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
717     eap_reauth(dev[0], "AKA'")
718
719     logger.info("AKA' full auth with permanent identity")
720     with con:
721         cur = con.cursor()
722         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
723         cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
724     eap_reauth(dev[0], "AKA'")
725
726     logger.info("AKA' reauth with mismatching k_aut")
727     with con:
728         cur = con.cursor()
729         cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
730     eap_reauth(dev[0], "AKA'", expect_failure=True)
731     dev[0].request("REMOVE_NETWORK all")
732
733     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
734                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
735     with con:
736         cur = con.cursor()
737         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
738     eap_reauth(dev[0], "AKA'")
739     with con:
740         cur = con.cursor()
741         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
742     logger.info("AKA' reauth with mismatching counter")
743     eap_reauth(dev[0], "AKA'")
744     dev[0].request("REMOVE_NETWORK all")
745
746     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
747                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748     with con:
749         cur = con.cursor()
750         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
751     logger.info("AKA' reauth with max reauth count reached")
752     eap_reauth(dev[0], "AKA'")
753
754 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
755     """WPA2-Enterprise connection using EAP-TTLS/PAP"""
756     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
757     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
758     key_mgmt = hapd.get_config()['key_mgmt']
759     if key_mgmt.split(' ')[0] != "WPA-EAP":
760         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
761     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
762                 anonymous_identity="ttls", password="password",
763                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
764     hwsim_utils.test_connectivity(dev[0], hapd)
765     eap_reauth(dev[0], "TTLS")
766     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
767                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
768
769 def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
770     """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
771     check_subject_match_support(dev[0])
772     check_altsubject_match_support(dev[0])
773     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
774     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
775     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
776                 anonymous_identity="ttls", password="password",
777                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
778                 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
779                 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
780     eap_reauth(dev[0], "TTLS")
781
782 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
783     """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
784     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
785     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
786     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
787                 anonymous_identity="ttls", password="wrong",
788                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
789                 expect_failure=True)
790     eap_connect(dev[1], apdev[0], "TTLS", "user",
791                 anonymous_identity="ttls", password="password",
792                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
793                 expect_failure=True)
794
795 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
796     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
797     skip_with_fips(dev[0])
798     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
799     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
800     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
801                 anonymous_identity="ttls", password="password",
802                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
803     hwsim_utils.test_connectivity(dev[0], hapd)
804     eap_reauth(dev[0], "TTLS")
805
806 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
807     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
808     skip_with_fips(dev[0])
809     check_altsubject_match_support(dev[0])
810     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
811     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
812     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
813                 anonymous_identity="ttls", password="password",
814                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
815                 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
816     eap_reauth(dev[0], "TTLS")
817
818 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
819     """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
820     skip_with_fips(dev[0])
821     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
822     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
823     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
824                 anonymous_identity="ttls", password="wrong",
825                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
826                 expect_failure=True)
827     eap_connect(dev[1], apdev[0], "TTLS", "user",
828                 anonymous_identity="ttls", password="password",
829                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
830                 expect_failure=True)
831
832 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
833     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
834     skip_with_fips(dev[0])
835     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
836     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
837     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
838                 anonymous_identity="ttls", password="password",
839                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
840                 domain_suffix_match="server.w1.fi")
841     hwsim_utils.test_connectivity(dev[0], hapd)
842     eap_reauth(dev[0], "TTLS")
843     dev[0].request("REMOVE_NETWORK all")
844     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
845                 anonymous_identity="ttls", password="password",
846                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
847                 fragment_size="200")
848
849 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
850     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
851     skip_with_fips(dev[0])
852     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
853     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
854     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
855                 anonymous_identity="ttls", password="wrong",
856                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
857                 expect_failure=True)
858     eap_connect(dev[1], apdev[0], "TTLS", "user",
859                 anonymous_identity="ttls", password="password",
860                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
861                 expect_failure=True)
862     eap_connect(dev[2], apdev[0], "TTLS", "no such user",
863                 anonymous_identity="ttls", password="password",
864                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
865                 expect_failure=True)
866
867 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
868     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
869     check_eap_capa(dev[0], "MSCHAPV2")
870     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
871     hostapd.add_ap(apdev[0]['ifname'], params)
872     hapd = hostapd.Hostapd(apdev[0]['ifname'])
873     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
874                 anonymous_identity="ttls", password="password",
875                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
876                 domain_suffix_match="server.w1.fi")
877     hwsim_utils.test_connectivity(dev[0], hapd)
878     sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
879     eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
880     eap_reauth(dev[0], "TTLS")
881     sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
882     eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
883     if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
884         raise Exception("dot1xAuthEapolFramesRx did not increase")
885     if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
886         raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
887     if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
888         raise Exception("backendAuthSuccesses did not increase")
889
890     logger.info("Password as hash value")
891     dev[0].request("REMOVE_NETWORK all")
892     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
893                 anonymous_identity="ttls",
894                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
895                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
896
897 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
898     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
899     check_domain_match_full(dev[0])
900     skip_with_fips(dev[0])
901     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
902     hostapd.add_ap(apdev[0]['ifname'], params)
903     hapd = hostapd.Hostapd(apdev[0]['ifname'])
904     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
905                 anonymous_identity="ttls", password="password",
906                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
907                 domain_suffix_match="w1.fi")
908     hwsim_utils.test_connectivity(dev[0], hapd)
909     eap_reauth(dev[0], "TTLS")
910
911 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
912     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
913     skip_with_fips(dev[0])
914     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
915     hostapd.add_ap(apdev[0]['ifname'], params)
916     hapd = hostapd.Hostapd(apdev[0]['ifname'])
917     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
918                 anonymous_identity="ttls", password="password",
919                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
920                 domain_match="Server.w1.fi")
921     hwsim_utils.test_connectivity(dev[0], hapd)
922     eap_reauth(dev[0], "TTLS")
923
924 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
925     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
926     skip_with_fips(dev[0])
927     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
928     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
929     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
930                 anonymous_identity="ttls", password="password1",
931                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
932                 expect_failure=True)
933     eap_connect(dev[1], apdev[0], "TTLS", "user",
934                 anonymous_identity="ttls", password="password",
935                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
936                 expect_failure=True)
937
938 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
939     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
940     skip_with_fips(dev[0])
941     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
942     hostapd.add_ap(apdev[0]['ifname'], params)
943     hapd = hostapd.Hostapd(apdev[0]['ifname'])
944     eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
945                 anonymous_identity="ttls", password="secret-åäö-€-password",
946                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
947     eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
948                 anonymous_identity="ttls",
949                 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
950                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
951
952 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
953     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
954     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956     eap_connect(dev[0], apdev[0], "TTLS", "user",
957                 anonymous_identity="ttls", password="password",
958                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
959     hwsim_utils.test_connectivity(dev[0], hapd)
960     eap_reauth(dev[0], "TTLS")
961
962 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
963     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
964     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
965     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
966     eap_connect(dev[0], apdev[0], "TTLS", "user",
967                 anonymous_identity="ttls", password="wrong",
968                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
969                 expect_failure=True)
970
971 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
972     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
973     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
974     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
975     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
976                 anonymous_identity="ttls", password="password",
977                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
978                 expect_failure=True)
979
980 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
981     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
982     params = int_eap_server_params()
983     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984     with alloc_fail(hapd, 1, "eap_gtc_init"):
985         eap_connect(dev[0], apdev[0], "TTLS", "user",
986                     anonymous_identity="ttls", password="password",
987                     ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
988                     expect_failure=True)
989         dev[0].request("REMOVE_NETWORK all")
990
991     with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
992         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
993                        eap="TTLS", identity="user",
994                        anonymous_identity="ttls", password="password",
995                        ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
996                        wait_connect=False, scan_freq="2412")
997         # This would eventually time out, but we can stop after having reached
998         # the allocation failure.
999         for i in range(20):
1000             time.sleep(0.1)
1001             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1002                 break
1003
1004 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
1005     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1006     check_eap_capa(dev[0], "MD5")
1007     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1008     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1009     eap_connect(dev[0], apdev[0], "TTLS", "user",
1010                 anonymous_identity="ttls", password="password",
1011                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
1012     hwsim_utils.test_connectivity(dev[0], hapd)
1013     eap_reauth(dev[0], "TTLS")
1014
1015 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
1016     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1017     check_eap_capa(dev[0], "MD5")
1018     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1019     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1020     eap_connect(dev[0], apdev[0], "TTLS", "user",
1021                 anonymous_identity="ttls", password="wrong",
1022                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1023                 expect_failure=True)
1024
1025 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1026     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1027     check_eap_capa(dev[0], "MD5")
1028     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1029     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1030     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1031                 anonymous_identity="ttls", password="password",
1032                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1033                 expect_failure=True)
1034
1035 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1036     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1037     check_eap_capa(dev[0], "MD5")
1038     params = int_eap_server_params()
1039     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1040     with alloc_fail(hapd, 1, "eap_md5_init"):
1041         eap_connect(dev[0], apdev[0], "TTLS", "user",
1042                     anonymous_identity="ttls", password="password",
1043                     ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1044                     expect_failure=True)
1045         dev[0].request("REMOVE_NETWORK all")
1046
1047     with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1048         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1049                        eap="TTLS", identity="user",
1050                        anonymous_identity="ttls", password="password",
1051                        ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1052                        wait_connect=False, scan_freq="2412")
1053         # This would eventually time out, but we can stop after having reached
1054         # the allocation failure.
1055         for i in range(20):
1056             time.sleep(0.1)
1057             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1058                 break
1059
1060 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1061     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1062     check_eap_capa(dev[0], "MSCHAPV2")
1063     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1064     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1065     eap_connect(dev[0], apdev[0], "TTLS", "user",
1066                 anonymous_identity="ttls", password="password",
1067                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
1068     hwsim_utils.test_connectivity(dev[0], hapd)
1069     eap_reauth(dev[0], "TTLS")
1070
1071     logger.info("Negative test with incorrect password")
1072     dev[0].request("REMOVE_NETWORK all")
1073     eap_connect(dev[0], apdev[0], "TTLS", "user",
1074                 anonymous_identity="ttls", password="password1",
1075                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1076                 expect_failure=True)
1077
1078 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1079     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1080     check_eap_capa(dev[0], "MSCHAPV2")
1081     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1082     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1083     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1084                 anonymous_identity="ttls", password="password",
1085                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1086                 expect_failure=True)
1087
1088 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1089     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1090     check_eap_capa(dev[0], "MSCHAPV2")
1091     params = int_eap_server_params()
1092     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1093     with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1094         eap_connect(dev[0], apdev[0], "TTLS", "user",
1095                     anonymous_identity="ttls", password="password",
1096                     ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1097                     expect_failure=True)
1098         dev[0].request("REMOVE_NETWORK all")
1099
1100     with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1101         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1102                        eap="TTLS", identity="user",
1103                        anonymous_identity="ttls", password="password",
1104                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1105                        wait_connect=False, scan_freq="2412")
1106         # This would eventually time out, but we can stop after having reached
1107         # the allocation failure.
1108         for i in range(20):
1109             time.sleep(0.1)
1110             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1111                 break
1112         dev[0].request("REMOVE_NETWORK all")
1113
1114     with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1115         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1116                        eap="TTLS", identity="user",
1117                        anonymous_identity="ttls", password="password",
1118                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1119                        wait_connect=False, scan_freq="2412")
1120         # This would eventually time out, but we can stop after having reached
1121         # the allocation failure.
1122         for i in range(20):
1123             time.sleep(0.1)
1124             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1125                 break
1126         dev[0].request("REMOVE_NETWORK all")
1127
1128     with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1129         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1130                        eap="TTLS", identity="user",
1131                        anonymous_identity="ttls", password="wrong",
1132                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1133                        wait_connect=False, scan_freq="2412")
1134         # This would eventually time out, but we can stop after having reached
1135         # the allocation failure.
1136         for i in range(20):
1137             time.sleep(0.1)
1138             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1139                 break
1140         dev[0].request("REMOVE_NETWORK all")
1141
1142 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1143     """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1144     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1145     hostapd.add_ap(apdev[0]['ifname'], params)
1146     eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
1147                 anonymous_identity="0232010000000000@ttls",
1148                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1149                 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1150
1151 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1152     """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1153     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1154     hostapd.add_ap(apdev[0]['ifname'], params)
1155     eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
1156                 anonymous_identity="0232010000000000@peap",
1157                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1158                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1159
1160 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1161     """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1162     check_eap_capa(dev[0], "FAST")
1163     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1164     hostapd.add_ap(apdev[0]['ifname'], params)
1165     eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
1166                 anonymous_identity="0232010000000000@fast",
1167                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1168                 phase1="fast_provisioning=2",
1169                 pac_file="blob://fast_pac_auth_aka",
1170                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1171
1172 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1173     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1174     check_eap_capa(dev[0], "MSCHAPV2")
1175     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1176     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1177     eap_connect(dev[0], apdev[0], "PEAP", "user",
1178                 anonymous_identity="peap", password="password",
1179                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1180     hwsim_utils.test_connectivity(dev[0], hapd)
1181     eap_reauth(dev[0], "PEAP")
1182     dev[0].request("REMOVE_NETWORK all")
1183     eap_connect(dev[0], apdev[0], "PEAP", "user",
1184                 anonymous_identity="peap", password="password",
1185                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1186                 fragment_size="200")
1187
1188     logger.info("Password as hash value")
1189     dev[0].request("REMOVE_NETWORK all")
1190     eap_connect(dev[0], apdev[0], "PEAP", "user",
1191                 anonymous_identity="peap",
1192                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1193                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1194
1195     logger.info("Negative test with incorrect password")
1196     dev[0].request("REMOVE_NETWORK all")
1197     eap_connect(dev[0], apdev[0], "PEAP", "user",
1198                 anonymous_identity="peap", password="password1",
1199                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1200                 expect_failure=True)
1201
1202 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1203     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1204     check_eap_capa(dev[0], "MSCHAPV2")
1205     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1206     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1207     eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
1208                 anonymous_identity="peap", password="password",
1209                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1210     hwsim_utils.test_connectivity(dev[0], hapd)
1211     eap_reauth(dev[0], "PEAP")
1212
1213 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1214     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1215     check_eap_capa(dev[0], "MSCHAPV2")
1216     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1217     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1218     eap_connect(dev[0], apdev[0], "PEAP", "user",
1219                 anonymous_identity="peap", password="wrong",
1220                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1221                 expect_failure=True)
1222
1223 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1224     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1225     check_eap_capa(dev[0], "MSCHAPV2")
1226     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1227     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1228     eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1229                 ca_cert="auth_serv/ca.pem",
1230                 phase1="peapver=0 crypto_binding=2",
1231                 phase2="auth=MSCHAPV2")
1232     hwsim_utils.test_connectivity(dev[0], hapd)
1233     eap_reauth(dev[0], "PEAP")
1234
1235     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1236                 ca_cert="auth_serv/ca.pem",
1237                 phase1="peapver=0 crypto_binding=1",
1238                 phase2="auth=MSCHAPV2")
1239     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1240                 ca_cert="auth_serv/ca.pem",
1241                 phase1="peapver=0 crypto_binding=0",
1242                 phase2="auth=MSCHAPV2")
1243
1244 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1245     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1246     check_eap_capa(dev[0], "MSCHAPV2")
1247     params = int_eap_server_params()
1248     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1249     with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
1250         eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1251                     ca_cert="auth_serv/ca.pem",
1252                     phase1="peapver=0 crypto_binding=2",
1253                     phase2="auth=MSCHAPV2",
1254                     expect_failure=True, local_error_report=True)
1255
1256 def test_ap_wpa2_eap_peap_params(dev, apdev):
1257     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1258     check_eap_capa(dev[0], "MSCHAPV2")
1259     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1260     hostapd.add_ap(apdev[0]['ifname'], params)
1261     eap_connect(dev[0], apdev[0], "PEAP", "user",
1262                 anonymous_identity="peap", password="password",
1263                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1264                 phase1="peapver=0 peaplabel=1",
1265                 expect_failure=True)
1266     dev[0].request("REMOVE_NETWORK all")
1267     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1268                 ca_cert="auth_serv/ca.pem",
1269                 phase1="peap_outer_success=1",
1270                 phase2="auth=MSCHAPV2")
1271     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1272                 ca_cert="auth_serv/ca.pem",
1273                 phase1="peap_outer_success=2",
1274                 phase2="auth=MSCHAPV2")
1275     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1276                    identity="user",
1277                    anonymous_identity="peap", password="password",
1278                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1279                    phase1="peapver=1 peaplabel=1",
1280                    wait_connect=False, scan_freq="2412")
1281     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1282     if ev is None:
1283         raise Exception("No EAP success seen")
1284     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1285     if ev is not None:
1286         raise Exception("Unexpected connection")
1287
1288 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
1289     """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1290     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291     hostapd.add_ap(apdev[0]['ifname'], params)
1292     eap_connect(dev[0], apdev[0], "PEAP", "cert user",
1293                 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
1294                 ca_cert2="auth_serv/ca.pem",
1295                 client_cert2="auth_serv/user.pem",
1296                 private_key2="auth_serv/user.key")
1297     eap_reauth(dev[0], "PEAP")
1298
1299 def test_ap_wpa2_eap_tls(dev, apdev):
1300     """WPA2-Enterprise connection using EAP-TLS"""
1301     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1302     hostapd.add_ap(apdev[0]['ifname'], params)
1303     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1304                 client_cert="auth_serv/user.pem",
1305                 private_key="auth_serv/user.key")
1306     eap_reauth(dev[0], "TLS")
1307
1308 def test_ap_wpa2_eap_tls_blob(dev, apdev):
1309     """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1310     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1311     hostapd.add_ap(apdev[0]['ifname'], params)
1312     cert = read_pem("auth_serv/ca.pem")
1313     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1314         raise Exception("Could not set cacert blob")
1315     cert = read_pem("auth_serv/user.pem")
1316     if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
1317         raise Exception("Could not set usercert blob")
1318     key = read_pem("auth_serv/user.rsa-key")
1319     if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
1320         raise Exception("Could not set cacert blob")
1321     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1322                 client_cert="blob://usercert",
1323                 private_key="blob://userkey")
1324
1325 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1326     """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1327     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1328     hostapd.add_ap(apdev[0]['ifname'], params)
1329     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1330                 private_key="auth_serv/user.pkcs12",
1331                 private_key_passwd="whatever")
1332     dev[0].request("REMOVE_NETWORK all")
1333     dev[0].wait_disconnected()
1334
1335     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1336                    identity="tls user",
1337                    ca_cert="auth_serv/ca.pem",
1338                    private_key="auth_serv/user.pkcs12",
1339                    wait_connect=False, scan_freq="2412")
1340     ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1341     if ev is None:
1342         raise Exception("Request for private key passphrase timed out")
1343     id = ev.split(':')[0].split('-')[-1]
1344     dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1345     dev[0].wait_connected(timeout=10)
1346     dev[0].request("REMOVE_NETWORK all")
1347     dev[0].wait_disconnected()
1348
1349     # Run this twice to verify certificate chain handling with OpenSSL. Use two
1350     # different files to cover both cases of the extra certificate being the
1351     # one that signed the client certificate and it being unrelated to the
1352     # client certificate.
1353     for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1354         for i in range(2):
1355             eap_connect(dev[0], apdev[0], "TLS", "tls user",
1356                         ca_cert="auth_serv/ca.pem",
1357                         private_key=pkcs12,
1358                         private_key_passwd="whatever")
1359             dev[0].request("REMOVE_NETWORK all")
1360             dev[0].wait_disconnected()
1361
1362 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
1363     """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1364     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1365     hostapd.add_ap(apdev[0]['ifname'], params)
1366     cert = read_pem("auth_serv/ca.pem")
1367     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1368         raise Exception("Could not set cacert blob")
1369     with open("auth_serv/user.pkcs12", "rb") as f:
1370         if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
1371             raise Exception("Could not set pkcs12 blob")
1372     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1373                 private_key="blob://pkcs12",
1374                 private_key_passwd="whatever")
1375
1376 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1377     """WPA2-Enterprise negative test - incorrect trust root"""
1378     check_eap_capa(dev[0], "MSCHAPV2")
1379     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1380     hostapd.add_ap(apdev[0]['ifname'], params)
1381     cert = read_pem("auth_serv/ca-incorrect.pem")
1382     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1383         raise Exception("Could not set cacert blob")
1384     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386                    password="password", phase2="auth=MSCHAPV2",
1387                    ca_cert="blob://cacert",
1388                    wait_connect=False, scan_freq="2412")
1389     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1390                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1391                    password="password", phase2="auth=MSCHAPV2",
1392                    ca_cert="auth_serv/ca-incorrect.pem",
1393                    wait_connect=False, scan_freq="2412")
1394
1395     for dev in (dev[0], dev[1]):
1396         ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1397         if ev is None:
1398             raise Exception("Association and EAP start timed out")
1399
1400         ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1401         if ev is None:
1402             raise Exception("EAP method selection timed out")
1403         if "TTLS" not in ev:
1404             raise Exception("Unexpected EAP method")
1405
1406         ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1407                              "CTRL-EVENT-EAP-SUCCESS",
1408                              "CTRL-EVENT-EAP-FAILURE",
1409                              "CTRL-EVENT-CONNECTED",
1410                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1411         if ev is None:
1412             raise Exception("EAP result timed out")
1413         if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1414             raise Exception("TLS certificate error not reported")
1415
1416         ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1417                              "CTRL-EVENT-EAP-FAILURE",
1418                              "CTRL-EVENT-CONNECTED",
1419                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1420         if ev is None:
1421             raise Exception("EAP result(2) timed out")
1422         if "CTRL-EVENT-EAP-FAILURE" not in ev:
1423             raise Exception("EAP failure not reported")
1424
1425         ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1426                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1427         if ev is None:
1428             raise Exception("EAP result(3) timed out")
1429         if "CTRL-EVENT-DISCONNECTED" not in ev:
1430             raise Exception("Disconnection not reported")
1431
1432         ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1433         if ev is None:
1434             raise Exception("Network block disabling not reported")
1435
1436 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1437     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1438     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1439     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1440     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441                    identity="pap user", anonymous_identity="ttls",
1442                    password="password", phase2="auth=PAP",
1443                    ca_cert="auth_serv/ca.pem",
1444                    wait_connect=True, scan_freq="2412")
1445     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1446                         identity="pap user", anonymous_identity="ttls",
1447                         password="password", phase2="auth=PAP",
1448                         ca_cert="auth_serv/ca-incorrect.pem",
1449                         only_add_network=True, scan_freq="2412")
1450
1451     dev[0].request("DISCONNECT")
1452     dev[0].wait_disconnected()
1453     dev[0].dump_monitor()
1454     dev[0].select_network(id, freq="2412")
1455
1456     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1457     if ev is None:
1458         raise Exception("EAP-TTLS not re-started")
1459     
1460     ev = dev[0].wait_disconnected(timeout=15)
1461     if "reason=23" not in ev:
1462         raise Exception("Proper reason code for disconnection not reported")
1463
1464 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1465     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1466     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1467     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1468     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1469                    identity="pap user", anonymous_identity="ttls",
1470                    password="password", phase2="auth=PAP",
1471                    wait_connect=True, scan_freq="2412")
1472     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1473                         identity="pap user", anonymous_identity="ttls",
1474                         password="password", phase2="auth=PAP",
1475                         ca_cert="auth_serv/ca-incorrect.pem",
1476                         only_add_network=True, scan_freq="2412")
1477
1478     dev[0].request("DISCONNECT")
1479     dev[0].wait_disconnected()
1480     dev[0].dump_monitor()
1481     dev[0].select_network(id, freq="2412")
1482
1483     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1484     if ev is None:
1485         raise Exception("EAP-TTLS not re-started")
1486     
1487     ev = dev[0].wait_disconnected(timeout=15)
1488     if "reason=23" not in ev:
1489         raise Exception("Proper reason code for disconnection not reported")
1490
1491 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1492     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1493     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1494     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1495     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1496                         identity="pap user", anonymous_identity="ttls",
1497                         password="password", phase2="auth=PAP",
1498                         ca_cert="auth_serv/ca.pem",
1499                         wait_connect=True, scan_freq="2412")
1500     dev[0].request("DISCONNECT")
1501     dev[0].wait_disconnected()
1502     dev[0].dump_monitor()
1503     dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1504     dev[0].select_network(id, freq="2412")
1505
1506     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1507     if ev is None:
1508         raise Exception("EAP-TTLS not re-started")
1509     
1510     ev = dev[0].wait_disconnected(timeout=15)
1511     if "reason=23" not in ev:
1512         raise Exception("Proper reason code for disconnection not reported")
1513
1514 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1515     """WPA2-Enterprise negative test - domain suffix mismatch"""
1516     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1517     hostapd.add_ap(apdev[0]['ifname'], params)
1518     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1519                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1520                    password="password", phase2="auth=MSCHAPV2",
1521                    ca_cert="auth_serv/ca.pem",
1522                    domain_suffix_match="incorrect.example.com",
1523                    wait_connect=False, scan_freq="2412")
1524
1525     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1526     if ev is None:
1527         raise Exception("Association and EAP start timed out")
1528
1529     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1530     if ev is None:
1531         raise Exception("EAP method selection timed out")
1532     if "TTLS" not in ev:
1533         raise Exception("Unexpected EAP method")
1534
1535     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1536                             "CTRL-EVENT-EAP-SUCCESS",
1537                             "CTRL-EVENT-EAP-FAILURE",
1538                             "CTRL-EVENT-CONNECTED",
1539                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1540     if ev is None:
1541         raise Exception("EAP result timed out")
1542     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1543         raise Exception("TLS certificate error not reported")
1544     if "Domain suffix mismatch" not in ev:
1545         raise Exception("Domain suffix mismatch not reported")
1546
1547     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1548                             "CTRL-EVENT-EAP-FAILURE",
1549                             "CTRL-EVENT-CONNECTED",
1550                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1551     if ev is None:
1552         raise Exception("EAP result(2) timed out")
1553     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1554         raise Exception("EAP failure not reported")
1555
1556     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1557                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1558     if ev is None:
1559         raise Exception("EAP result(3) timed out")
1560     if "CTRL-EVENT-DISCONNECTED" not in ev:
1561         raise Exception("Disconnection not reported")
1562
1563     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1564     if ev is None:
1565         raise Exception("Network block disabling not reported")
1566
1567 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1568     """WPA2-Enterprise negative test - domain mismatch"""
1569     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1570     hostapd.add_ap(apdev[0]['ifname'], params)
1571     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1572                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1573                    password="password", phase2="auth=MSCHAPV2",
1574                    ca_cert="auth_serv/ca.pem",
1575                    domain_match="w1.fi",
1576                    wait_connect=False, scan_freq="2412")
1577
1578     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1579     if ev is None:
1580         raise Exception("Association and EAP start timed out")
1581
1582     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1583     if ev is None:
1584         raise Exception("EAP method selection timed out")
1585     if "TTLS" not in ev:
1586         raise Exception("Unexpected EAP method")
1587
1588     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1589                             "CTRL-EVENT-EAP-SUCCESS",
1590                             "CTRL-EVENT-EAP-FAILURE",
1591                             "CTRL-EVENT-CONNECTED",
1592                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1593     if ev is None:
1594         raise Exception("EAP result timed out")
1595     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1596         raise Exception("TLS certificate error not reported")
1597     if "Domain mismatch" not in ev:
1598         raise Exception("Domain mismatch not reported")
1599
1600     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1601                             "CTRL-EVENT-EAP-FAILURE",
1602                             "CTRL-EVENT-CONNECTED",
1603                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1604     if ev is None:
1605         raise Exception("EAP result(2) timed out")
1606     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1607         raise Exception("EAP failure not reported")
1608
1609     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1610                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1611     if ev is None:
1612         raise Exception("EAP result(3) timed out")
1613     if "CTRL-EVENT-DISCONNECTED" not in ev:
1614         raise Exception("Disconnection not reported")
1615
1616     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1617     if ev is None:
1618         raise Exception("Network block disabling not reported")
1619
1620 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1621     """WPA2-Enterprise negative test - subject mismatch"""
1622     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1623     hostapd.add_ap(apdev[0]['ifname'], params)
1624     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1625                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1626                    password="password", phase2="auth=MSCHAPV2",
1627                    ca_cert="auth_serv/ca.pem",
1628                    subject_match="/C=FI/O=w1.fi/CN=example.com",
1629                    wait_connect=False, scan_freq="2412")
1630
1631     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1632     if ev is None:
1633         raise Exception("Association and EAP start timed out")
1634
1635     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1636                             "EAP: Failed to initialize EAP method"], timeout=10)
1637     if ev is None:
1638         raise Exception("EAP method selection timed out")
1639     if "EAP: Failed to initialize EAP method" in ev:
1640         tls = dev[0].request("GET tls_library")
1641         if tls.startswith("OpenSSL"):
1642             raise Exception("Failed to select EAP method")
1643         logger.info("subject_match not supported - connection failed, so test succeeded")
1644         return
1645     if "TTLS" not in ev:
1646         raise Exception("Unexpected EAP method")
1647
1648     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1649                             "CTRL-EVENT-EAP-SUCCESS",
1650                             "CTRL-EVENT-EAP-FAILURE",
1651                             "CTRL-EVENT-CONNECTED",
1652                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1653     if ev is None:
1654         raise Exception("EAP result timed out")
1655     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1656         raise Exception("TLS certificate error not reported")
1657     if "Subject mismatch" not in ev:
1658         raise Exception("Subject mismatch not reported")
1659
1660     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1661                             "CTRL-EVENT-EAP-FAILURE",
1662                             "CTRL-EVENT-CONNECTED",
1663                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1664     if ev is None:
1665         raise Exception("EAP result(2) timed out")
1666     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1667         raise Exception("EAP failure not reported")
1668
1669     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1670                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1671     if ev is None:
1672         raise Exception("EAP result(3) timed out")
1673     if "CTRL-EVENT-DISCONNECTED" not in ev:
1674         raise Exception("Disconnection not reported")
1675
1676     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1677     if ev is None:
1678         raise Exception("Network block disabling not reported")
1679
1680 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1681     """WPA2-Enterprise negative test - altsubject mismatch"""
1682     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1683     hostapd.add_ap(apdev[0]['ifname'], params)
1684
1685     tests = [ "incorrect.example.com",
1686               "DNS:incorrect.example.com",
1687               "DNS:w1.fi",
1688               "DNS:erver.w1.fi" ]
1689     for match in tests:
1690         _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1691
1692 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1693     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1694                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1695                    password="password", phase2="auth=MSCHAPV2",
1696                    ca_cert="auth_serv/ca.pem",
1697                    altsubject_match=match,
1698                    wait_connect=False, scan_freq="2412")
1699
1700     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1701     if ev is None:
1702         raise Exception("Association and EAP start timed out")
1703
1704     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1705                             "EAP: Failed to initialize EAP method"], timeout=10)
1706     if ev is None:
1707         raise Exception("EAP method selection timed out")
1708     if "EAP: Failed to initialize EAP method" in ev:
1709         tls = dev[0].request("GET tls_library")
1710         if tls.startswith("OpenSSL"):
1711             raise Exception("Failed to select EAP method")
1712         logger.info("altsubject_match not supported - connection failed, so test succeeded")
1713         return
1714     if "TTLS" not in ev:
1715         raise Exception("Unexpected EAP method")
1716
1717     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1718                             "CTRL-EVENT-EAP-SUCCESS",
1719                             "CTRL-EVENT-EAP-FAILURE",
1720                             "CTRL-EVENT-CONNECTED",
1721                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1722     if ev is None:
1723         raise Exception("EAP result timed out")
1724     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1725         raise Exception("TLS certificate error not reported")
1726     if "AltSubject mismatch" not in ev:
1727         raise Exception("altsubject mismatch not reported")
1728
1729     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1730                             "CTRL-EVENT-EAP-FAILURE",
1731                             "CTRL-EVENT-CONNECTED",
1732                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1733     if ev is None:
1734         raise Exception("EAP result(2) timed out")
1735     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1736         raise Exception("EAP failure not reported")
1737
1738     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1739                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1740     if ev is None:
1741         raise Exception("EAP result(3) timed out")
1742     if "CTRL-EVENT-DISCONNECTED" not in ev:
1743         raise Exception("Disconnection not reported")
1744
1745     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1746     if ev is None:
1747         raise Exception("Network block disabling not reported")
1748
1749     dev[0].request("REMOVE_NETWORK all")
1750
1751 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1752     """WPA2-Enterprise connection using UNAUTH-TLS"""
1753     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1754     hostapd.add_ap(apdev[0]['ifname'], params)
1755     eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1756                 ca_cert="auth_serv/ca.pem")
1757     eap_reauth(dev[0], "UNAUTH-TLS")
1758
1759 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1760     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1761     check_cert_probe_support(dev[0])
1762     skip_with_fips(dev[0])
1763     srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1764     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1765     hostapd.add_ap(apdev[0]['ifname'], params)
1766     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1767                    identity="probe", ca_cert="probe://",
1768                    wait_connect=False, scan_freq="2412")
1769     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1770     if ev is None:
1771         raise Exception("Association and EAP start timed out")
1772     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1773     if ev is None:
1774         raise Exception("No peer server certificate event seen")
1775     if "hash=" + srv_cert_hash not in ev:
1776         raise Exception("Expected server certificate hash not reported")
1777     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1778     if ev is None:
1779         raise Exception("EAP result timed out")
1780     if "Server certificate chain probe" not in ev:
1781         raise Exception("Server certificate probe not reported")
1782     dev[0].wait_disconnected(timeout=10)
1783     dev[0].request("REMOVE_NETWORK all")
1784
1785     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1786                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1787                    password="password", phase2="auth=MSCHAPV2",
1788                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1789                    wait_connect=False, scan_freq="2412")
1790     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1791     if ev is None:
1792         raise Exception("Association and EAP start timed out")
1793     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1794     if ev is None:
1795         raise Exception("EAP result timed out")
1796     if "Server certificate mismatch" not in ev:
1797         raise Exception("Server certificate mismatch not reported")
1798     dev[0].wait_disconnected(timeout=10)
1799     dev[0].request("REMOVE_NETWORK all")
1800
1801     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1802                 anonymous_identity="ttls", password="password",
1803                 ca_cert="hash://server/sha256/" + srv_cert_hash,
1804                 phase2="auth=MSCHAPV2")
1805
1806 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1807     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1808     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1809     hostapd.add_ap(apdev[0]['ifname'], params)
1810     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1811                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1812                    password="password", phase2="auth=MSCHAPV2",
1813                    ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1814                    wait_connect=False, scan_freq="2412")
1815     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1816                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1817                    password="password", phase2="auth=MSCHAPV2",
1818                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1819                    wait_connect=False, scan_freq="2412")
1820     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1821                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1822                    password="password", phase2="auth=MSCHAPV2",
1823                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1824                    wait_connect=False, scan_freq="2412")
1825     for i in range(0, 3):
1826         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1827         if ev is None:
1828             raise Exception("Association and EAP start timed out")
1829         ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1830         if ev is None:
1831             raise Exception("Did not report EAP method initialization failure")
1832
1833 def test_ap_wpa2_eap_pwd(dev, apdev):
1834     """WPA2-Enterprise connection using EAP-pwd"""
1835     check_eap_capa(dev[0], "PWD")
1836     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1837     hostapd.add_ap(apdev[0]['ifname'], params)
1838     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1839     eap_reauth(dev[0], "PWD")
1840     dev[0].request("REMOVE_NETWORK all")
1841
1842     eap_connect(dev[1], apdev[0], "PWD",
1843                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1844                 password="secret password",
1845                 fragment_size="90")
1846
1847     logger.info("Negative test with incorrect password")
1848     eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1849                 expect_failure=True, local_error_report=True)
1850
1851     eap_connect(dev[0], apdev[0], "PWD",
1852                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1853                 password="secret password",
1854                 fragment_size="31")
1855
1856 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
1857     """WPA2-Enterprise connection using EAP-pwd and NTHash"""
1858     check_eap_capa(dev[0], "PWD")
1859     skip_with_fips(dev[0])
1860     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1861     hostapd.add_ap(apdev[0]['ifname'], params)
1862     eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
1863     eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
1864                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
1865     eap_connect(dev[2], apdev[0], "PWD", "pwd user",
1866                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
1867                 expect_failure=True, local_error_report=True)
1868
1869 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1870     """WPA2-Enterprise connection using various EAP-pwd groups"""
1871     check_eap_capa(dev[0], "PWD")
1872     tls = dev[0].request("GET tls_library")
1873     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1874                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1875                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1876     for i in [ 19, 20, 21, 25, 26 ]:
1877         params['pwd_group'] = str(i)
1878         hostapd.add_ap(apdev[0]['ifname'], params)
1879         dev[0].request("REMOVE_NETWORK all")
1880         try:
1881             eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1882                         password="secret password")
1883         except:
1884             if "BoringSSL" in tls and i in [ 25 ]:
1885                 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
1886                 dev[0].request("DISCONNECT")
1887                 time.sleep(0.1)
1888                 continue
1889             raise
1890
1891 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1892     """WPA2-Enterprise connection using invalid EAP-pwd group"""
1893     check_eap_capa(dev[0], "PWD")
1894     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1895                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1896                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1897     params['pwd_group'] = "0"
1898     hostapd.add_ap(apdev[0]['ifname'], params)
1899     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1900                    identity="pwd user", password="secret password",
1901                    scan_freq="2412", wait_connect=False)
1902     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1903     if ev is None:
1904         raise Exception("Timeout on EAP failure report")
1905
1906 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1907     """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1908     check_eap_capa(dev[0], "PWD")
1909     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1910     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1911                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1912                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1913                "pwd_group": "19", "fragment_size": "40" }
1914     hostapd.add_ap(apdev[0]['ifname'], params)
1915     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1916
1917 def test_ap_wpa2_eap_gpsk(dev, apdev):
1918     """WPA2-Enterprise connection using EAP-GPSK"""
1919     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1920     hostapd.add_ap(apdev[0]['ifname'], params)
1921     id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1922                      password="abcdefghijklmnop0123456789abcdef")
1923     eap_reauth(dev[0], "GPSK")
1924
1925     logger.info("Test forced algorithm selection")
1926     for phase1 in [ "cipher=1", "cipher=2" ]:
1927         dev[0].set_network_quoted(id, "phase1", phase1)
1928         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1929         if ev is None:
1930             raise Exception("EAP success timed out")
1931         dev[0].wait_connected(timeout=10)
1932
1933     logger.info("Test failed algorithm negotiation")
1934     dev[0].set_network_quoted(id, "phase1", "cipher=9")
1935     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1936     if ev is None:
1937         raise Exception("EAP failure timed out")
1938
1939     logger.info("Negative test with incorrect password")
1940     dev[0].request("REMOVE_NETWORK all")
1941     eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1942                 password="ffcdefghijklmnop0123456789abcdef",
1943                 expect_failure=True)
1944
1945 def test_ap_wpa2_eap_sake(dev, apdev):
1946     """WPA2-Enterprise connection using EAP-SAKE"""
1947     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1948     hostapd.add_ap(apdev[0]['ifname'], params)
1949     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1950                 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
1951     eap_reauth(dev[0], "SAKE")
1952
1953     logger.info("Negative test with incorrect password")
1954     dev[0].request("REMOVE_NETWORK all")
1955     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1956                 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1957                 expect_failure=True)
1958
1959 def test_ap_wpa2_eap_eke(dev, apdev):
1960     """WPA2-Enterprise connection using EAP-EKE"""
1961     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1962     hostapd.add_ap(apdev[0]['ifname'], params)
1963     id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1964     eap_reauth(dev[0], "EKE")
1965
1966     logger.info("Test forced algorithm selection")
1967     for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1968                     "dhgroup=4 encr=1 prf=2 mac=2",
1969                     "dhgroup=3 encr=1 prf=2 mac=2",
1970                     "dhgroup=3 encr=1 prf=1 mac=1" ]:
1971         dev[0].set_network_quoted(id, "phase1", phase1)
1972         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1973         if ev is None:
1974             raise Exception("EAP success timed out")
1975         dev[0].wait_connected(timeout=10)
1976
1977     logger.info("Test failed algorithm negotiation")
1978     dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1979     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1980     if ev is None:
1981         raise Exception("EAP failure timed out")
1982
1983     logger.info("Negative test with incorrect password")
1984     dev[0].request("REMOVE_NETWORK all")
1985     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1986                 expect_failure=True)
1987
1988 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
1989     """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
1990     params = int_eap_server_params()
1991     params['server_id'] = 'example.server@w1.fi'
1992     hostapd.add_ap(apdev[0]['ifname'], params)
1993     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1994
1995 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1996     """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1997     params = int_eap_server_params()
1998     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1999     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2000
2001     for count,func in [ (1, "eap_eke_build_commit"),
2002                         (2, "eap_eke_build_commit"),
2003                         (3, "eap_eke_build_commit"),
2004                         (1, "eap_eke_build_confirm"),
2005                         (2, "eap_eke_build_confirm"),
2006                         (1, "eap_eke_process_commit"),
2007                         (2, "eap_eke_process_commit"),
2008                         (1, "eap_eke_process_confirm"),
2009                         (1, "eap_eke_process_identity"),
2010                         (2, "eap_eke_process_identity"),
2011                         (3, "eap_eke_process_identity"),
2012                         (4, "eap_eke_process_identity") ]:
2013         with alloc_fail(hapd, count, func):
2014             eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2015                         expect_failure=True)
2016             dev[0].request("REMOVE_NETWORK all")
2017
2018     for count,func,pw in [ (1, "eap_eke_init", "hello"),
2019                            (1, "eap_eke_get_session_id", "hello"),
2020                            (1, "eap_eke_getKey", "hello"),
2021                            (1, "eap_eke_build_msg", "hello"),
2022                            (1, "eap_eke_build_failure", "wrong"),
2023                            (1, "eap_eke_build_identity", "hello"),
2024                            (2, "eap_eke_build_identity", "hello") ]:
2025         with alloc_fail(hapd, count, func):
2026             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2027                            eap="EKE", identity="eke user", password=pw,
2028                            wait_connect=False, scan_freq="2412")
2029             # This would eventually time out, but we can stop after having
2030             # reached the allocation failure.
2031             for i in range(20):
2032                 time.sleep(0.1)
2033                 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2034                     break
2035             dev[0].request("REMOVE_NETWORK all")
2036
2037     for count in range(1, 1000):
2038         try:
2039             with alloc_fail(hapd, count, "eap_server_sm_step"):
2040                 dev[0].connect("test-wpa2-eap",
2041                                key_mgmt="WPA-EAP WPA-EAP-SHA256",
2042                                eap="EKE", identity="eke user", password=pw,
2043                                wait_connect=False, scan_freq="2412")
2044                 # This would eventually time out, but we can stop after having
2045                 # reached the allocation failure.
2046                 for i in range(10):
2047                     time.sleep(0.1)
2048                     if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2049                         break
2050                 dev[0].request("REMOVE_NETWORK all")
2051         except Exception, e:
2052             if str(e) == "Allocation failure did not trigger":
2053                 if count < 30:
2054                     raise Exception("Too few allocation failures")
2055                 logger.info("%d allocation failures tested" % (count - 1))
2056                 break
2057             raise e
2058
2059 def test_ap_wpa2_eap_ikev2(dev, apdev):
2060     """WPA2-Enterprise connection using EAP-IKEv2"""
2061     check_eap_capa(dev[0], "IKEV2")
2062     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2063     hostapd.add_ap(apdev[0]['ifname'], params)
2064     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2065                 password="ike password")
2066     eap_reauth(dev[0], "IKEV2")
2067     dev[0].request("REMOVE_NETWORK all")
2068     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2069                 password="ike password", fragment_size="50")
2070
2071     logger.info("Negative test with incorrect password")
2072     dev[0].request("REMOVE_NETWORK all")
2073     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2074                 password="ike-password", expect_failure=True)
2075
2076 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2077     """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2078     check_eap_capa(dev[0], "IKEV2")
2079     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2080     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2081                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2082                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2083                "fragment_size": "50" }
2084     hostapd.add_ap(apdev[0]['ifname'], params)
2085     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2086                 password="ike password")
2087     eap_reauth(dev[0], "IKEV2")
2088
2089 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2090     """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2091     check_eap_capa(dev[0], "IKEV2")
2092     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2093     hostapd.add_ap(apdev[0]['ifname'], params)
2094
2095     tests = [ (1, "dh_init"),
2096               (2, "dh_init"),
2097               (1, "dh_derive_shared") ]
2098     for count, func in tests:
2099         with alloc_fail(dev[0], count, func):
2100             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2101                            identity="ikev2 user", password="ike password",
2102                            wait_connect=False, scan_freq="2412")
2103             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2104             if ev is None:
2105                 raise Exception("EAP method not selected")
2106             for i in range(10):
2107                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2108                     break
2109                 time.sleep(0.02)
2110             dev[0].request("REMOVE_NETWORK all")
2111
2112     tests = [ (1, "os_get_random;dh_init") ]
2113     for count, func in tests:
2114         with fail_test(dev[0], count, func):
2115             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2116                            identity="ikev2 user", password="ike password",
2117                            wait_connect=False, scan_freq="2412")
2118             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2119             if ev is None:
2120                 raise Exception("EAP method not selected")
2121             for i in range(10):
2122                 if "0:" in dev[0].request("GET_FAIL"):
2123                     break
2124                 time.sleep(0.02)
2125             dev[0].request("REMOVE_NETWORK all")
2126
2127 def test_ap_wpa2_eap_pax(dev, apdev):
2128     """WPA2-Enterprise connection using EAP-PAX"""
2129     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2130     hostapd.add_ap(apdev[0]['ifname'], params)
2131     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2132                 password_hex="0123456789abcdef0123456789abcdef")
2133     eap_reauth(dev[0], "PAX")
2134
2135     logger.info("Negative test with incorrect password")
2136     dev[0].request("REMOVE_NETWORK all")
2137     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2138                 password_hex="ff23456789abcdef0123456789abcdef",
2139                 expect_failure=True)
2140
2141 def test_ap_wpa2_eap_psk(dev, apdev):
2142     """WPA2-Enterprise connection using EAP-PSK"""
2143     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2144     params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2145     params["ieee80211w"] = "2"
2146     hostapd.add_ap(apdev[0]['ifname'], params)
2147     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2148                 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2149     eap_reauth(dev[0], "PSK", sha256=True)
2150     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2151                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2152
2153     bss = dev[0].get_bss(apdev[0]['bssid'])
2154     if 'flags' not in bss:
2155         raise Exception("Could not get BSS flags from BSS table")
2156     if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2157         raise Exception("Unexpected BSS flags: " + bss['flags'])
2158
2159     logger.info("Negative test with incorrect password")
2160     dev[0].request("REMOVE_NETWORK all")
2161     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2162                 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2163                 expect_failure=True)
2164
2165 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2166     """WPA2-Enterprise connection using EAP-PSK and OOM"""
2167     skip_with_fips(dev[0])
2168     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2169     hostapd.add_ap(apdev[0]['ifname'], params)
2170     tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2171               (1, "omac1_aes_128;aes_128_eax_encrypt"),
2172               (2, "omac1_aes_128;aes_128_eax_encrypt"),
2173               (3, "omac1_aes_128;aes_128_eax_encrypt"),
2174               (1, "=aes_128_eax_encrypt"),
2175               (1, "omac1_aes_vector"),
2176               (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2177               (1, "omac1_aes_128;aes_128_eax_decrypt"),
2178               (2, "omac1_aes_128;aes_128_eax_decrypt"),
2179               (3, "omac1_aes_128;aes_128_eax_decrypt"),
2180               (1, "=aes_128_eax_decrypt") ]
2181     for count, func in tests:
2182         with alloc_fail(dev[0], count, func):
2183             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2184                            identity="psk.user@example.com",
2185                            password_hex="0123456789abcdef0123456789abcdef",
2186                            wait_connect=False, scan_freq="2412")
2187             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2188             if ev is None:
2189                 raise Exception("EAP method not selected")
2190             for i in range(10):
2191                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2192                     break
2193                 time.sleep(0.02)
2194             dev[0].request("REMOVE_NETWORK all")
2195
2196     with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2197             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2198                            identity="psk.user@example.com",
2199                            password_hex="0123456789abcdef0123456789abcdef",
2200                            wait_connect=False, scan_freq="2412")
2201             ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2202             if ev is None:
2203                 raise Exception("EAP method failure not reported")
2204             dev[0].request("REMOVE_NETWORK all")
2205
2206 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2207     """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2208     check_eap_capa(dev[0], "MSCHAPV2")
2209     params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2210     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2211     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2212                    identity="user", password="password", phase2="auth=MSCHAPV2",
2213                    ca_cert="auth_serv/ca.pem", wait_connect=False,
2214                    scan_freq="2412")
2215     eap_check_auth(dev[0], "PEAP", True, rsn=False)
2216     hwsim_utils.test_connectivity(dev[0], hapd)
2217     eap_reauth(dev[0], "PEAP", rsn=False)
2218     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2219                         ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2220     status = dev[0].get_status(extra="VERBOSE")
2221     if 'portControl' not in status:
2222         raise Exception("portControl missing from STATUS-VERBOSE")
2223     if status['portControl'] != 'Auto':
2224         raise Exception("Unexpected portControl value: " + status['portControl'])
2225     if 'eap_session_id' not in status:
2226         raise Exception("eap_session_id missing from STATUS-VERBOSE")
2227     if not status['eap_session_id'].startswith("19"):
2228         raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2229
2230 def test_ap_wpa2_eap_interactive(dev, apdev):
2231     """WPA2-Enterprise connection using interactive identity/password entry"""
2232     check_eap_capa(dev[0], "MSCHAPV2")
2233     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2234     hostapd.add_ap(apdev[0]['ifname'], params)
2235     hapd = hostapd.Hostapd(apdev[0]['ifname'])
2236
2237     tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2238                "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2239                None, "password"),
2240               ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2241                "TTLS", "ttls", None, "auth=MSCHAPV2",
2242                "DOMAIN\mschapv2 user", "password"),
2243               ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2244                "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2245               ("Connection with dynamic TTLS/EAP-MD5 password entry",
2246                "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2247               ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2248                "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2249               ("Connection with dynamic PEAP/EAP-GTC password entry",
2250                "PEAP", None, "user", "auth=GTC", None, "password") ]
2251     for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2252         logger.info(desc)
2253         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2254                        anonymous_identity=anon, identity=identity,
2255                        ca_cert="auth_serv/ca.pem", phase2=phase2,
2256                        wait_connect=False, scan_freq="2412")
2257         if req_id:
2258             ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2259             if ev is None:
2260                 raise Exception("Request for identity timed out")
2261             id = ev.split(':')[0].split('-')[-1]
2262             dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2263         ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2264         if ev is None:
2265             raise Exception("Request for password timed out")
2266         id = ev.split(':')[0].split('-')[-1]
2267         type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2268         dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2269         dev[0].wait_connected(timeout=10)
2270         dev[0].request("REMOVE_NETWORK all")
2271
2272 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2273     """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2274     check_eap_capa(dev[0], "MSCHAPV2")
2275     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2276     hostapd.add_ap(apdev[0]['ifname'], params)
2277     hapd = hostapd.Hostapd(apdev[0]['ifname'])
2278
2279     id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2280                               only_add_network=True)
2281
2282     req_id = "DOMAIN\mschapv2 user"
2283     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2284                    anonymous_identity="ttls", identity=None,
2285                    password="password",
2286                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2287                    wait_connect=False, scan_freq="2412")
2288     ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2289     if ev is None:
2290         raise Exception("Request for identity timed out")
2291     id = ev.split(':')[0].split('-')[-1]
2292     dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2293     dev[0].wait_connected(timeout=10)
2294
2295     if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2296         raise Exception("Failed to enable network")
2297     ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2298     if ev is not None:
2299         raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2300     dev[0].request("REMOVE_NETWORK all")
2301
2302 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2303     """WPA2-Enterprise connection using EAP vendor test"""
2304     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2305     hostapd.add_ap(apdev[0]['ifname'], params)
2306     eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2307     eap_reauth(dev[0], "VENDOR-TEST")
2308     eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2309                 password="pending")
2310
2311 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2312     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
2313     check_eap_capa(dev[0], "FAST")
2314     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2315     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2316     eap_connect(dev[0], apdev[0], "FAST", "user",
2317                 anonymous_identity="FAST", password="password",
2318                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2319                 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2320     hwsim_utils.test_connectivity(dev[0], hapd)
2321     res = eap_reauth(dev[0], "FAST")
2322     if res['tls_session_reused'] != '1':
2323         raise Exception("EAP-FAST could not use PAC session ticket")
2324
2325 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2326     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2327     check_eap_capa(dev[0], "FAST")
2328     pac_file = os.path.join(params['logdir'], "fast.pac")
2329     pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2330     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2331     hostapd.add_ap(apdev[0]['ifname'], params)
2332
2333     try:
2334         eap_connect(dev[0], apdev[0], "FAST", "user",
2335                     anonymous_identity="FAST", password="password",
2336                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2337                     phase1="fast_provisioning=1", pac_file=pac_file)
2338         with open(pac_file, "r") as f:
2339             data = f.read()
2340             if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2341                 raise Exception("PAC file header missing")
2342             if "PAC-Key=" not in data:
2343                 raise Exception("PAC-Key missing from PAC file")
2344         dev[0].request("REMOVE_NETWORK all")
2345         eap_connect(dev[0], apdev[0], "FAST", "user",
2346                     anonymous_identity="FAST", password="password",
2347                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2348                     pac_file=pac_file)
2349
2350         eap_connect(dev[1], apdev[0], "FAST", "user",
2351                     anonymous_identity="FAST", password="password",
2352                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2353                     phase1="fast_provisioning=1 fast_pac_format=binary",
2354                     pac_file=pac_file2)
2355         dev[1].request("REMOVE_NETWORK all")
2356         eap_connect(dev[1], apdev[0], "FAST", "user",
2357                     anonymous_identity="FAST", password="password",
2358                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2359                     phase1="fast_pac_format=binary",
2360                     pac_file=pac_file2)
2361     finally:
2362         try:
2363             os.remove(pac_file)
2364         except:
2365             pass
2366         try:
2367             os.remove(pac_file2)
2368         except:
2369             pass
2370
2371 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
2372     """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2373     check_eap_capa(dev[0], "FAST")
2374     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2375     hostapd.add_ap(apdev[0]['ifname'], params)
2376     eap_connect(dev[0], apdev[0], "FAST", "user",
2377                 anonymous_identity="FAST", password="password",
2378                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2379                 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2380                 pac_file="blob://fast_pac_bin")
2381     res = eap_reauth(dev[0], "FAST")
2382     if res['tls_session_reused'] != '1':
2383         raise Exception("EAP-FAST could not use PAC session ticket")
2384
2385 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2386     """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2387     check_eap_capa(dev[0], "FAST")
2388     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2389     hostapd.add_ap(apdev[0]['ifname'], params)
2390
2391     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2392                    identity="user", anonymous_identity="FAST",
2393                    password="password",
2394                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2395                    pac_file="blob://fast_pac_not_in_use",
2396                    wait_connect=False, scan_freq="2412")
2397     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2398     if ev is None:
2399         raise Exception("Timeout on EAP failure report")
2400     dev[0].request("REMOVE_NETWORK all")
2401
2402     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2403                    identity="user", anonymous_identity="FAST",
2404                    password="password",
2405                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2406                    wait_connect=False, scan_freq="2412")
2407     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2408     if ev is None:
2409         raise Exception("Timeout on EAP failure report")
2410
2411 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
2412     """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
2413     check_eap_capa(dev[0], "FAST")
2414     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2415     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2416     eap_connect(dev[0], apdev[0], "FAST", "user",
2417                 anonymous_identity="FAST", password="password",
2418                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2419                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
2420     hwsim_utils.test_connectivity(dev[0], hapd)
2421     res = eap_reauth(dev[0], "FAST")
2422     if res['tls_session_reused'] != '1':
2423         raise Exception("EAP-FAST could not use PAC session ticket")
2424
2425 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2426     """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2427     check_eap_capa(dev[0], "FAST")
2428     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2429     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2430     id = eap_connect(dev[0], apdev[0], "FAST", "user",
2431                      anonymous_identity="FAST", password="password",
2432                      ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2433                      phase1="fast_provisioning=2",
2434                      pac_file="blob://fast_pac_auth")
2435     dev[0].set_network_quoted(id, "identity", "user2")
2436     dev[0].wait_disconnected()
2437     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2438     if ev is None:
2439         raise Exception("EAP-FAST not started")
2440     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2441     if ev is None:
2442         raise Exception("EAP failure not reported")
2443     dev[0].wait_disconnected()
2444
2445 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2446     """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2447     check_eap_capa(dev[0], "FAST")
2448     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2449     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2450     with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2451         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2452                        identity="user", anonymous_identity="FAST",
2453                        password="password", ca_cert="auth_serv/ca.pem",
2454                        phase2="auth=GTC",
2455                        phase1="fast_provisioning=2",
2456                        pac_file="blob://fast_pac_auth",
2457                        wait_connect=False, scan_freq="2412")
2458         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2459         if ev is None:
2460             raise Exception("EAP failure not reported")
2461     dev[0].request("DISCONNECT")
2462
2463 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2464     """EAP-FAST/MSCHAPv2 and server OOM"""
2465     check_eap_capa(dev[0], "FAST")
2466
2467     params = int_eap_server_params()
2468     params['dh_file'] = 'auth_serv/dh.conf'
2469     params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2470     params['eap_fast_a_id'] = '1011'
2471     params['eap_fast_a_id_info'] = 'another test server'
2472     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2473
2474     with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2475         id = eap_connect(dev[0], apdev[0], "FAST", "user",
2476                          anonymous_identity="FAST", password="password",
2477                          ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2478                          phase1="fast_provisioning=1",
2479                          pac_file="blob://fast_pac",
2480                          expect_failure=True)
2481         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2482         if ev is None:
2483             raise Exception("No EAP failure reported")
2484         dev[0].wait_disconnected()
2485         dev[0].request("DISCONNECT")
2486
2487     dev[0].select_network(id, freq="2412")
2488
2489 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
2490     """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
2491     check_ocsp_support(dev[0])
2492     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2493     hostapd.add_ap(apdev[0]['ifname'], params)
2494     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2495                 private_key="auth_serv/user.pkcs12",
2496                 private_key_passwd="whatever", ocsp=2)
2497
2498 def int_eap_server_params():
2499     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2500                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2501                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2502                "ca_cert": "auth_serv/ca.pem",
2503                "server_cert": "auth_serv/server.pem",
2504                "private_key": "auth_serv/server.key" }
2505     return params
2506
2507 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2508     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2509     check_ocsp_support(dev[0])
2510     params = int_eap_server_params()
2511     params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2512     hostapd.add_ap(apdev[0]['ifname'], params)
2513     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2514                    identity="tls user", ca_cert="auth_serv/ca.pem",
2515                    private_key="auth_serv/user.pkcs12",
2516                    private_key_passwd="whatever", ocsp=2,
2517                    wait_connect=False, scan_freq="2412")
2518     count = 0
2519     while True:
2520         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2521         if ev is None:
2522             raise Exception("Timeout on EAP status")
2523         if 'bad certificate status response' in ev:
2524             break
2525         count = count + 1
2526         if count > 10:
2527             raise Exception("Unexpected number of EAP status messages")
2528
2529     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2530     if ev is None:
2531         raise Exception("Timeout on EAP failure report")
2532
2533 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2534     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2535     check_ocsp_support(dev[0])
2536     params = int_eap_server_params()
2537     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2538     hostapd.add_ap(apdev[0]['ifname'], params)
2539     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2540                    identity="tls user", ca_cert="auth_serv/ca.pem",
2541                    private_key="auth_serv/user.pkcs12",
2542                    private_key_passwd="whatever", ocsp=2,
2543                    wait_connect=False, scan_freq="2412")
2544     count = 0
2545     while True:
2546         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2547         if ev is None:
2548             raise Exception("Timeout on EAP status")
2549         if 'bad certificate status response' in ev:
2550             break
2551         count = count + 1
2552         if count > 10:
2553             raise Exception("Unexpected number of EAP status messages")
2554
2555     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2556     if ev is None:
2557         raise Exception("Timeout on EAP failure report")
2558
2559 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2560     """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2561     check_ocsp_support(dev[0])
2562     params = int_eap_server_params()
2563     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2564     hostapd.add_ap(apdev[0]['ifname'], params)
2565     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2566                    identity="tls user", ca_cert="auth_serv/ca.pem",
2567                    private_key="auth_serv/user.pkcs12",
2568                    private_key_passwd="whatever", ocsp=2,
2569                    wait_connect=False, scan_freq="2412")
2570     count = 0
2571     while True:
2572         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2573         if ev is None:
2574             raise Exception("Timeout on EAP status")
2575         if 'bad certificate status response' in ev:
2576             break
2577         count = count + 1
2578         if count > 10:
2579             raise Exception("Unexpected number of EAP status messages")
2580
2581     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2582     if ev is None:
2583         raise Exception("Timeout on EAP failure report")
2584
2585 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2586     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2587     check_ocsp_support(dev[0])
2588     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2589     if not os.path.exists(ocsp):
2590         raise HwsimSkip("No OCSP response available")
2591     params = int_eap_server_params()
2592     params["ocsp_stapling_response"] = ocsp
2593     hostapd.add_ap(apdev[0]['ifname'], params)
2594     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2595                    identity="pap user", ca_cert="auth_serv/ca.pem",
2596                    anonymous_identity="ttls", password="password",
2597                    phase2="auth=PAP", ocsp=2,
2598                    wait_connect=False, scan_freq="2412")
2599     count = 0
2600     while True:
2601         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2602         if ev is None:
2603             raise Exception("Timeout on EAP status")
2604         if 'bad certificate status response' in ev:
2605             break
2606         if 'certificate revoked' in ev:
2607             break
2608         count = count + 1
2609         if count > 10:
2610             raise Exception("Unexpected number of EAP status messages")
2611
2612     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2613     if ev is None:
2614         raise Exception("Timeout on EAP failure report")
2615
2616 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2617     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2618     check_ocsp_support(dev[0])
2619     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2620     if not os.path.exists(ocsp):
2621         raise HwsimSkip("No OCSP response available")
2622     params = int_eap_server_params()
2623     params["ocsp_stapling_response"] = ocsp
2624     hostapd.add_ap(apdev[0]['ifname'], params)
2625     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2626                    identity="pap user", ca_cert="auth_serv/ca.pem",
2627                    anonymous_identity="ttls", password="password",
2628                    phase2="auth=PAP", ocsp=2,
2629                    wait_connect=False, scan_freq="2412")
2630     count = 0
2631     while True:
2632         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2633         if ev is None:
2634             raise Exception("Timeout on EAP status")
2635         if 'bad certificate status response' in ev:
2636             break
2637         count = count + 1
2638         if count > 10:
2639             raise Exception("Unexpected number of EAP status messages")
2640
2641     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2642     if ev is None:
2643         raise Exception("Timeout on EAP failure report")
2644
2645 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2646     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2647     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2648     if not os.path.exists(ocsp):
2649         raise HwsimSkip("No OCSP response available")
2650     params = int_eap_server_params()
2651     params["ocsp_stapling_response"] = ocsp
2652     hostapd.add_ap(apdev[0]['ifname'], params)
2653     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2654                    identity="pap user", ca_cert="auth_serv/ca.pem",
2655                    anonymous_identity="ttls", password="password",
2656                    phase2="auth=PAP", ocsp=1, scan_freq="2412")
2657
2658 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2659     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2660     params = int_eap_server_params()
2661     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2662     params["private_key"] = "auth_serv/server-no-dnsname.key"
2663     hostapd.add_ap(apdev[0]['ifname'], params)
2664     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2665                    identity="tls user", ca_cert="auth_serv/ca.pem",
2666                    private_key="auth_serv/user.pkcs12",
2667                    private_key_passwd="whatever",
2668                    domain_suffix_match="server3.w1.fi",
2669                    scan_freq="2412")
2670
2671 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2672     """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2673     params = int_eap_server_params()
2674     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2675     params["private_key"] = "auth_serv/server-no-dnsname.key"
2676     hostapd.add_ap(apdev[0]['ifname'], params)
2677     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2678                    identity="tls user", ca_cert="auth_serv/ca.pem",
2679                    private_key="auth_serv/user.pkcs12",
2680                    private_key_passwd="whatever",
2681                    domain_match="server3.w1.fi",
2682                    scan_freq="2412")
2683
2684 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2685     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2686     check_domain_match_full(dev[0])
2687     params = int_eap_server_params()
2688     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2689     params["private_key"] = "auth_serv/server-no-dnsname.key"
2690     hostapd.add_ap(apdev[0]['ifname'], params)
2691     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2692                    identity="tls user", ca_cert="auth_serv/ca.pem",
2693                    private_key="auth_serv/user.pkcs12",
2694                    private_key_passwd="whatever",
2695                    domain_suffix_match="w1.fi",
2696                    scan_freq="2412")
2697
2698 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2699     """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2700     params = int_eap_server_params()
2701     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2702     params["private_key"] = "auth_serv/server-no-dnsname.key"
2703     hostapd.add_ap(apdev[0]['ifname'], params)
2704     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2705                    identity="tls user", ca_cert="auth_serv/ca.pem",
2706                    private_key="auth_serv/user.pkcs12",
2707                    private_key_passwd="whatever",
2708                    domain_suffix_match="example.com",
2709                    wait_connect=False,
2710                    scan_freq="2412")
2711     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2712                    identity="tls user", ca_cert="auth_serv/ca.pem",
2713                    private_key="auth_serv/user.pkcs12",
2714                    private_key_passwd="whatever",
2715                    domain_suffix_match="erver3.w1.fi",
2716                    wait_connect=False,
2717                    scan_freq="2412")
2718     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2719     if ev is None:
2720         raise Exception("Timeout on EAP failure report")
2721     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2722     if ev is None:
2723         raise Exception("Timeout on EAP failure report (2)")
2724
2725 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2726     """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2727     params = int_eap_server_params()
2728     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2729     params["private_key"] = "auth_serv/server-no-dnsname.key"
2730     hostapd.add_ap(apdev[0]['ifname'], params)
2731     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2732                    identity="tls user", ca_cert="auth_serv/ca.pem",
2733                    private_key="auth_serv/user.pkcs12",
2734                    private_key_passwd="whatever",
2735                    domain_match="example.com",
2736                    wait_connect=False,
2737                    scan_freq="2412")
2738     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2739                    identity="tls user", ca_cert="auth_serv/ca.pem",
2740                    private_key="auth_serv/user.pkcs12",
2741                    private_key_passwd="whatever",
2742                    domain_match="w1.fi",
2743                    wait_connect=False,
2744                    scan_freq="2412")
2745     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2746     if ev is None:
2747         raise Exception("Timeout on EAP failure report")
2748     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2749     if ev is None:
2750         raise Exception("Timeout on EAP failure report (2)")
2751
2752 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2753     """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2754     skip_with_fips(dev[0])
2755     params = int_eap_server_params()
2756     params["server_cert"] = "auth_serv/server-expired.pem"
2757     params["private_key"] = "auth_serv/server-expired.key"
2758     hostapd.add_ap(apdev[0]['ifname'], params)
2759     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2760                    identity="mschap user", password="password",
2761                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2762                    wait_connect=False,
2763                    scan_freq="2412")
2764     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2765     if ev is None:
2766         raise Exception("Timeout on EAP certificate error report")
2767     if "reason=4" not in ev or "certificate has expired" not in ev:
2768         raise Exception("Unexpected failure reason: " + ev)
2769     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2770     if ev is None:
2771         raise Exception("Timeout on EAP failure report")
2772
2773 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2774     """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2775     skip_with_fips(dev[0])
2776     params = int_eap_server_params()
2777     params["server_cert"] = "auth_serv/server-expired.pem"
2778     params["private_key"] = "auth_serv/server-expired.key"
2779     hostapd.add_ap(apdev[0]['ifname'], params)
2780     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2781                    identity="mschap user", password="password",
2782                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2783                    phase1="tls_disable_time_checks=1",
2784                    scan_freq="2412")
2785
2786 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2787     """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2788     skip_with_fips(dev[0])
2789     params = int_eap_server_params()
2790     params["server_cert"] = "auth_serv/server-long-duration.pem"
2791     params["private_key"] = "auth_serv/server-long-duration.key"
2792     hostapd.add_ap(apdev[0]['ifname'], params)
2793     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2794                    identity="mschap user", password="password",
2795                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2796                    scan_freq="2412")
2797
2798 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2799     """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2800     skip_with_fips(dev[0])
2801     params = int_eap_server_params()
2802     params["server_cert"] = "auth_serv/server-eku-client.pem"
2803     params["private_key"] = "auth_serv/server-eku-client.key"
2804     hostapd.add_ap(apdev[0]['ifname'], params)
2805     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2806                    identity="mschap user", password="password",
2807                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2808                    wait_connect=False,
2809                    scan_freq="2412")
2810     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2811     if ev is None:
2812         raise Exception("Timeout on EAP failure report")
2813
2814 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2815     """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2816     skip_with_fips(dev[0])
2817     params = int_eap_server_params()
2818     params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2819     params["private_key"] = "auth_serv/server-eku-client-server.key"
2820     hostapd.add_ap(apdev[0]['ifname'], params)
2821     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2822                    identity="mschap user", password="password",
2823                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2824                    scan_freq="2412")
2825
2826 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2827     """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2828     skip_with_fips(dev[0])
2829     params = int_eap_server_params()
2830     del params["server_cert"]
2831     params["private_key"] = "auth_serv/server.pkcs12"
2832     hostapd.add_ap(apdev[0]['ifname'], params)
2833     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2834                    identity="mschap user", password="password",
2835                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2836                    scan_freq="2412")
2837
2838 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
2839     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
2840     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2841     hostapd.add_ap(apdev[0]['ifname'], params)
2842     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2843                 anonymous_identity="ttls", password="password",
2844                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2845                 dh_file="auth_serv/dh.conf")
2846
2847 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
2848     """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
2849     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2850     hostapd.add_ap(apdev[0]['ifname'], params)
2851     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2852                 anonymous_identity="ttls", password="password",
2853                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2854                 dh_file="auth_serv/dsaparam.pem")
2855
2856 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2857     """EAP-TTLS and DH params file not found"""
2858     skip_with_fips(dev[0])
2859     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2860     hostapd.add_ap(apdev[0]['ifname'], params)
2861     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2862                    identity="mschap user", password="password",
2863                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2864                    dh_file="auth_serv/dh-no-such-file.conf",
2865                    scan_freq="2412", wait_connect=False)
2866     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2867     if ev is None:
2868         raise Exception("EAP failure timed out")
2869     dev[0].request("REMOVE_NETWORK all")
2870     dev[0].wait_disconnected()
2871
2872 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2873     """EAP-TTLS and invalid DH params file"""
2874     skip_with_fips(dev[0])
2875     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2876     hostapd.add_ap(apdev[0]['ifname'], params)
2877     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2878                    identity="mschap user", password="password",
2879                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2880                    dh_file="auth_serv/ca.pem",
2881                    scan_freq="2412", wait_connect=False)
2882     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2883     if ev is None:
2884         raise Exception("EAP failure timed out")
2885     dev[0].request("REMOVE_NETWORK all")
2886     dev[0].wait_disconnected()
2887
2888 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
2889     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
2890     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2891     hostapd.add_ap(apdev[0]['ifname'], params)
2892     dh = read_pem("auth_serv/dh2.conf")
2893     if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
2894         raise Exception("Could not set dhparams blob")
2895     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2896                 anonymous_identity="ttls", password="password",
2897                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2898                 dh_file="blob://dhparams")
2899
2900 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
2901     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
2902     params = int_eap_server_params()
2903     params["dh_file"] = "auth_serv/dh2.conf"
2904     hostapd.add_ap(apdev[0]['ifname'], params)
2905     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2906                 anonymous_identity="ttls", password="password",
2907                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
2908
2909 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
2910     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
2911     params = int_eap_server_params()
2912     params["dh_file"] = "auth_serv/dsaparam.pem"
2913     hostapd.add_ap(apdev[0]['ifname'], params)
2914     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2915                 anonymous_identity="ttls", password="password",
2916                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
2917
2918 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2919     """EAP-TLS server and dhparams file not found"""
2920     params = int_eap_server_params()
2921     params["dh_file"] = "auth_serv/dh-no-such-file.conf"
2922     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2923     if "FAIL" not in hapd.request("ENABLE"):
2924         raise Exception("Invalid configuration accepted")
2925
2926 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2927     """EAP-TLS server and invalid dhparams file"""
2928     params = int_eap_server_params()
2929     params["dh_file"] = "auth_serv/ca.pem"
2930     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2931     if "FAIL" not in hapd.request("ENABLE"):
2932         raise Exception("Invalid configuration accepted")
2933
2934 def test_ap_wpa2_eap_reauth(dev, apdev):
2935     """WPA2-Enterprise and Authenticator forcing reauthentication"""
2936     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2937     params['eap_reauth_period'] = '2'
2938     hostapd.add_ap(apdev[0]['ifname'], params)
2939     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2940                 password_hex="0123456789abcdef0123456789abcdef")
2941     logger.info("Wait for reauthentication")
2942     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2943     if ev is None:
2944         raise Exception("Timeout on reauthentication")
2945     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2946     if ev is None:
2947         raise Exception("Timeout on reauthentication")
2948     for i in range(0, 20):
2949         state = dev[0].get_status_field("wpa_state")
2950         if state == "COMPLETED":
2951             break
2952         time.sleep(0.1)
2953     if state != "COMPLETED":
2954         raise Exception("Reauthentication did not complete")
2955
2956 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
2957     """Optional displayable message in EAP Request-Identity"""
2958     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2959     params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
2960     hostapd.add_ap(apdev[0]['ifname'], params)
2961     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2962                 password_hex="0123456789abcdef0123456789abcdef")
2963
2964 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
2965     """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
2966     check_hlr_auc_gw_support()
2967     params = int_eap_server_params()
2968     params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
2969     params['eap_sim_aka_result_ind'] = "1"
2970     hostapd.add_ap(apdev[0]['ifname'], params)
2971
2972     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
2973                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
2974                 phase1="result_ind=1")
2975     eap_reauth(dev[0], "SIM")
2976     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
2977                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
2978
2979     dev[0].request("REMOVE_NETWORK all")
2980     dev[1].request("REMOVE_NETWORK all")
2981
2982     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2983                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2984                 phase1="result_ind=1")
2985     eap_reauth(dev[0], "AKA")
2986     eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2987                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2988
2989     dev[0].request("REMOVE_NETWORK all")
2990     dev[1].request("REMOVE_NETWORK all")
2991
2992     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2993                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2994                 phase1="result_ind=1")
2995     eap_reauth(dev[0], "AKA'")
2996     eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2997                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2998
2999 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3000     """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3001     skip_with_fips(dev[0])
3002     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3003     hostapd.add_ap(apdev[0]['ifname'], params)
3004     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3005                    eap="TTLS", identity="mschap user",
3006                    wait_connect=False, scan_freq="2412", ieee80211w="1",
3007                    anonymous_identity="ttls", password="password",
3008                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3009                    fragment_size="10")
3010     ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3011     if ev is None:
3012         raise Exception("EAP roundtrip limit not reached")
3013
3014 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3015     """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3016     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3017     hostapd.add_ap(apdev[0]['ifname'], params)
3018     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3019                    eap="PSK", identity="vendor-test",
3020                    password_hex="ff23456789abcdef0123456789abcdef",
3021                    wait_connect=False)
3022
3023     found = False
3024     for i in range(0, 5):
3025         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3026         if ev is None:
3027             raise Exception("Association and EAP start timed out")
3028         if "refuse proposed method" in ev:
3029             found = True
3030             break
3031     if not found:
3032         raise Exception("Unexpected EAP status: " + ev)
3033
3034     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3035     if ev is None:
3036         raise Exception("EAP failure timed out")
3037
3038 def test_ap_wpa2_eap_sql(dev, apdev, params):
3039     """WPA2-Enterprise connection using SQLite for user DB"""
3040     skip_with_fips(dev[0])
3041     try:
3042         import sqlite3
3043     except ImportError:
3044         raise HwsimSkip("No sqlite3 module available")
3045     dbfile = os.path.join(params['logdir'], "eap-user.db")
3046     try:
3047         os.remove(dbfile)
3048     except:
3049         pass
3050     con = sqlite3.connect(dbfile)
3051     with con:
3052         cur = con.cursor()
3053         cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3054         cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3055         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3056         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3057         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3058         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3059         cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3060         cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3061
3062     try:
3063         params = int_eap_server_params()
3064         params["eap_user_file"] = "sqlite:" + dbfile
3065         hostapd.add_ap(apdev[0]['ifname'], params)
3066         eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3067                     anonymous_identity="ttls", password="password",
3068                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3069         dev[0].request("REMOVE_NETWORK all")
3070         eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3071                     anonymous_identity="ttls", password="password",
3072                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3073         dev[1].request("REMOVE_NETWORK all")
3074         eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3075                     anonymous_identity="ttls", password="password",
3076                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3077         eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3078                     anonymous_identity="ttls", password="password",
3079                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3080     finally:
3081         os.remove(dbfile)
3082
3083 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3084     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3085     params = int_eap_server_params()
3086     hostapd.add_ap(apdev[0]['ifname'], params)
3087     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3088                    identity="\x80", password="password", wait_connect=False)
3089     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3090                    identity="a\x80", password="password", wait_connect=False)
3091     for i in range(0, 2):
3092         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3093         if ev is None:
3094             raise Exception("Association and EAP start timed out")
3095         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3096         if ev is None:
3097             raise Exception("EAP method selection timed out")
3098
3099 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3100     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3101     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3102     hostapd.add_ap(apdev[0]['ifname'], params)
3103     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3104                    identity="\x80", password="password", wait_connect=False)
3105     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3106                    identity="a\x80", password="password", wait_connect=False)
3107     for i in range(0, 2):
3108         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3109         if ev is None:
3110             raise Exception("Association and EAP start timed out")
3111         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3112         if ev is None:
3113             raise Exception("EAP method selection timed out")
3114
3115 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3116     """OpenSSL cipher suite configuration on wpa_supplicant"""
3117     tls = dev[0].request("GET tls_library")
3118     if not tls.startswith("OpenSSL"):
3119         raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3120     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3121     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3122     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3123                 anonymous_identity="ttls", password="password",
3124                 openssl_ciphers="AES128",
3125                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3126     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3127                 anonymous_identity="ttls", password="password",
3128                 openssl_ciphers="EXPORT",
3129                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3130                 expect_failure=True, maybe_local_error=True)
3131     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3132                    identity="pap user", anonymous_identity="ttls",
3133                    password="password",
3134                    openssl_ciphers="FOO",
3135                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3136                    wait_connect=False)
3137     ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3138     if ev is None:
3139         raise Exception("EAP failure after invalid openssl_ciphers not reported")
3140     dev[2].request("DISCONNECT")
3141
3142 def test_openssl_cipher_suite_config_hapd(dev, apdev):
3143     """OpenSSL cipher suite configuration on hostapd"""
3144     tls = dev[0].request("GET tls_library")
3145     if not tls.startswith("OpenSSL"):
3146         raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
3147     params = int_eap_server_params()
3148     params['openssl_ciphers'] = "AES256"
3149     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3150     tls = hapd.request("GET tls_library")
3151     if not tls.startswith("OpenSSL"):
3152         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3153     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3154                 anonymous_identity="ttls", password="password",
3155                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3156     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3157                 anonymous_identity="ttls", password="password",
3158                 openssl_ciphers="AES128",
3159                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3160                 expect_failure=True)
3161     eap_connect(dev[2], apdev[0], "TTLS", "pap user",
3162                 anonymous_identity="ttls", password="password",
3163                 openssl_ciphers="HIGH:!ADH",
3164                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3165
3166     params['openssl_ciphers'] = "FOO"
3167     hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
3168     if "FAIL" not in hapd2.request("ENABLE"):
3169         raise Exception("Invalid openssl_ciphers value accepted")
3170
3171 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3172     """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3173     p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3174     hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3175     password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3176     pid = find_wpas_process(dev[0])
3177     id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3178                      anonymous_identity="ttls", password=password,
3179                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3180     time.sleep(1)
3181     buf = read_process_memory(pid, password)
3182
3183     dev[0].request("DISCONNECT")
3184     dev[0].wait_disconnected()
3185
3186     dev[0].relog()
3187     msk = None
3188     emsk = None
3189     pmk = None
3190     ptk = None
3191     gtk = None
3192     with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3193         for l in f.readlines():
3194             if "EAP-TTLS: Derived key - hexdump" in l:
3195                 val = l.strip().split(':')[3].replace(' ', '')
3196                 msk = binascii.unhexlify(val)
3197             if "EAP-TTLS: Derived EMSK - hexdump" in l:
3198                 val = l.strip().split(':')[3].replace(' ', '')
3199                 emsk = binascii.unhexlify(val)
3200             if "WPA: PMK - hexdump" in l:
3201                 val = l.strip().split(':')[3].replace(' ', '')
3202                 pmk = binascii.unhexlify(val)
3203             if "WPA: PTK - hexdump" in l:
3204                 val = l.strip().split(':')[3].replace(' ', '')
3205                 ptk = binascii.unhexlify(val)
3206             if "WPA: Group Key - hexdump" in l:
3207                 val = l.strip().split(':')[3].replace(' ', '')
3208                 gtk = binascii.unhexlify(val)
3209     if not msk or not emsk or not pmk or not ptk or not gtk:
3210         raise Exception("Could not find keys from debug log")
3211     if len(gtk) != 16:
3212         raise Exception("Unexpected GTK length")
3213
3214     kck = ptk[0:16]
3215     kek = ptk[16:32]
3216     tk = ptk[32:48]
3217
3218     fname = os.path.join(params['logdir'],
3219                          'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3220
3221     logger.info("Checking keys in memory while associated")
3222     get_key_locations(buf, password, "Password")
3223     get_key_locations(buf, pmk, "PMK")
3224     get_key_locations(buf, msk, "MSK")
3225     get_key_locations(buf, emsk, "EMSK")
3226     if password not in buf:
3227         raise HwsimSkip("Password not found while associated")
3228     if pmk not in buf:
3229         raise HwsimSkip("PMK not found while associated")
3230     if kck not in buf:
3231         raise Exception("KCK not found while associated")
3232     if kek not in buf:
3233         raise Exception("KEK not found while associated")
3234     if tk in buf:
3235         raise Exception("TK found from memory")
3236     if gtk in buf:
3237         raise Exception("GTK found from memory")
3238
3239     logger.info("Checking keys in memory after disassociation")
3240     buf = read_process_memory(pid, password)
3241
3242     # Note: Password is still present in network configuration
3243     # Note: PMK is in PMKSA cache and EAP fast re-auth data
3244
3245     get_key_locations(buf, password, "Password")
3246     get_key_locations(buf, pmk, "PMK")
3247     get_key_locations(buf, msk, "MSK")
3248     get_key_locations(buf, emsk, "EMSK")
3249     verify_not_present(buf, kck, fname, "KCK")
3250     verify_not_present(buf, kek, fname, "KEK")
3251     verify_not_present(buf, tk, fname, "TK")
3252     verify_not_present(buf, gtk, fname, "GTK")
3253
3254     dev[0].request("PMKSA_FLUSH")
3255     dev[0].set_network_quoted(id, "identity", "foo")
3256     logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3257     buf = read_process_memory(pid, password)
3258     get_key_locations(buf, password, "Password")
3259     get_key_locations(buf, pmk, "PMK")
3260     get_key_locations(buf, msk, "MSK")
3261     get_key_locations(buf, emsk, "EMSK")
3262     verify_not_present(buf, pmk, fname, "PMK")
3263
3264     dev[0].request("REMOVE_NETWORK all")
3265
3266     logger.info("Checking keys in memory after network profile removal")
3267     buf = read_process_memory(pid, password)
3268
3269     get_key_locations(buf, password, "Password")
3270     get_key_locations(buf, pmk, "PMK")
3271     get_key_locations(buf, msk, "MSK")
3272     get_key_locations(buf, emsk, "EMSK")
3273     verify_not_present(buf, password, fname, "password")
3274     verify_not_present(buf, pmk, fname, "PMK")
3275     verify_not_present(buf, kck, fname, "KCK")
3276     verify_not_present(buf, kek, fname, "KEK")
3277     verify_not_present(buf, tk, fname, "TK")
3278     verify_not_present(buf, gtk, fname, "GTK")
3279     verify_not_present(buf, msk, fname, "MSK")
3280     verify_not_present(buf, emsk, fname, "EMSK")
3281
3282 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3283     """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3284     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3285     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3286     bssid = apdev[0]['bssid']
3287     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3288                 anonymous_identity="ttls", password="password",
3289                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3290
3291     # Send unexpected WEP EAPOL-Key; this gets dropped
3292     res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3293     if "OK" not in res:
3294         raise Exception("EAPOL_RX to wpa_supplicant failed")
3295
3296 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3297     """WPA2-EAP and wpas interface in a bridge"""
3298     br_ifname='sta-br0'
3299     ifname='wlan5'
3300     try:
3301         _test_ap_wpa2_eap_in_bridge(dev, apdev)
3302     finally:
3303         subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3304         subprocess.call(['brctl', 'delif', br_ifname, ifname])
3305         subprocess.call(['brctl', 'delbr', br_ifname])
3306         subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3307
3308 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3309     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3310     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3311
3312     br_ifname='sta-br0'
3313     ifname='wlan5'
3314     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3315     subprocess.call(['brctl', 'addbr', br_ifname])
3316     subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3317     subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3318     subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3319     subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3320     wpas.interface_add(ifname, br_ifname=br_ifname)
3321
3322     id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3323                      password_hex="0123456789abcdef0123456789abcdef")
3324     eap_reauth(wpas, "PAX")
3325     # Try again as a regression test for packet socket workaround
3326     eap_reauth(wpas, "PAX")
3327     wpas.request("DISCONNECT")
3328     wpas.wait_disconnected()
3329     wpas.request("RECONNECT")
3330     wpas.wait_connected()
3331
3332 def test_ap_wpa2_eap_session_ticket(dev, apdev):
3333     """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
3334     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3335     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3336     key_mgmt = hapd.get_config()['key_mgmt']
3337     if key_mgmt.split(' ')[0] != "WPA-EAP":
3338         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3339     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3340                 anonymous_identity="ttls", password="password",
3341                 ca_cert="auth_serv/ca.pem",
3342                 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
3343     eap_reauth(dev[0], "TTLS")
3344
3345 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3346     """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3347     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3348     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3349     key_mgmt = hapd.get_config()['key_mgmt']
3350     if key_mgmt.split(' ')[0] != "WPA-EAP":
3351         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3352     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3353                 anonymous_identity="ttls", password="password",
3354                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3355                 phase2="auth=PAP")
3356     eap_reauth(dev[0], "TTLS")
3357
3358 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3359     """EAP-TLS and server checking CRL"""
3360     params = int_eap_server_params()
3361     params['check_crl'] = '1'
3362     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3363
3364     # check_crl=1 and no CRL available --> reject connection
3365     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3366                 client_cert="auth_serv/user.pem",
3367                 private_key="auth_serv/user.key", expect_failure=True)
3368     dev[0].request("REMOVE_NETWORK all")
3369
3370     hapd.disable()
3371     hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3372     hapd.enable()
3373
3374     # check_crl=1 and valid CRL --> accept
3375     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3376                 client_cert="auth_serv/user.pem",
3377                 private_key="auth_serv/user.key")
3378     dev[0].request("REMOVE_NETWORK all")
3379
3380     hapd.disable()
3381     hapd.set("check_crl", "2")
3382     hapd.enable()
3383
3384     # check_crl=2 and valid CRL --> accept
3385     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3386                 client_cert="auth_serv/user.pem",
3387                 private_key="auth_serv/user.key")
3388     dev[0].request("REMOVE_NETWORK all")
3389
3390 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3391     """EAP-TLS and OOM"""
3392     check_subject_match_support(dev[0])
3393     check_altsubject_match_support(dev[0])
3394     check_domain_match_full(dev[0])
3395
3396     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3397     hostapd.add_ap(apdev[0]['ifname'], params)
3398
3399     tests = [ (1, "tls_connection_set_subject_match"),
3400               (2, "tls_connection_set_subject_match"),
3401               (3, "tls_connection_set_subject_match"),
3402               (4, "tls_connection_set_subject_match") ]
3403     for count, func in tests:
3404         with alloc_fail(dev[0], count, func):
3405             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3406                            identity="tls user", ca_cert="auth_serv/ca.pem",
3407                            client_cert="auth_serv/user.pem",
3408                            private_key="auth_serv/user.key",
3409                            subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3410                            altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3411                            domain_suffix_match="server.w1.fi",
3412                            domain_match="server.w1.fi",
3413                            wait_connect=False, scan_freq="2412")
3414             # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3415             ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3416             if ev is None:
3417                 raise Exception("No passphrase request")
3418             dev[0].request("REMOVE_NETWORK all")
3419             dev[0].wait_disconnected()
3420
3421 def test_ap_wpa2_eap_tls_macacl(dev, apdev):
3422     """WPA2-Enterprise connection using MAC ACL"""
3423     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3424     params["macaddr_acl"] = "2"
3425     hostapd.add_ap(apdev[0]['ifname'], params)
3426     eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3427                 client_cert="auth_serv/user.pem",
3428                 private_key="auth_serv/user.key")
3429
3430 def test_ap_wpa2_eap_oom(dev, apdev):
3431     """EAP server and OOM"""
3432     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3433     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3434     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3435
3436     with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3437         # The first attempt fails, but STA will send EAPOL-Start to retry and
3438         # that succeeds.
3439         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3440                        identity="tls user", ca_cert="auth_serv/ca.pem",
3441                        client_cert="auth_serv/user.pem",
3442                        private_key="auth_serv/user.key",
3443                        scan_freq="2412")
3444
3445 def check_tls_ver(dev, ap, phase1, expected):
3446     eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3447                 client_cert="auth_serv/user.pem",
3448                 private_key="auth_serv/user.key",
3449                 phase1=phase1)
3450     ver = dev.get_status_field("eap_tls_version")
3451     if ver != expected:
3452         raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3453
3454 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3455     """EAP-TLS and TLS version configuration"""
3456     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3457     hostapd.add_ap(apdev[0]['ifname'], params)
3458
3459     tls = dev[0].request("GET tls_library")
3460     if tls.startswith("OpenSSL"):
3461         if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3462             check_tls_ver(dev[0], apdev[0],
3463                           "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3464                           "TLSv1.2")
3465     check_tls_ver(dev[1], apdev[0],
3466                   "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3467     check_tls_ver(dev[2], apdev[0],
3468                   "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3469
3470 def test_rsn_ie_proto_eap_sta(dev, apdev):
3471     """RSN element protocol testing for EAP cases on STA side"""
3472     bssid = apdev[0]['bssid']
3473     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3474     # This is the RSN element used normally by hostapd
3475     params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3476     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3477     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3478                         identity="gpsk user",
3479                         password="abcdefghijklmnop0123456789abcdef",
3480                         scan_freq="2412")
3481
3482     tests = [ ('No RSN Capabilities field',
3483                '30120100000fac040100000fac040100000fac01'),
3484               ('No AKM Suite fields',
3485                '300c0100000fac040100000fac04'),
3486               ('No Pairwise Cipher Suite fields',
3487                '30060100000fac04'),
3488               ('No Group Data Cipher Suite field',
3489                '30020100') ]
3490     for txt,ie in tests:
3491         dev[0].request("DISCONNECT")
3492         dev[0].wait_disconnected()
3493         logger.info(txt)
3494         hapd.disable()
3495         hapd.set('own_ie_override', ie)
3496         hapd.enable()
3497         dev[0].request("BSS_FLUSH 0")
3498         dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3499         dev[0].select_network(id, freq=2412)
3500         dev[0].wait_connected()
3501
3502 def check_tls_session_resumption_capa(dev, hapd):
3503     tls = hapd.request("GET tls_library")
3504     if not tls.startswith("OpenSSL"):
3505         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3506
3507     tls = dev.request("GET tls_library")
3508     if not tls.startswith("OpenSSL"):
3509         raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
3510
3511 def test_eap_ttls_pap_session_resumption(dev, apdev):
3512     """EAP-TTLS/PAP session resumption"""
3513     params = int_eap_server_params()
3514     params['tls_session_lifetime'] = '60'
3515     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3516     check_tls_session_resumption_capa(dev[0], hapd)
3517     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3518                 anonymous_identity="ttls", password="password",
3519                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3520                 phase2="auth=PAP")
3521     if dev[0].get_status_field("tls_session_reused") != '0':
3522         raise Exception("Unexpected session resumption on the first connection")
3523
3524     dev[0].request("REAUTHENTICATE")
3525     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3526     if ev is None:
3527         raise Exception("EAP success timed out")
3528     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3529     if ev is None:
3530         raise Exception("Key handshake with the AP timed out")
3531     if dev[0].get_status_field("tls_session_reused") != '1':
3532         raise Exception("Session resumption not used on the second connection")
3533
3534 def test_eap_ttls_chap_session_resumption(dev, apdev):
3535     """EAP-TTLS/CHAP session resumption"""
3536     params = int_eap_server_params()
3537     params['tls_session_lifetime'] = '60'
3538     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3539     check_tls_session_resumption_capa(dev[0], hapd)
3540     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3541                 anonymous_identity="ttls", password="password",
3542                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3543     if dev[0].get_status_field("tls_session_reused") != '0':
3544         raise Exception("Unexpected session resumption on the first connection")
3545
3546     dev[0].request("REAUTHENTICATE")
3547     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3548     if ev is None:
3549         raise Exception("EAP success timed out")
3550     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3551     if ev is None:
3552         raise Exception("Key handshake with the AP timed out")
3553     if dev[0].get_status_field("tls_session_reused") != '1':
3554         raise Exception("Session resumption not used on the second connection")
3555
3556 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3557     """EAP-TTLS/MSCHAP session resumption"""
3558     params = int_eap_server_params()
3559     params['tls_session_lifetime'] = '60'
3560     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3561     check_tls_session_resumption_capa(dev[0], hapd)
3562     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3563                 anonymous_identity="ttls", password="password",
3564                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3565                 domain_suffix_match="server.w1.fi")
3566     if dev[0].get_status_field("tls_session_reused") != '0':
3567         raise Exception("Unexpected session resumption on the first connection")
3568
3569     dev[0].request("REAUTHENTICATE")
3570     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3571     if ev is None:
3572         raise Exception("EAP success timed out")
3573     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3574     if ev is None:
3575         raise Exception("Key handshake with the AP timed out")
3576     if dev[0].get_status_field("tls_session_reused") != '1':
3577         raise Exception("Session resumption not used on the second connection")
3578
3579 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3580     """EAP-TTLS/MSCHAPv2 session resumption"""
3581     check_eap_capa(dev[0], "MSCHAPV2")
3582     params = int_eap_server_params()
3583     params['tls_session_lifetime'] = '60'
3584     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3585     check_tls_session_resumption_capa(dev[0], hapd)
3586     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3587                 anonymous_identity="ttls", password="password",
3588                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3589                 domain_suffix_match="server.w1.fi")
3590     if dev[0].get_status_field("tls_session_reused") != '0':
3591         raise Exception("Unexpected session resumption on the first connection")
3592
3593     dev[0].request("REAUTHENTICATE")
3594     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3595     if ev is None:
3596         raise Exception("EAP success timed out")
3597     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3598     if ev is None:
3599         raise Exception("Key handshake with the AP timed out")
3600     if dev[0].get_status_field("tls_session_reused") != '1':
3601         raise Exception("Session resumption not used on the second connection")
3602
3603 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3604     """EAP-TTLS/EAP-GTC session resumption"""
3605     params = int_eap_server_params()
3606     params['tls_session_lifetime'] = '60'
3607     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3608     check_tls_session_resumption_capa(dev[0], hapd)
3609     eap_connect(dev[0], apdev[0], "TTLS", "user",
3610                 anonymous_identity="ttls", password="password",
3611                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3612     if dev[0].get_status_field("tls_session_reused") != '0':
3613         raise Exception("Unexpected session resumption on the first connection")
3614
3615     dev[0].request("REAUTHENTICATE")
3616     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3617     if ev is None:
3618         raise Exception("EAP success timed out")
3619     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3620     if ev is None:
3621         raise Exception("Key handshake with the AP timed out")
3622     if dev[0].get_status_field("tls_session_reused") != '1':
3623         raise Exception("Session resumption not used on the second connection")
3624
3625 def test_eap_ttls_no_session_resumption(dev, apdev):
3626     """EAP-TTLS session resumption disabled on server"""
3627     params = int_eap_server_params()
3628     params['tls_session_lifetime'] = '0'
3629     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3630     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3631                 anonymous_identity="ttls", password="password",
3632                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3633                 phase2="auth=PAP")
3634     if dev[0].get_status_field("tls_session_reused") != '0':
3635         raise Exception("Unexpected session resumption on the first connection")
3636
3637     dev[0].request("REAUTHENTICATE")
3638     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3639     if ev is None:
3640         raise Exception("EAP success timed out")
3641     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3642     if ev is None:
3643         raise Exception("Key handshake with the AP timed out")
3644     if dev[0].get_status_field("tls_session_reused") != '0':
3645         raise Exception("Unexpected session resumption on the second connection")
3646
3647 def test_eap_peap_session_resumption(dev, apdev):
3648     """EAP-PEAP session resumption"""
3649     params = int_eap_server_params()
3650     params['tls_session_lifetime'] = '60'
3651     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3652     check_tls_session_resumption_capa(dev[0], hapd)
3653     eap_connect(dev[0], apdev[0], "PEAP", "user",
3654                 anonymous_identity="peap", password="password",
3655                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3656     if dev[0].get_status_field("tls_session_reused") != '0':
3657         raise Exception("Unexpected session resumption on the first connection")
3658
3659     dev[0].request("REAUTHENTICATE")
3660     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3661     if ev is None:
3662         raise Exception("EAP success timed out")
3663     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3664     if ev is None:
3665         raise Exception("Key handshake with the AP timed out")
3666     if dev[0].get_status_field("tls_session_reused") != '1':
3667         raise Exception("Session resumption not used on the second connection")
3668
3669 def test_eap_peap_no_session_resumption(dev, apdev):
3670     """EAP-PEAP session resumption disabled on server"""
3671     params = int_eap_server_params()
3672     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3673     eap_connect(dev[0], apdev[0], "PEAP", "user",
3674                 anonymous_identity="peap", password="password",
3675                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3676     if dev[0].get_status_field("tls_session_reused") != '0':
3677         raise Exception("Unexpected session resumption on the first connection")
3678
3679     dev[0].request("REAUTHENTICATE")
3680     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3681     if ev is None:
3682         raise Exception("EAP success timed out")
3683     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3684     if ev is None:
3685         raise Exception("Key handshake with the AP timed out")
3686     if dev[0].get_status_field("tls_session_reused") != '0':
3687         raise Exception("Unexpected session resumption on the second connection")
3688
3689 def test_eap_tls_session_resumption(dev, apdev):
3690     """EAP-TLS session resumption"""
3691     params = int_eap_server_params()
3692     params['tls_session_lifetime'] = '60'
3693     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3694     check_tls_session_resumption_capa(dev[0], hapd)
3695     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3696                 client_cert="auth_serv/user.pem",
3697                 private_key="auth_serv/user.key")
3698     if dev[0].get_status_field("tls_session_reused") != '0':
3699         raise Exception("Unexpected session resumption on the first connection")
3700
3701     dev[0].request("REAUTHENTICATE")
3702     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3703     if ev is None:
3704         raise Exception("EAP success timed out")
3705     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3706     if ev is None:
3707         raise Exception("Key handshake with the AP timed out")
3708     if dev[0].get_status_field("tls_session_reused") != '1':
3709         raise Exception("Session resumption not used on the second connection")
3710
3711     dev[0].request("REAUTHENTICATE")
3712     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3713     if ev is None:
3714         raise Exception("EAP success timed out")
3715     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3716     if ev is None:
3717         raise Exception("Key handshake with the AP timed out")
3718     if dev[0].get_status_field("tls_session_reused") != '1':
3719         raise Exception("Session resumption not used on the third connection")
3720
3721 def test_eap_tls_session_resumption_expiration(dev, apdev):
3722     """EAP-TLS session resumption"""
3723     params = int_eap_server_params()
3724     params['tls_session_lifetime'] = '1'
3725     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3726     check_tls_session_resumption_capa(dev[0], hapd)
3727     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3728                 client_cert="auth_serv/user.pem",
3729                 private_key="auth_serv/user.key")
3730     if dev[0].get_status_field("tls_session_reused") != '0':
3731         raise Exception("Unexpected session resumption on the first connection")
3732
3733     # Allow multiple attempts since OpenSSL may not expire the cached entry
3734     # immediately.
3735     for i in range(10):
3736         time.sleep(1.2)
3737
3738         dev[0].request("REAUTHENTICATE")
3739         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3740         if ev is None:
3741             raise Exception("EAP success timed out")
3742         ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3743         if ev is None:
3744             raise Exception("Key handshake with the AP timed out")
3745         if dev[0].get_status_field("tls_session_reused") == '0':
3746             break
3747     if dev[0].get_status_field("tls_session_reused") != '0':
3748         raise Exception("Session resumption used after lifetime expiration")
3749
3750 def test_eap_tls_no_session_resumption(dev, apdev):
3751     """EAP-TLS session resumption disabled on server"""
3752     params = int_eap_server_params()
3753     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3754     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3755                 client_cert="auth_serv/user.pem",
3756                 private_key="auth_serv/user.key")
3757     if dev[0].get_status_field("tls_session_reused") != '0':
3758         raise Exception("Unexpected session resumption on the first connection")
3759
3760     dev[0].request("REAUTHENTICATE")
3761     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3762     if ev is None:
3763         raise Exception("EAP success timed out")
3764     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3765     if ev is None:
3766         raise Exception("Key handshake with the AP timed out")
3767     if dev[0].get_status_field("tls_session_reused") != '0':
3768         raise Exception("Unexpected session resumption on the second connection")
3769
3770 def test_eap_tls_session_resumption_radius(dev, apdev):
3771     """EAP-TLS session resumption (RADIUS)"""
3772     params = { "ssid": "as", "beacon_int": "2000",
3773                "radius_server_clients": "auth_serv/radius_clients.conf",
3774                "radius_server_auth_port": '18128',
3775                "eap_server": "1",
3776                "eap_user_file": "auth_serv/eap_user.conf",
3777                "ca_cert": "auth_serv/ca.pem",
3778                "server_cert": "auth_serv/server.pem",
3779                "private_key": "auth_serv/server.key",
3780                "tls_session_lifetime": "60" }
3781     authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
3782     check_tls_session_resumption_capa(dev[0], authsrv)
3783
3784     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3785     params['auth_server_port'] = "18128"
3786     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3787     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3788                 client_cert="auth_serv/user.pem",
3789                 private_key="auth_serv/user.key")
3790     if dev[0].get_status_field("tls_session_reused") != '0':
3791         raise Exception("Unexpected session resumption on the first connection")
3792
3793     dev[0].request("REAUTHENTICATE")
3794     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3795     if ev is None:
3796         raise Exception("EAP success timed out")
3797     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3798     if ev is None:
3799         raise Exception("Key handshake with the AP timed out")
3800     if dev[0].get_status_field("tls_session_reused") != '1':
3801         raise Exception("Session resumption not used on the second connection")
3802
3803 def test_eap_tls_no_session_resumption_radius(dev, apdev):
3804     """EAP-TLS session resumption disabled (RADIUS)"""
3805     params = { "ssid": "as", "beacon_int": "2000",
3806                "radius_server_clients": "auth_serv/radius_clients.conf",
3807                "radius_server_auth_port": '18128',
3808                "eap_server": "1",
3809                "eap_user_file": "auth_serv/eap_user.conf",
3810                "ca_cert": "auth_serv/ca.pem",
3811                "server_cert": "auth_serv/server.pem",
3812                "private_key": "auth_serv/server.key",
3813                "tls_session_lifetime": "0" }
3814     hostapd.add_ap(apdev[1]['ifname'], params)
3815
3816     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3817     params['auth_server_port'] = "18128"
3818     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3819     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3820                 client_cert="auth_serv/user.pem",
3821                 private_key="auth_serv/user.key")
3822     if dev[0].get_status_field("tls_session_reused") != '0':
3823         raise Exception("Unexpected session resumption on the first connection")
3824
3825     dev[0].request("REAUTHENTICATE")
3826     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3827     if ev is None:
3828         raise Exception("EAP success timed out")
3829     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3830     if ev is None:
3831         raise Exception("Key handshake with the AP timed out")
3832     if dev[0].get_status_field("tls_session_reused") != '0':
3833         raise Exception("Unexpected session resumption on the second connection")
Moonshot GSS-API mechanism