1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger shared by the test functions in this file; each negative
# sub-case announces itself with logger.info() so the failure being
# exercised is visible in the run log next to the supplicant/hostapd output.
logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the calling test when the hlr_auc_gw control socket is absent.

    The EAP-SIM/AKA/AKA' tests in this file need the HLR/AuC gateway; its
    availability is detected purely by the presence of its UNIX socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    hlr_sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(hlr_sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the calling test unless dev's TLS library supports subject_match.

    Only the OpenSSL backend is accepted; the library name is read through
    the "GET tls_library" control interface command.

    Raises:
        HwsimSkip: when the reported TLS library does not start with "OpenSSL".
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip the calling test unless dev's TLS library supports altsubject_match.

    Matching on subjectAltName entries is only available with the OpenSSL
    backend, so any other "GET tls_library" answer skips the test.

    Raises:
        HwsimSkip: when the reported TLS library does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    is_openssl = tls_lib.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the calling test unless domain_suffix_match does true suffix matching.

    With TLS backends other than OpenSSL the domain_suffix_match option
    behaves as a full-match check, which the calling tests do not cover.

    Raises:
        HwsimSkip: when the reported TLS library does not start with "OpenSSL".
    """
    backend = dev.request("GET tls_library")
    skip_msg = "domain_suffix_match requires full match with this TLS library: " + backend
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip(skip_msg)
def check_cert_probe_support(dev):
    """Skip the calling test unless server certificate probing is available.

    Certificate probing is an OpenSSL-only feature in wpa_supplicant; the
    backend is identified via "GET tls_library".

    Raises:
        HwsimSkip: when the reported TLS library does not start with "OpenSSL".
    """
    tls_name = dev.request("GET tls_library")
    probing_available = tls_name.startswith("OpenSSL")
    if probing_available:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_name)
def check_ocsp_support(dev):
    """Skip the calling test when dev's TLS library cannot do OCSP.

    Unlike the other check_*_support helpers this one is a deny-list: only
    a BoringSSL backend is rejected, every other library is accepted.

    Raises:
        HwsimSkip: when "BoringSSL" appears in the reported TLS library name.
    """
    tls_name = dev.request("GET tls_library")
    if "BoringSSL" not in tls_name:
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + tls_name)
57 with open(fname, "r") as f:
68 return base64.b64decode(cert)
70 def eap_connect(dev, ap, method, identity,
71 sha256=False, expect_failure=False, local_error_report=False,
72 maybe_local_error=False, **kwargs):
73 hapd = hostapd.Hostapd(ap['ifname'])
74 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
75 eap=method, identity=identity,
76 wait_connect=False, scan_freq="2412", ieee80211w="1",
78 eap_check_auth(dev, method, True, sha256=sha256,
79 expect_failure=expect_failure,
80 local_error_report=local_error_report,
81 maybe_local_error=maybe_local_error)
84 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
86 raise Exception("No connection event received from hostapd")
89 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
90 expect_failure=False, local_error_report=False,
91 maybe_local_error=False):
92 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
94 raise Exception("Association and EAP start timed out")
95 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
96 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
98 raise Exception("EAP method selection timed out")
99 if "CTRL-EVENT-EAP-FAILURE" in ev:
100 if maybe_local_error:
102 raise Exception("Could not select EAP method")
104 raise Exception("Unexpected EAP method")
106 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
108 raise Exception("EAP failure timed out")
109 ev = dev.wait_disconnected(timeout=10)
110 if maybe_local_error and "locally_generated=1" in ev:
112 if not local_error_report:
113 if "reason=23" not in ev:
114 raise Exception("Proper reason code for disconnection not reported")
116 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
118 raise Exception("EAP success timed out")
121 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
123 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
125 raise Exception("Association with the AP timed out")
126 status = dev.get_status()
127 if status["wpa_state"] != "COMPLETED":
128 raise Exception("Connection not completed")
130 if status["suppPortStatus"] != "Authorized":
131 raise Exception("Port not authorized")
132 if method not in status["selectedMethod"]:
133 raise Exception("Incorrect EAP method status")
135 e = "WPA2-EAP-SHA256"
137 e = "WPA2/IEEE 802.1X/EAP"
139 e = "WPA/IEEE 802.1X/EAP"
140 if status["key_mgmt"] != e:
141 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
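def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False,
               local_error_report=False, maybe_local_error=False):
    """Force an EAP re-authentication on dev and validate the exchange.

    Sends the REAUTHENTICATE control command and then runs eap_check_auth()
    with initial=False, so the checks apply to the re-authentication round
    rather than to the initial association.

    Args:
        dev: wpa_supplicant instance to re-authenticate.
        method: expected EAP method name, checked against selectedMethod.
        rsn: forwarded to eap_check_auth(), which uses it together with
            sha256 to pick the expected key_mgmt status string.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt variant.
        expect_failure: expect an EAP failure instead of success.
        local_error_report: forwarded to eap_check_auth(); defaults to
            False so existing callers behave exactly as before.
        maybe_local_error: forwarded to eap_check_auth(); same default
            behaviour as above.

    Returns:
        Whatever eap_check_auth() returns for this exchange.
    """
    dev.request("REAUTHENTICATE")
    # eap_check_auth() accepts the local-error knobs as well; exposing them
    # here lets re-authentication tests describe the expected failure mode
    # the same way eap_connect() callers can.
    return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                          expect_failure=expect_failure,
                          local_error_report=local_error_report,
                          maybe_local_error=maybe_local_error)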
149 def test_ap_wpa2_eap_sim(dev, apdev):
150 """WPA2-Enterprise connection using EAP-SIM"""
151 check_hlr_auc_gw_support()
152 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
153 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
154 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
155 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156 hwsim_utils.test_connectivity(dev[0], hapd)
157 eap_reauth(dev[0], "SIM")
159 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
160 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
161 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
162 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
165 logger.info("Negative test with incorrect key")
166 dev[0].request("REMOVE_NETWORK all")
167 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
168 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
171 logger.info("Invalid GSM-Milenage key")
172 dev[0].request("REMOVE_NETWORK all")
173 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
174 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
177 logger.info("Invalid GSM-Milenage key(2)")
178 dev[0].request("REMOVE_NETWORK all")
179 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
180 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
183 logger.info("Invalid GSM-Milenage key(3)")
184 dev[0].request("REMOVE_NETWORK all")
185 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
189 logger.info("Invalid GSM-Milenage key(4)")
190 dev[0].request("REMOVE_NETWORK all")
191 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
192 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
195 logger.info("Missing key configuration")
196 dev[0].request("REMOVE_NETWORK all")
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
200 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
201 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
202 check_hlr_auc_gw_support()
206 raise HwsimSkip("No sqlite3 module available")
207 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
208 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
209 params['auth_server_port'] = "1814"
210 hostapd.add_ap(apdev[0]['ifname'], params)
211 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
212 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
214 logger.info("SIM fast re-authentication")
215 eap_reauth(dev[0], "SIM")
217 logger.info("SIM full auth with pseudonym")
220 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
221 eap_reauth(dev[0], "SIM")
223 logger.info("SIM full auth with permanent identity")
226 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
227 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
230 logger.info("SIM reauth with mismatching MK")
233 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
234 eap_reauth(dev[0], "SIM", expect_failure=True)
235 dev[0].request("REMOVE_NETWORK all")
237 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
238 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
241 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
242 eap_reauth(dev[0], "SIM")
245 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
246 logger.info("SIM reauth with mismatching counter")
247 eap_reauth(dev[0], "SIM")
248 dev[0].request("REMOVE_NETWORK all")
250 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
251 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
254 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
255 logger.info("SIM reauth with max reauth count reached")
256 eap_reauth(dev[0], "SIM")
258 def test_ap_wpa2_eap_sim_config(dev, apdev):
259 """EAP-SIM configuration options"""
260 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
261 hostapd.add_ap(apdev[0]['ifname'], params)
262 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
263 identity="1232010000000000",
264 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
265 phase1="sim_min_num_chal=1",
266 wait_connect=False, scan_freq="2412")
267 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
269 raise Exception("No EAP error message seen")
270 dev[0].request("REMOVE_NETWORK all")
272 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
273 identity="1232010000000000",
274 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
275 phase1="sim_min_num_chal=4",
276 wait_connect=False, scan_freq="2412")
277 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
279 raise Exception("No EAP error message seen (2)")
280 dev[0].request("REMOVE_NETWORK all")
282 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
283 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
284 phase1="sim_min_num_chal=2")
285 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
287 anonymous_identity="345678")
289 def test_ap_wpa2_eap_sim_ext(dev, apdev):
290 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
292 _test_ap_wpa2_eap_sim_ext(dev, apdev)
294 dev[0].request("SET external_sim 0")
296 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
297 check_hlr_auc_gw_support()
298 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
299 hostapd.add_ap(apdev[0]['ifname'], params)
300 dev[0].request("SET external_sim 1")
301 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
302 identity="1232010000000000",
303 wait_connect=False, scan_freq="2412")
304 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
306 raise Exception("Network connected timed out")
308 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
310 raise Exception("Wait for external SIM processing request timed out")
312 if p[1] != "GSM-AUTH":
313 raise Exception("Unexpected CTRL-REQ-SIM type")
314 rid = p[0].split('-')[3]
317 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
318 # This will fail during processing, but the ctrl_iface command succeeds
319 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
320 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
322 raise Exception("EAP failure not reported")
323 dev[0].request("DISCONNECT")
324 dev[0].wait_disconnected()
327 dev[0].select_network(id, freq="2412")
328 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
330 raise Exception("Wait for external SIM processing request timed out")
332 if p[1] != "GSM-AUTH":
333 raise Exception("Unexpected CTRL-REQ-SIM type")
334 rid = p[0].split('-')[3]
335 # This will fail during GSM auth validation
336 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
337 raise Exception("CTRL-RSP-SIM failed")
338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
340 raise Exception("EAP failure not reported")
341 dev[0].request("DISCONNECT")
342 dev[0].wait_disconnected()
345 dev[0].select_network(id, freq="2412")
346 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
348 raise Exception("Wait for external SIM processing request timed out")
350 if p[1] != "GSM-AUTH":
351 raise Exception("Unexpected CTRL-REQ-SIM type")
352 rid = p[0].split('-')[3]
353 # This will fail during GSM auth validation
354 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
355 raise Exception("CTRL-RSP-SIM failed")
356 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
358 raise Exception("EAP failure not reported")
359 dev[0].request("DISCONNECT")
360 dev[0].wait_disconnected()
363 dev[0].select_network(id, freq="2412")
364 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
366 raise Exception("Wait for external SIM processing request timed out")
368 if p[1] != "GSM-AUTH":
369 raise Exception("Unexpected CTRL-REQ-SIM type")
370 rid = p[0].split('-')[3]
371 # This will fail during GSM auth validation
372 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
373 raise Exception("CTRL-RSP-SIM failed")
374 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
376 raise Exception("EAP failure not reported")
377 dev[0].request("DISCONNECT")
378 dev[0].wait_disconnected()
381 dev[0].select_network(id, freq="2412")
382 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
384 raise Exception("Wait for external SIM processing request timed out")
386 if p[1] != "GSM-AUTH":
387 raise Exception("Unexpected CTRL-REQ-SIM type")
388 rid = p[0].split('-')[3]
389 # This will fail during GSM auth validation
390 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
391 raise Exception("CTRL-RSP-SIM failed")
392 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
394 raise Exception("EAP failure not reported")
395 dev[0].request("DISCONNECT")
396 dev[0].wait_disconnected()
399 dev[0].select_network(id, freq="2412")
400 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid = p[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
412 raise Exception("EAP failure not reported")
413 dev[0].request("DISCONNECT")
414 dev[0].wait_disconnected()
417 dev[0].select_network(id, freq="2412")
418 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid = p[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
430 raise Exception("EAP failure not reported")
432 def test_ap_wpa2_eap_sim_oom(dev, apdev):
433 """EAP-SIM and OOM"""
434 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
435 hostapd.add_ap(apdev[0]['ifname'], params)
436 tests = [ (1, "milenage_f2345"),
437 (2, "milenage_f2345"),
438 (3, "milenage_f2345"),
439 (4, "milenage_f2345"),
440 (5, "milenage_f2345"),
441 (6, "milenage_f2345"),
442 (7, "milenage_f2345"),
443 (8, "milenage_f2345"),
444 (9, "milenage_f2345"),
445 (10, "milenage_f2345"),
446 (11, "milenage_f2345"),
447 (12, "milenage_f2345") ]
448 for count, func in tests:
449 with alloc_fail(dev[0], count, func):
450 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
451 identity="1232010000000000",
452 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
453 wait_connect=False, scan_freq="2412")
454 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
456 raise Exception("EAP method not selected")
457 dev[0].wait_disconnected()
458 dev[0].request("REMOVE_NETWORK all")
460 def test_ap_wpa2_eap_aka(dev, apdev):
461 """WPA2-Enterprise connection using EAP-AKA"""
462 check_hlr_auc_gw_support()
463 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
464 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
465 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
466 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
467 hwsim_utils.test_connectivity(dev[0], hapd)
468 eap_reauth(dev[0], "AKA")
470 logger.info("Negative test with incorrect key")
471 dev[0].request("REMOVE_NETWORK all")
472 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
473 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
476 logger.info("Invalid Milenage key")
477 dev[0].request("REMOVE_NETWORK all")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
482 logger.info("Invalid Milenage key(2)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
487 logger.info("Invalid Milenage key(3)")
488 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
492 logger.info("Invalid Milenage key(4)")
493 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
494 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
497 logger.info("Invalid Milenage key(5)")
498 dev[0].request("REMOVE_NETWORK all")
499 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
503 logger.info("Invalid Milenage key(6)")
504 dev[0].request("REMOVE_NETWORK all")
505 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
506 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
509 logger.info("Missing key configuration")
510 dev[0].request("REMOVE_NETWORK all")
511 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
514 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
515 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
516 check_hlr_auc_gw_support()
520 raise HwsimSkip("No sqlite3 module available")
521 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
522 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
523 params['auth_server_port'] = "1814"
524 hostapd.add_ap(apdev[0]['ifname'], params)
525 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
526 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
528 logger.info("AKA fast re-authentication")
529 eap_reauth(dev[0], "AKA")
531 logger.info("AKA full auth with pseudonym")
534 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
535 eap_reauth(dev[0], "AKA")
537 logger.info("AKA full auth with permanent identity")
540 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
541 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
542 eap_reauth(dev[0], "AKA")
544 logger.info("AKA reauth with mismatching MK")
547 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
548 eap_reauth(dev[0], "AKA", expect_failure=True)
549 dev[0].request("REMOVE_NETWORK all")
551 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
552 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
555 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
556 eap_reauth(dev[0], "AKA")
559 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
560 logger.info("AKA reauth with mismatching counter")
561 eap_reauth(dev[0], "AKA")
562 dev[0].request("REMOVE_NETWORK all")
564 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
565 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
568 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
569 logger.info("AKA reauth with max reauth count reached")
570 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same Milenage credential triple (presumably Ki:OPc:SQN) as the other
    # EAP-AKA tests in this file; what is specific here is anonymous_identity,
    # which exercises the identity-privacy option of the method.
    milenage_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage_key,
                anonymous_identity="2345678")
580 def test_ap_wpa2_eap_aka_ext(dev, apdev):
581 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
583 _test_ap_wpa2_eap_aka_ext(dev, apdev)
585 dev[0].request("SET external_sim 0")
587 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
588 check_hlr_auc_gw_support()
589 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
590 hostapd.add_ap(apdev[0]['ifname'], params)
591 dev[0].request("SET external_sim 1")
592 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
593 identity="0232010000000000",
594 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
595 wait_connect=False, scan_freq="2412")
596 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
598 raise Exception("Network connected timed out")
600 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
602 raise Exception("Wait for external SIM processing request timed out")
604 if p[1] != "UMTS-AUTH":
605 raise Exception("Unexpected CTRL-REQ-SIM type")
606 rid = p[0].split('-')[3]
609 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
610 # This will fail during processing, but the ctrl_iface command succeeds
611 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
612 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
614 raise Exception("EAP failure not reported")
615 dev[0].request("DISCONNECT")
616 dev[0].wait_disconnected()
619 dev[0].select_network(id, freq="2412")
620 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
622 raise Exception("Wait for external SIM processing request timed out")
624 if p[1] != "UMTS-AUTH":
625 raise Exception("Unexpected CTRL-REQ-SIM type")
626 rid = p[0].split('-')[3]
627 # This will fail during UMTS auth validation
628 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
629 raise Exception("CTRL-RSP-SIM failed")
630 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
632 raise Exception("Wait for external SIM processing request timed out")
634 if p[1] != "UMTS-AUTH":
635 raise Exception("Unexpected CTRL-REQ-SIM type")
636 rid = p[0].split('-')[3]
637 # This will fail during UMTS auth validation
638 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
639 raise Exception("CTRL-RSP-SIM failed")
640 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
642 raise Exception("EAP failure not reported")
643 dev[0].request("DISCONNECT")
644 dev[0].wait_disconnected()
647 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
649 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
650 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
651 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
652 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
653 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
655 dev[0].select_network(id, freq="2412")
656 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid = p[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
668 raise Exception("EAP failure not reported")
669 dev[0].request("DISCONNECT")
670 dev[0].wait_disconnected()
673 def test_ap_wpa2_eap_aka_prime(dev, apdev):
674 """WPA2-Enterprise connection using EAP-AKA'"""
675 check_hlr_auc_gw_support()
676 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
677 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
678 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
680 hwsim_utils.test_connectivity(dev[0], hapd)
681 eap_reauth(dev[0], "AKA'")
683 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
684 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
685 identity="6555444333222111@both",
686 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
687 wait_connect=False, scan_freq="2412")
688 dev[1].wait_connected(timeout=15)
690 logger.info("Negative test with incorrect key")
691 dev[0].request("REMOVE_NETWORK all")
692 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
693 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
696 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
697 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
698 check_hlr_auc_gw_support()
702 raise HwsimSkip("No sqlite3 module available")
703 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
704 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
705 params['auth_server_port'] = "1814"
706 hostapd.add_ap(apdev[0]['ifname'], params)
707 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
708 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
710 logger.info("AKA' fast re-authentication")
711 eap_reauth(dev[0], "AKA'")
713 logger.info("AKA' full auth with pseudonym")
716 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
717 eap_reauth(dev[0], "AKA'")
719 logger.info("AKA' full auth with permanent identity")
722 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
723 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
724 eap_reauth(dev[0], "AKA'")
726 logger.info("AKA' reauth with mismatching k_aut")
729 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
730 eap_reauth(dev[0], "AKA'", expect_failure=True)
731 dev[0].request("REMOVE_NETWORK all")
733 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
734 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
737 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
738 eap_reauth(dev[0], "AKA'")
741 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
742 logger.info("AKA' reauth with mismatching counter")
743 eap_reauth(dev[0], "AKA'")
744 dev[0].request("REMOVE_NETWORK all")
746 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
747 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
750 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
751 logger.info("AKA' reauth with max reauth count reached")
752 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side before connecting: the first key_mgmt entry
    # reported by GET_CONFIG has to be WPA-EAP for an Enterprise network.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP carries the inner password as-is inside the TLS tunnel, so the
    # ca_cert trust anchor is what ties that tunnel to the intended server.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X (EAP) AKM suite selector; both the
    # requested and the selected MIB entries must report it.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options are only honoured by the OpenSSL backend; skip
    # early on other TLS libraries instead of failing the connection.
    for precheck in (check_subject_match_support, check_altsubject_match_support):
        precheck(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # On top of the CA trust anchor, pin the server certificate's subject DN
    # and its subjectAltName entries (email, DNS and URI) for this network.
    matchers = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                    altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **matchers)
    eap_reauth(dev[0], "TTLS")
782 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
783 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
784 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
785 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
786 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
787 anonymous_identity="ttls", password="wrong",
788 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
790 eap_connect(dev[1], apdev[0], "TTLS", "user",
791 anonymous_identity="ttls", password="password",
792 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP's challenge response is MD5-based, which FIPS builds do not
    # provide, so the test is skipped there.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Note the DER-encoded CA file here, as opposed to the PEM file used by
    # the PAP variants: both encodings are expected to work for ca_cert.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
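def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # CHAP's challenge response is MD5-based, which FIPS builds do not
    # provide; altsubject_match is an OpenSSL-only option.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The hostapd handle is not needed afterwards (no connectivity check in
    # this variant), so it is not kept.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The subjectAltName entries are listed in a different order than in the
    # PAP variant, presumably so that matching does not depend on entry order.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")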
818 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
819 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
820 skip_with_fips(dev[0])
821 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
822 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
823 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
824 anonymous_identity="ttls", password="wrong",
825 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
827 eap_connect(dev[1], apdev[0], "TTLS", "user",
828 anonymous_identity="ttls", password="password",
829 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
832 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
833 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
834 skip_with_fips(dev[0])
835 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
836 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
837 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
838 anonymous_identity="ttls", password="password",
839 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
840 domain_suffix_match="server.w1.fi")
841 hwsim_utils.test_connectivity(dev[0], hapd)
842 eap_reauth(dev[0], "TTLS")
843 dev[0].request("REMOVE_NETWORK all")
844 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
845 anonymous_identity="ttls", password="password",
846 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
849 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
850 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
851 skip_with_fips(dev[0])
852 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
853 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
854 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
855 anonymous_identity="ttls", password="wrong",
856 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
858 eap_connect(dev[1], apdev[0], "TTLS", "user",
859 anonymous_identity="ttls", password="password",
860 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
862 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
863 anonymous_identity="ttls", password="password",
864 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
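def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "DOMAIN\\mschapv2 user" is byte-identical to the old "DOMAIN\mschapv2
    # user" at runtime; the escaped backslash avoids the invalid escape
    # sequence ("\m") that newer Python versions warn about.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side station and EAPOL counters, re-authenticate and
    # verify from the counters that a full EAP exchange really took place
    # (rather than the station merely staying associated).
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, but the credential is supplied as the NT password hash
    # (MD4 over the UTF-16LE password) instead of the clear-text password.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")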
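def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Suffix (as opposed to full) matching of the server certificate domain
    # needs a TLS library that supports it; skip otherwise and in FIPS mode.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" yields the same runtime string as the previous "\m" while not
    # being an invalid escape sequence.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")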
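def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the full server name to match; the mixed-case
    # value exercises case-insensitive comparison of the certificate name.
    # "\\m" keeps the identity byte-identical to the old "\m" literal
    # without relying on an invalid escape sequence.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")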
924 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
925 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
926 skip_with_fips(dev[0])
927 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
928 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
929 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
930 anonymous_identity="ttls", password="password1",
931 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
933 eap_connect(dev[1], apdev[0], "TTLS", "user",
934 anonymous_identity="ttls", password="password",
935 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    shared = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Clear-text password with non-ASCII characters (file is UTF-8 encoded).
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **shared)
    # Second station presents the credential as an NT hash instead; the two
    # identities presumably map to the two credential forms on the server.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **shared)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    # "autheap=GTC": EAP-GTC runs as an inner EAP method inside the TTLS
    # tunnel ("auth=..." would select a non-EAP inner method instead).
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
962 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
963 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
964 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
965 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
966 eap_connect(dev[0], apdev[0], "TTLS", "user",
967 anonymous_identity="ttls", password="wrong",
968 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
971 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
972 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
973 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
974 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
975 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
976 anonymous_identity="ttls", password="password",
977 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
980 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
981 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
982 params = int_eap_server_params()
983 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984 with alloc_fail(hapd, 1, "eap_gtc_init"):
985 eap_connect(dev[0], apdev[0], "TTLS", "user",
986 anonymous_identity="ttls", password="password",
987 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
989 dev[0].request("REMOVE_NETWORK all")
991 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
992 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
993 eap="TTLS", identity="user",
994 anonymous_identity="ttls", password="password",
995 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
996 wait_connect=False, scan_freq="2412")
997 # This would eventually time out, but we can stop after having reached
998 # the allocation failure.
1001 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip rather than fail without it.
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 is only acceptable here because it runs inside the TTLS tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: a wrong inner password must be rejected by the server.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password configured on the server
    # side, so the inner EAP-MD5 authentication is expected to fail.
    no_passwd_user = dict(anonymous_identity="ttls", password="password",
                          ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **no_passwd_user)
1035 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1036 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1037 check_eap_capa(dev[0], "MD5")
1038 params = int_eap_server_params()
1039 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1040 with alloc_fail(hapd, 1, "eap_md5_init"):
1041 eap_connect(dev[0], apdev[0], "TTLS", "user",
1042 anonymous_identity="ttls", password="password",
1043 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1044 expect_failure=True)
1045 dev[0].request("REMOVE_NETWORK all")
1047 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1048 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1049 eap="TTLS", identity="user",
1050 anonymous_identity="ttls", password="password",
1051 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1052 wait_connect=False, scan_freq="2412")
1053 # This would eventually time out, but we can stop after having reached
1054 # the allocation failure.
1057 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MSCHAPv2 as the inner EAP method of the TTLS tunnel.
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same profile with a wrong password must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no server-side password, so the inner
    # EAP-MSCHAPv2 exchange is expected to fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1088 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1089 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1090 check_eap_capa(dev[0], "MSCHAPV2")
1091 params = int_eap_server_params()
1092 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1093 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1094 eap_connect(dev[0], apdev[0], "TTLS", "user",
1095 anonymous_identity="ttls", password="password",
1096 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1097 expect_failure=True)
1098 dev[0].request("REMOVE_NETWORK all")
1100 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1101 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1102 eap="TTLS", identity="user",
1103 anonymous_identity="ttls", password="password",
1104 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1105 wait_connect=False, scan_freq="2412")
1106 # This would eventually time out, but we can stop after having reached
1107 # the allocation failure.
1110 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1112 dev[0].request("REMOVE_NETWORK all")
1114 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1115 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1116 eap="TTLS", identity="user",
1117 anonymous_identity="ttls", password="password",
1118 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1119 wait_connect=False, scan_freq="2412")
1120 # This would eventually time out, but we can stop after having reached
1121 # the allocation failure.
1124 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1126 dev[0].request("REMOVE_NETWORK all")
1128 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1129 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1130 eap="TTLS", identity="user",
1131 anonymous_identity="ttls", password="wrong",
1132 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1133 wait_connect=False, scan_freq="2412")
1134 # This would eventually time out, but we can stop after having reached
1135 # the allocation failure.
1138 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1140 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside the TTLS tunnel. The identity is the test IMSI and the
    # "password" carries the simulated USIM secrets (Ki:OPc:SQN) used by the
    # hwsim test setup.
    imsi = "0232010000000000"
    aka_secrets = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_secrets,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA as the PEAP inner method; the "password" holds the simulated
    # USIM secrets (Ki:OPc:SQN) for the test IMSI.
    imsi = "0232010000000000"
    aka_secrets = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_secrets,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_secrets = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # fast_provisioning=2 selects authenticated PAC provisioning; the PAC is
    # kept in a config blob rather than a file.
    fast_cfg = dict(anonymous_identity=imsi + "@fast",
                    password=aka_secrets,
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka",
                    ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_connect(dev[0], apdev[0], "FAST", imsi, **fast_cfg)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peap = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Same profile with a small EAP fragment size to force fragmentation of
    # the TLS handshake.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT password hash in place of the clear-text password.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **peap)
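def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The identity carries a Windows-style "DOMAIN\user" prefix. The
    # backslash must be escaped: "\u" is not a valid escape in a str literal
    # (Python 3 rejects "DOMAIN\user3" outright, since "\u" must be followed
    # by four hex digits); "DOMAIN\\user3" is the intended runtime value.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")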
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Negative case: the server must reject the wrong inner password.
    bad_cred = dict(anonymous_identity="peap", password="wrong",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **bad_cred)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_with_binding(sta, mode):
        # PEAPv0 with the given crypto_binding setting:
        # 2 = required, 1 = optional, 0 = disabled.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % mode,
                    phase2="auth=MSCHAPV2")

    # Crypto binding required: ties the inner MSCHAPv2 result to the outer
    # TLS tunnel so a relayed inner exchange cannot be accepted.
    connect_with_binding(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must still interoperate with the server.
    connect_with_binding(dev[1], 1)
    connect_with_binding(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Make the server's first eap_mschapv2_getKey() allocation fail. With
    # crypto binding required, the connection is expected to fail and the
    # failure to be reported locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1256 def test_ap_wpa2_eap_peap_params(dev, apdev):
1257 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1258 check_eap_capa(dev[0], "MSCHAPV2")
1259 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1260 hostapd.add_ap(apdev[0]['ifname'], params)
1261 eap_connect(dev[0], apdev[0], "PEAP", "user",
1262 anonymous_identity="peap", password="password",
1263 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1264 phase1="peapver=0 peaplabel=1",
1265 expect_failure=True)
1266 dev[0].request("REMOVE_NETWORK all")
1267 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1268 ca_cert="auth_serv/ca.pem",
1269 phase1="peap_outer_success=1",
1270 phase2="auth=MSCHAPV2")
1271 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1272 ca_cert="auth_serv/ca.pem",
1273 phase1="peap_outer_success=2",
1274 phase2="auth=MSCHAPV2")
1275 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1277 anonymous_identity="peap", password="password",
1278 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1279 phase1="peapver=1 peaplabel=1",
1280 wait_connect=False, scan_freq="2412")
1281 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1283 raise Exception("No EAP success seen")
1284 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1286 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer PEAP validates the server with ca_cert; the inner EAP-TLS uses
    # the phase 2 (*2) credentials for client certificate authentication.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: CA for server validation plus the
    # client certificate and key from files.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
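def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, data):
        # Store the decoded certificate/key bytes as a named wpa_supplicant
        # config blob; the ctrl interface takes the contents hex-encoded.
        # str.encode("hex") is Python 2 only, which this file already assumes.
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    # The failure message previously said "cacert" for this step; it now
    # names the blob that actually failed.
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    # All three credentials are referenced via blob:// instead of file paths.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")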
1325 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1326 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1327 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1328 hostapd.add_ap(apdev[0]['ifname'], params)
1329 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1330 private_key="auth_serv/user.pkcs12",
1331 private_key_passwd="whatever")
1332 dev[0].request("REMOVE_NETWORK all")
1333 dev[0].wait_disconnected()
1335 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1336 identity="tls user",
1337 ca_cert="auth_serv/ca.pem",
1338 private_key="auth_serv/user.pkcs12",
1339 wait_connect=False, scan_freq="2412")
1340 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1342 raise Exception("Request for private key passphrase timed out")
1343 id = ev.split(':')[0].split('-')[-1]
1344 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1345 dev[0].wait_connected(timeout=10)
1346 dev[0].request("REMOVE_NETWORK all")
1347 dev[0].wait_disconnected()
1349 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1350 # different files to cover both cases of the extra certificate being the
1351 # one that signed the client certificate and it being unrelated to the
1352 # client certificate.
1353 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1355 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1356 ca_cert="auth_serv/ca.pem",
1358 private_key_passwd="whatever")
1359 dev[0].request("REMOVE_NETWORK all")
1360 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CA certificate as a config blob (hex-encoded over the ctrl interface;
    # str.encode("hex") is Python 2 only, as elsewhere in this file).
    ca_der = read_pem("auth_serv/ca.pem")
    reply = dev[0].request("SET blob cacert " + ca_der.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set cacert blob")
    # PKCS#12 bundle (client cert + key) read as raw bytes into a second blob.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
        reply = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set pkcs12 blob")
    # The PKCS#12 password is needed to unlock the private key in the blob.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1376 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1377 """WPA2-Enterprise negative test - incorrect trust root"""
1378 check_eap_capa(dev[0], "MSCHAPV2")
1379 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1380 hostapd.add_ap(apdev[0]['ifname'], params)
1381 cert = read_pem("auth_serv/ca-incorrect.pem")
1382 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1383 raise Exception("Could not set cacert blob")
1384 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386 password="password", phase2="auth=MSCHAPV2",
1387 ca_cert="blob://cacert",
1388 wait_connect=False, scan_freq="2412")
1389 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1390 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1391 password="password", phase2="auth=MSCHAPV2",
1392 ca_cert="auth_serv/ca-incorrect.pem",
1393 wait_connect=False, scan_freq="2412")
1395 for dev in (dev[0], dev[1]):
1396 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1398 raise Exception("Association and EAP start timed out")
1400 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1402 raise Exception("EAP method selection timed out")
1403 if "TTLS" not in ev:
1404 raise Exception("Unexpected EAP method")
1406 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1407 "CTRL-EVENT-EAP-SUCCESS",
1408 "CTRL-EVENT-EAP-FAILURE",
1409 "CTRL-EVENT-CONNECTED",
1410 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1412 raise Exception("EAP result timed out")
1413 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1414 raise Exception("TLS certificate error not reported")
1416 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1417 "CTRL-EVENT-EAP-FAILURE",
1418 "CTRL-EVENT-CONNECTED",
1419 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1421 raise Exception("EAP result(2) timed out")
1422 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1423 raise Exception("EAP failure not reported")
1425 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1426 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1428 raise Exception("EAP result(3) timed out")
1429 if "CTRL-EVENT-DISCONNECTED" not in ev:
1430 raise Exception("Disconnection not reported")
1432 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1434 raise Exception("Network block disabling not reported")
1436 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1437 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1438 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1439 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1440 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441 identity="pap user", anonymous_identity="ttls",
1442 password="password", phase2="auth=PAP",
1443 ca_cert="auth_serv/ca.pem",
1444 wait_connect=True, scan_freq="2412")
1445 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1446 identity="pap user", anonymous_identity="ttls",
1447 password="password", phase2="auth=PAP",
1448 ca_cert="auth_serv/ca-incorrect.pem",
1449 only_add_network=True, scan_freq="2412")
1451 dev[0].request("DISCONNECT")
1452 dev[0].wait_disconnected()
1453 dev[0].dump_monitor()
1454 dev[0].select_network(id, freq="2412")
1456 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1458 raise Exception("EAP-TTLS not re-started")
1460 ev = dev[0].wait_disconnected(timeout=15)
1461 if "reason=23" not in ev:
1462 raise Exception("Proper reason code for disconnection not reported")
1464 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1465 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1466 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1467 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1469 identity="pap user", anonymous_identity="ttls",
1470 password="password", phase2="auth=PAP",
1471 wait_connect=True, scan_freq="2412")
1472 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1473 identity="pap user", anonymous_identity="ttls",
1474 password="password", phase2="auth=PAP",
1475 ca_cert="auth_serv/ca-incorrect.pem",
1476 only_add_network=True, scan_freq="2412")
1478 dev[0].request("DISCONNECT")
1479 dev[0].wait_disconnected()
1480 dev[0].dump_monitor()
1481 dev[0].select_network(id, freq="2412")
1483 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1485 raise Exception("EAP-TTLS not re-started")
1487 ev = dev[0].wait_disconnected(timeout=15)
1488 if "reason=23" not in ev:
1489 raise Exception("Proper reason code for disconnection not reported")
1491 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1492 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1494 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1495 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1496 identity="pap user", anonymous_identity="ttls",
1497 password="password", phase2="auth=PAP",
1498 ca_cert="auth_serv/ca.pem",
1499 wait_connect=True, scan_freq="2412")
1500 dev[0].request("DISCONNECT")
1501 dev[0].wait_disconnected()
1502 dev[0].dump_monitor()
1503 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1504 dev[0].select_network(id, freq="2412")
1506 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1508 raise Exception("EAP-TTLS not re-started")
1510 ev = dev[0].wait_disconnected(timeout=15)
1511 if "reason=23" not in ev:
1512 raise Exception("Proper reason code for disconnection not reported")
1514 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1515 """WPA2-Enterprise negative test - domain suffix mismatch"""
1516 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1517 hostapd.add_ap(apdev[0]['ifname'], params)
1518 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1519 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1520 password="password", phase2="auth=MSCHAPV2",
1521 ca_cert="auth_serv/ca.pem",
1522 domain_suffix_match="incorrect.example.com",
1523 wait_connect=False, scan_freq="2412")
1525 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1527 raise Exception("Association and EAP start timed out")
1529 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1531 raise Exception("EAP method selection timed out")
1532 if "TTLS" not in ev:
1533 raise Exception("Unexpected EAP method")
1535 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1536 "CTRL-EVENT-EAP-SUCCESS",
1537 "CTRL-EVENT-EAP-FAILURE",
1538 "CTRL-EVENT-CONNECTED",
1539 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1541 raise Exception("EAP result timed out")
1542 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1543 raise Exception("TLS certificate error not reported")
1544 if "Domain suffix mismatch" not in ev:
1545 raise Exception("Domain suffix mismatch not reported")
1547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1548 "CTRL-EVENT-EAP-FAILURE",
1549 "CTRL-EVENT-CONNECTED",
1550 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1552 raise Exception("EAP result(2) timed out")
1553 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1554 raise Exception("EAP failure not reported")
1556 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1557 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1559 raise Exception("EAP result(3) timed out")
1560 if "CTRL-EVENT-DISCONNECTED" not in ev:
1561 raise Exception("Disconnection not reported")
1563 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1565 raise Exception("Network block disabling not reported")
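def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    The station is configured with domain_match="w1.fi", which the test
    server's certificate does not satisfy. The full failure sequence is
    checked in order: EAP starts, EAP-TTLS is selected, a TLS certificate
    error carrying "Domain mismatch" is reported, EAP fails, the station
    disconnects, and the network block is temporarily disabled. At no
    point may the connection succeed.

    Raises Exception on any deviation from that sequence or on timeout.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is a single literal backslash; the bare "\m" it replaces is an
    # invalid escape sequence (a SyntaxWarning on current Python) that
    # happened to yield the same runtime string.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # None from wait_event() means the event did not arrive within the timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Waiting on all possible outcomes at once: anything other than the
    # certificate error arriving first means validation was skipped or
    # the wrong result was produced.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The failed network block is expected to be temporarily disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")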
1620 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1621 """WPA2-Enterprise negative test - subject mismatch"""
1622 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1623 hostapd.add_ap(apdev[0]['ifname'], params)
1624 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1625 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1626 password="password", phase2="auth=MSCHAPV2",
1627 ca_cert="auth_serv/ca.pem",
1628 subject_match="/C=FI/O=w1.fi/CN=example.com",
1629 wait_connect=False, scan_freq="2412")
1631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1633 raise Exception("Association and EAP start timed out")
1635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1636 "EAP: Failed to initialize EAP method"], timeout=10)
1638 raise Exception("EAP method selection timed out")
1639 if "EAP: Failed to initialize EAP method" in ev:
1640 tls = dev[0].request("GET tls_library")
1641 if tls.startswith("OpenSSL"):
1642 raise Exception("Failed to select EAP method")
1643 logger.info("subject_match not supported - connection failed, so test succeeded")
1645 if "TTLS" not in ev:
1646 raise Exception("Unexpected EAP method")
1648 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1649 "CTRL-EVENT-EAP-SUCCESS",
1650 "CTRL-EVENT-EAP-FAILURE",
1651 "CTRL-EVENT-CONNECTED",
1652 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1654 raise Exception("EAP result timed out")
1655 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1656 raise Exception("TLS certificate error not reported")
1657 if "Subject mismatch" not in ev:
1658 raise Exception("Subject mismatch not reported")
1660 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1661 "CTRL-EVENT-EAP-FAILURE",
1662 "CTRL-EVENT-CONNECTED",
1663 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1665 raise Exception("EAP result(2) timed out")
1666 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1667 raise Exception("EAP failure not reported")
1669 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1670 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1672 raise Exception("EAP result(3) timed out")
1673 if "CTRL-EVENT-DISCONNECTED" not in ev:
1674 raise Exception("Disconnection not reported")
1676 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1678 raise Exception("Network block disabling not reported")
1680 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1681 """WPA2-Enterprise negative test - altsubject mismatch"""
1682 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1683 hostapd.add_ap(apdev[0]['ifname'], params)
1685 tests = [ "incorrect.example.com",
1686 "DNS:incorrect.example.com",
1690 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1692 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1693 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1694 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1695 password="password", phase2="auth=MSCHAPV2",
1696 ca_cert="auth_serv/ca.pem",
1697 altsubject_match=match,
1698 wait_connect=False, scan_freq="2412")
1700 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1702 raise Exception("Association and EAP start timed out")
1704 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1705 "EAP: Failed to initialize EAP method"], timeout=10)
1707 raise Exception("EAP method selection timed out")
1708 if "EAP: Failed to initialize EAP method" in ev:
1709 tls = dev[0].request("GET tls_library")
1710 if tls.startswith("OpenSSL"):
1711 raise Exception("Failed to select EAP method")
1712 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1714 if "TTLS" not in ev:
1715 raise Exception("Unexpected EAP method")
1717 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1718 "CTRL-EVENT-EAP-SUCCESS",
1719 "CTRL-EVENT-EAP-FAILURE",
1720 "CTRL-EVENT-CONNECTED",
1721 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1723 raise Exception("EAP result timed out")
1724 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1725 raise Exception("TLS certificate error not reported")
1726 if "AltSubject mismatch" not in ev:
1727 raise Exception("altsubject mismatch not reported")
1729 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1730 "CTRL-EVENT-EAP-FAILURE",
1731 "CTRL-EVENT-CONNECTED",
1732 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1734 raise Exception("EAP result(2) timed out")
1735 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1736 raise Exception("EAP failure not reported")
1738 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1739 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1741 raise Exception("EAP result(3) timed out")
1742 if "CTRL-EVENT-DISCONNECTED" not in ev:
1743 raise Exception("Disconnection not reported")
1745 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1747 raise Exception("Network block disabling not reported")
1749 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Brings up the standard test AP, connects with the UNAUTH-TLS method
    (server authenticated against auth_serv/ca.pem) and then performs one
    re-authentication with the same method.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
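def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises the hash-pinned trust anchor in three steps:

    1. ca_cert="probe://" only probes the server certificate chain. The
       depth=0 CTRL-EVENT-EAP-PEER-CERT event must carry the expected
       SHA-256 hash, and the attempt must end in a "Server certificate
       chain probe" TLS error followed by disconnection - probing must
       never complete the authentication.
    2. ca_cert="hash://server/sha256/<wrong hash>" must be rejected with
       a "Server certificate mismatch" TLS error and a disconnection.
    3. ca_cert="hash://server/sha256/<probed hash>" must authenticate.

    Skipped when the TLS library does not support certificate probing or
    when running in FIPS mode.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 of the test server's certificate: reported by the probe run
    # below and pinned in the final connection.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe only.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin to a hash that does not match the server certificate.
    # "\\m" is a single literal backslash; the bare "\m" it replaces is an
    # invalid escape sequence with the same runtime value.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin to the probed hash; this one must connect.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")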
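def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// trust anchors are configured, one per station:
    an md5 hash algorithm, a sha256 value that is too short, and a sha256
    value containing a non-hex character ("Q"). Each must make EAP-TTLS
    fail at method initialization ("Failed to initialize EAP method")
    rather than proceed with a broken pin.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is a single literal backslash; the bare "\m" it replaces is an
    # invalid escape sequence with the same runtime value.
    identity = "DOMAIN\\mschapv2 user"
    invalid_ca_certs = [
        # unsupported hash algorithm
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # too short for SHA-256 (62 hex digits instead of 64)
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character in the last position
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for i, ca_cert in enumerate(invalid_ca_certs):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=identity, anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=ca_cert,
                       wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")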
1833 def test_ap_wpa2_eap_pwd(dev, apdev):
1834 """WPA2-Enterprise connection using EAP-pwd"""
1835 check_eap_capa(dev[0], "PWD")
1836 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1837 hostapd.add_ap(apdev[0]['ifname'], params)
1838 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1839 eap_reauth(dev[0], "PWD")
1840 dev[0].request("REMOVE_NETWORK all")
1842 eap_connect(dev[1], apdev[0], "PWD",
1843 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1844 password="secret password",
1847 logger.info("Negative test with incorrect password")
1848 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1849 expect_failure=True, local_error_report=True)
1851 eap_connect(dev[0], apdev[0], "PWD",
1852 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1853 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user authenticates both with the plaintext password and
    with the NT hash supplied via password_hex="hash:..."; the same NT hash
    presented for "pwd user" must be rejected. Skipped without EAP-pwd
    support or in FIPS mode.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
1869 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1870 """WPA2-Enterprise connection using various EAP-pwd groups"""
1871 check_eap_capa(dev[0], "PWD")
1872 tls = dev[0].request("GET tls_library")
1873 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1874 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1875 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1876 for i in [ 19, 20, 21, 25, 26 ]:
1877 params['pwd_group'] = str(i)
1878 hostapd.add_ap(apdev[0]['ifname'], params)
1879 dev[0].request("REMOVE_NETWORK all")
1881 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1882 password="secret password")
1884 if "BoringSSL" in tls and i in [ 25 ]:
1885 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
1886 dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The AP's EAP server is configured with pwd_group=0, which is not a
    valid EAP-pwd group, so the station is expected to report
    CTRL-EVENT-EAP-FAILURE instead of completing the exchange.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "pwd_group": "0",
    }
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # None from wait_event() means the failure was never reported.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
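def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP's EAP server is given a deliberately small fragment_size so it
    has to fragment its EAP-pwd messages; the station must still complete
    the exchange. Skipped when the build lacks EAP-pwd.
    """
    check_eap_capa(dev[0], "PWD")
    # Built explicitly rather than via hostapd.wpa2_eap_params() so the
    # non-default pwd_group and fragment_size are visible alongside the
    # other settings (a wpa2_eap_params() result would only be discarded).
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")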
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects with the correct key and re-authenticates, then forces two
    cipher selections via phase1 and expects each to succeed, forces an
    unknown cipher ("cipher=9") and expects EAP failure, and finally
    checks that a wrong key is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(netid, "phase1", cipher)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects and re-authenticates with the correct secret (given as 64
    hex digits), then checks that a secret differing in its first byte
    is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects with the correct password and re-authenticates, then forces
    a series of dhgroup/encr/prf/mac selections via phase1 and expects
    each to succeed, forces an unsupported combination
    ("dhgroup=9 encr=9 prf=9 mac=9") and expects EAP failure, and finally
    checks that a wrong password is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    forced_selections = ("dhgroup=5 encr=1 prf=2 mac=2",
                         "dhgroup=4 encr=1 prf=2 mac=2",
                         "dhgroup=3 encr=1 prf=2 mac=2",
                         "dhgroup=3 encr=1 prf=1 mac=1")
    for selection in forced_selections:
        dev[0].set_network_quoted(netid, "phase1", selection)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The AP's server_id is set to an NAI-form value (example.server@w1.fi)
    and the station must still complete EAP-EKE.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1995 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1996 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1997 params = int_eap_server_params()
1998 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1999 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2001 for count,func in [ (1, "eap_eke_build_commit"),
2002 (2, "eap_eke_build_commit"),
2003 (3, "eap_eke_build_commit"),
2004 (1, "eap_eke_build_confirm"),
2005 (2, "eap_eke_build_confirm"),
2006 (1, "eap_eke_process_commit"),
2007 (2, "eap_eke_process_commit"),
2008 (1, "eap_eke_process_confirm"),
2009 (1, "eap_eke_process_identity"),
2010 (2, "eap_eke_process_identity"),
2011 (3, "eap_eke_process_identity"),
2012 (4, "eap_eke_process_identity") ]:
2013 with alloc_fail(hapd, count, func):
2014 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2015 expect_failure=True)
2016 dev[0].request("REMOVE_NETWORK all")
2018 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2019 (1, "eap_eke_get_session_id", "hello"),
2020 (1, "eap_eke_getKey", "hello"),
2021 (1, "eap_eke_build_msg", "hello"),
2022 (1, "eap_eke_build_failure", "wrong"),
2023 (1, "eap_eke_build_identity", "hello"),
2024 (2, "eap_eke_build_identity", "hello") ]:
2025 with alloc_fail(hapd, count, func):
2026 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2027 eap="EKE", identity="eke user", password=pw,
2028 wait_connect=False, scan_freq="2412")
2029 # This would eventually time out, but we can stop after having
2030 # reached the allocation failure.
2033 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2035 dev[0].request("REMOVE_NETWORK all")
2037 for count in range(1, 1000):
2039 with alloc_fail(hapd, count, "eap_server_sm_step"):
2040 dev[0].connect("test-wpa2-eap",
2041 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2042 eap="EKE", identity="eke user", password=pw,
2043 wait_connect=False, scan_freq="2412")
2044 # This would eventually time out, but we can stop after having
2045 # reached the allocation failure.
2048 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2050 dev[0].request("REMOVE_NETWORK all")
2051 except Exception, e:
2052 if str(e) == "Allocation failure did not trigger":
2054 raise Exception("Too few allocation failures")
2055 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects and re-authenticates with the correct password, repeats the
    connection with a small station-side fragment_size, and finally checks
    that a wrong password is rejected. Skipped when the build lacks
    EAP-IKEv2.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
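def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP's EAP server is given a small fragment_size so its EAP-IKEv2
    messages are fragmented; the station must connect and re-authenticate
    regardless. Skipped when the build lacks EAP-IKEv2.
    """
    check_eap_capa(dev[0], "IKEV2")
    # Built explicitly rather than via hostapd.wpa2_eap_params() so the
    # non-default fragment_size is visible alongside the other settings
    # (a wpa2_eap_params() result would only be discarded).
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")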
2089 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2090 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2091 check_eap_capa(dev[0], "IKEV2")
2092 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2093 hostapd.add_ap(apdev[0]['ifname'], params)
2095 tests = [ (1, "dh_init"),
2097 (1, "dh_derive_shared") ]
2098 for count, func in tests:
2099 with alloc_fail(dev[0], count, func):
2100 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2101 identity="ikev2 user", password="ike password",
2102 wait_connect=False, scan_freq="2412")
2103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2105 raise Exception("EAP method not selected")
2107 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2110 dev[0].request("REMOVE_NETWORK all")
2112 tests = [ (1, "os_get_random;dh_init") ]
2113 for count, func in tests:
2114 with fail_test(dev[0], count, func):
2115 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2116 identity="ikev2 user", password="ike password",
2117 wait_connect=False, scan_freq="2412")
2118 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2120 raise Exception("EAP method not selected")
2122 if "0:" in dev[0].request("GET_FAIL"):
2125 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects and re-authenticates with the correct key (given as 32 hex
    digits), then checks that a key differing in its first byte is
    rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP requires WPA-EAP-SHA256 with PMF (ieee80211w=2). After
    connecting and re-authenticating, the negotiated AKM suite
    (00-0f-ac-5) is verified through the MIB and the BSS table flags,
    and a wrong key must be rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)
    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    akm_suite = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_suite),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_suite)])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2165 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2166 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2167 skip_with_fips(dev[0])
2168 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2169 hostapd.add_ap(apdev[0]['ifname'], params)
2170 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2171 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2172 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2173 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2174 (1, "=aes_128_eax_encrypt"),
2175 (1, "omac1_aes_vector"),
2176 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2177 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2178 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2179 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2180 (1, "=aes_128_eax_decrypt") ]
2181 for count, func in tests:
2182 with alloc_fail(dev[0], count, func):
2183 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2184 identity="psk.user@example.com",
2185 password_hex="0123456789abcdef0123456789abcdef",
2186 wait_connect=False, scan_freq="2412")
2187 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2189 raise Exception("EAP method not selected")
2191 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2194 dev[0].request("REMOVE_NETWORK all")
2196 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2197 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2198 identity="psk.user@example.com",
2199 password_hex="0123456789abcdef0123456789abcdef",
2200 wait_connect=False, scan_freq="2412")
2201 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2203 raise Exception("EAP method failure not reported")
2204 dev[0].request("REMOVE_NETWORK all")
2206 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2207 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2208 check_eap_capa(dev[0], "MSCHAPV2")
2209 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2210 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2211 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2212 identity="user", password="password", phase2="auth=MSCHAPV2",
2213 ca_cert="auth_serv/ca.pem", wait_connect=False,
2215 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2216 hwsim_utils.test_connectivity(dev[0], hapd)
2217 eap_reauth(dev[0], "PEAP", rsn=False)
2218 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2219 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2220 status = dev[0].get_status(extra="VERBOSE")
2221 if 'portControl' not in status:
2222 raise Exception("portControl missing from STATUS-VERBOSE")
2223 if status['portControl'] != 'Auto':
2224 raise Exception("Unexpected portControl value: " + status['portControl'])
2225 if 'eap_session_id' not in status:
2226 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2227 if not status['eap_session_id'].startswith("19"):
2228 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2230 def test_ap_wpa2_eap_interactive(dev, apdev):
2231 """WPA2-Enterprise connection using interactive identity/password entry"""
2232 check_eap_capa(dev[0], "MSCHAPV2")
2233 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2234 hostapd.add_ap(apdev[0]['ifname'], params)
2235 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2237 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2238 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2240 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2241 "TTLS", "ttls", None, "auth=MSCHAPV2",
2242 "DOMAIN\mschapv2 user", "password"),
2243 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2244 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2245 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2246 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2247 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2248 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2249 ("Connection with dynamic PEAP/EAP-GTC password entry",
2250 "PEAP", None, "user", "auth=GTC", None, "password") ]
2251 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2253 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2254 anonymous_identity=anon, identity=identity,
2255 ca_cert="auth_serv/ca.pem", phase2=phase2,
2256 wait_connect=False, scan_freq="2412")
2258 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2260 raise Exception("Request for identity timed out")
2261 id = ev.split(':')[0].split('-')[-1]
2262 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2263 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2265 raise Exception("Request for password timed out")
2266 id = ev.split(':')[0].split('-')[-1]
2267 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2268 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2269 dev[0].wait_connected(timeout=10)
2270 dev[0].request("REMOVE_NETWORK all")
2272 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2273 """WPA2-Enterprise connection using EAP vendor test"""
2274 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2275 hostapd.add_ap(apdev[0]['ifname'], params)
2276 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2277 eap_reauth(dev[0], "VENDOR-TEST")
2278 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Provisions a PAC with fast_provisioning=1 into the fast_pac blob,
    verifies data connectivity through the AP, then re-authenticates and
    requires that the TLS session was resumed - the evidence that the
    provisioned PAC was actually used. Skipped when the build lacks
    EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2295 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2296 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2297 check_eap_capa(dev[0], "FAST")
2298 pac_file = os.path.join(params['logdir'], "fast.pac")
2299 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2300 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2301 hostapd.add_ap(apdev[0]['ifname'], params)
2304 eap_connect(dev[0], apdev[0], "FAST", "user",
2305 anonymous_identity="FAST", password="password",
2306 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2307 phase1="fast_provisioning=1", pac_file=pac_file)
2308 with open(pac_file, "r") as f:
2310 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2311 raise Exception("PAC file header missing")
2312 if "PAC-Key=" not in data:
2313 raise Exception("PAC-Key missing from PAC file")
2314 dev[0].request("REMOVE_NETWORK all")
2315 eap_connect(dev[0], apdev[0], "FAST", "user",
2316 anonymous_identity="FAST", password="password",
2317 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2320 eap_connect(dev[1], apdev[0], "FAST", "user",
2321 anonymous_identity="FAST", password="password",
2322 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2323 phase1="fast_provisioning=1 fast_pac_format=binary",
2325 dev[1].request("REMOVE_NETWORK all")
2326 eap_connect(dev[1], apdev[0], "FAST", "user",
2327 anonymous_identity="FAST", password="password",
2328 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2329 phase1="fast_pac_format=binary",
2337 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (fast_provisioning=1) stored in binary format with
    the PAC list capped at one entry, then re-authenticates and requires
    TLS session resumption as proof that the PAC was used. Skipped when
    the build lacks EAP-FAST.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # NOTE(review): the `if ev is None:` guards that precede the two raise
    # statements appear to be elided in this excerpt -- verify upstream.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # No fast_provisioning in phase1 and an empty PAC blob: the supplicant
    # has no PAC and is not allowed to provision one, so EAP must fail
    # rather than silently fall back to provisioning.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    # Same expectation with no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # fast_provisioning=2 = authenticated provisioning only: the PAC is
    # obtained inside a tunnel whose server certificate is validated against
    # ca_cert, unlike the anonymous (=1) variant used by other tests.
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # The provisioned PAC must then drive session resumption on reauth.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    # NOTE(review): the `if ev is None:` guards before the raise statements
    # are elided in this excerpt -- verify upstream.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Authenticated provisioning (fast_provisioning=2) for identity "user".
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity on the live profile triggers a reconnect; the
    # test expects EAP-FAST to start and then fail for the new identity.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    # NOTE(review): one connect() argument line and the `if ev is None:`
    # guard are elided in this excerpt -- verify upstream.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Inject an allocation failure into the TLS PRF (second call) and make
    # sure the supplicant reports a clean EAP failure instead of proceeding
    # with partially derived keys.
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    # NOTE(review): a few lines (blank separators, the `if ev is None:`
    # guard) are elided in this excerpt -- verify upstream.
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed PAC-Opaque encryption key for the test server only; a real
    # deployment must use a randomly generated, secret key here because it
    # protects every issued PAC.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the server's session-ticket extension callback
    # must surface as an EAP failure on the supplicant side.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # Once the OOM injection is lifted the same profile should connect.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    check_ocsp_support(dev[0])
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # ocsp=2 makes a valid stapled OCSP response mandatory; the connection
    # must fail if the server does not staple a good status.
    tls_opts = dict(ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_opts)
def int_eap_server_params():
    """Return a baseline hostapd config dict using the integrated EAP server.

    Callers copy and tweak the dict (server cert, dh_file, ocsp_stapling_response,
    eap_user_file, ...) before passing it to hostapd.add_ap().
    """
    # NOTE(review): the `return params` line is elided in this excerpt;
    # every caller does `params = int_eap_server_params()` and relies on the
    # dict being returned -- verify upstream.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               # Test CA / server credentials from the repository; not for
               # any real deployment.
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    # NOTE(review): the status-polling loop around wait_event() and the
    # `if ev is None:` guards are elided in this excerpt -- verify upstream.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Staple an OCSP *request* instead of a response: the client must reject
    # the malformed status data rather than treat it as "good".
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    # NOTE(review): the status-polling loop and `if ev is None:` guards are
    # elided in this excerpt -- verify upstream.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Corrupted stapled response; with ocsp=2 this must fail the handshake.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    # NOTE(review): the status-polling loop and `if ev is None:` guards are
    # elided in this excerpt -- verify upstream.
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the client does not trust: a well-formed but
    # unverifiable OCSP response must be treated as bad, not ignored.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    # NOTE(review): the status-polling loop and `if ev is None:` guards are
    # elided in this excerpt -- verify upstream.
    check_ocsp_support(dev[0])
    # The "revoked" response is generated by the test harness into logdir;
    # skip (not fail) when it is absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the fixture dict to the AP config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=2: a stapled "revoked" status must abort the TLS tunnel before
    # any phase-2 (PAP) credentials are sent.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    # NOTE(review): the status-polling loop and `if ev is None:` guards are
    # elided in this excerpt -- verify upstream. (Docstring corrected: this
    # test staples an "unknown" status, not "revoked".)
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the fixture dict to the AP config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # With ocsp=2 (required) an "unknown" status is not good enough: the
    # handshake must fail.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
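def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # Docstring fixed: it was copied from the "revoked" test, but this case
    # staples an "unknown" status and uses ocsp=1 (optional), so the
    # connection is expected to SUCCEED -- an "unknown" answer is tolerated
    # when OCSP is merely best-effort. Operators who need revocation to be
    # enforced must use ocsp=2 (see the ocsp=2 tests above).
    # NOTE(review): unlike the sibling OCSP tests this one does not call
    # check_ocsp_support(dev[0]); presumably intentional since ocsp=1 should
    # not fail on libraries without OCSP -- confirm.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the fixture dict to the AP config here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")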
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # NOTE(review): the final connect() argument line (scan_freq) is elided
    # in this excerpt -- verify upstream.
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so the name check has to
    # fall back to the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Full-name suffix match: the configured value equals the whole CN, so
    # this works with every TLS backend (see check_domain_match_full).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
    # NOTE(review): the final connect() argument line (scan_freq) is elided
    # in this excerpt -- verify upstream.
    params = int_eap_server_params()
    # Certificate without dNSName SAN: matching is done against the CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires an exact, full-name match (no suffix logic).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # NOTE(review): the final connect() argument line (scan_freq) is elided
    # in this excerpt -- verify upstream.
    # Partial suffix matching is only available with OpenSSL; other TLS
    # backends require the full name, so skip there.
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "w1.fi" is a label-aligned suffix of the CN "server3.w1.fi", so this
    # must be accepted.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    # NOTE(review): trailing connect() argument lines and the
    # `if ev is None:` guards are elided in this excerpt -- verify upstream.
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Completely different domain: must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    # "erver3.w1.fi" is a byte-suffix of "server3.w1.fi" but not a
    # label-aligned one; a correct implementation must reject it, otherwise
    # an attacker could satisfy the check with e.g. "evilserver3.w1.fi".
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    # NOTE(review): trailing connect() argument lines and the
    # `if ev is None:` guards are elided in this excerpt -- verify upstream.
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Different domain: must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
    # domain_match is a full-name match, so even the valid parent domain
    # "w1.fi" must be rejected (contrast with domain_suffix_match).
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    # NOTE(review): trailing connect() argument lines and the
    # `if ev is None:` guards are elided in this excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # The supplicant must report the specific validity failure
    # (reason=4 / "certificate has expired") and then fail EAP, i.e. no
    # MSCHAP credentials are sent through a tunnel to an expired cert.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    # NOTE(review): the final connect() argument line is elided in this
    # excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # tls_disable_time_checks=1 switches off validity-period checking, so the
    # expired server certificate is accepted. This is a deliberate weakening
    # meant for devices without a trustworthy clock; it should not be used
    # in a normal profile.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    # NOTE(review): the final connect() argument line is elided in this
    # excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Certificate with an unusually long validity period; the point is that
    # date handling far in the future does not break validation.
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    # NOTE(review): trailing connect() argument lines and the
    # `if ev is None:` guard are elided in this excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate whose Extended Key Usage only allows clientAuth.
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # A CA-issued cert that is not authorised for server use must be
    # rejected; otherwise any client cert from the same CA could impersonate
    # the authentication server.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    # NOTE(review): the final connect() argument line is elided in this
    # excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # EKU contains serverAuth as well as clientAuth, so this one is valid
    # for the server role (contrast with the client-EKU-only test).
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    # NOTE(review): the final connect() argument line is elided in this
    # excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server cert and key come from a single PKCS#12 bundle; server_cert is
    # removed so hostapd loads both from private_key.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Client-side dh_file: supplies DH parameters to the supplicant's TLS
    # context; the CA is given in DER form here.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Same as the plain dh_file test but the parameters come from a DSA
    # parameter file, which the TLS library has to convert into DH params.
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # NOTE(review): the `if ev is None:` guard before the raise is elided in
    # this excerpt -- verify upstream. Also note that a later function in
    # this file reuses the exact same name (the server-side variant), which
    # rebinds the name at import time and shadows this client-side test.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A missing dh_file must be a hard failure, not silently ignored.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    # NOTE(review): the `if ev is None:` guard before the raise is elided in
    # this excerpt -- verify upstream. A later function in this file reuses
    # this exact name (server-side variant) and therefore shadows this one.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Point dh_file at a certificate instead of DH parameters: the
    # supplicant must refuse to continue rather than use bogus parameters.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Load the DER DH parameters and push them into the supplicant as a
    # named blob over the control interface (hex-encoded).
    dh_der = read_pem("auth_serv/dh2.conf")
    set_cmd = "SET blob dhparams " + dh_der.encode("hex")
    if "OK" not in dev[0].request(set_cmd):
        raise Exception("Could not set dhparams blob")
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="blob://dhparams")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    ap_conf = int_eap_server_params()
    # Server-side DH parameters for the integrated EAP server's TLS context.
    ap_conf["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    ap_conf = int_eap_server_params()
    # DSA parameter file used as the source of the server's DH parameters.
    ap_conf["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this function has the same name as the earlier
    # client-side test; being defined later it rebinds the module attribute,
    # so only this server-side variant is ever collected. Renaming it (e.g.
    # with a "_server" infix) would restore the shadowed test.
    ap_conf = int_eap_server_params()
    ap_conf["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Configure but do not enable, so the failure surfaces on ENABLE: a
    # missing dhparams file must make hostapd refuse to start the BSS.
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): same name as the earlier client-side test; this later
    # definition shadows it, so the client-side case is never collected.
    ap_conf = int_eap_server_params()
    # A certificate file is not DH parameters; hostapd must reject the
    # config at ENABLE time instead of running TLS without proper params.
    ap_conf["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_conf, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    # NOTE(review): the `if ev is None:` guards and the loop's sleep/break
    # lines are elided in this excerpt -- verify upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Very short reauthentication period so the authenticator re-runs EAP
    # shortly after the initial connection.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Fixed EAP-PAX test key (hex); not a real credential.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("Timeout on reauthentication")
    # Poll until the 4-way handshake after reauth has completed.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message: displayable text, then a NUL (written as "\0" in the
    # hostapd config) followed by the RFC 4284 network information hints.
    ap_conf['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # Fixed EAP-PAX test key; the connection must still succeed with the
    # extra identity-request payload present.
    pax_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=pax_key)
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_conf = int_eap_server_params()
    ap_conf['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server offers protected success/result indications (AT_RESULT_IND).
    ap_conf['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_conf)

    # (method, IMSI-derived identity, Ki:OPc[:SQN] test vector). These are
    # the well-known hwsim test SIM credentials, not real subscriber keys.
    vectors = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(vectors):
        if idx:
            # Clear the previous method's profiles before the next round.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the protected result indication and then
        # reauthenticates; dev[1] runs the same method without it.
        eap_connect(dev[0], apdev[0], method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    # NOTE(review): the final connect() argument line (presumably a tiny
    # fragment_size that forces many roundtrips) and the `if ev is None:`
    # guard are elided in this excerpt -- verify upstream.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # The supplicant enforces an upper bound on EAP roundtrips so a peer
    # cannot keep the exchange going indefinitely; expect that limit to trip.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    # NOTE(review): trailing connect() argument lines, the `if ev is None:`
    # guards and the loop's break are elided in this excerpt -- verify
    # upstream.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity "vendor-test" makes the server propose a vendor-specific
    # (expanded) EAP type the client does not support, so the client has to
    # answer with an expanded NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # NOTE(review): the sqlite3 import/try block, the removal of any stale
    # DB file, the cursor creation/commit and the tail of the function are
    # elided in this excerpt -- verify upstream.
    skip_with_fips(dev[0])
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Schema expected by hostapd's eap_user_file="sqlite:" backend. The SQL
    # below is built from fixed literals only -- no untrusted input -- so
    # string SQL is acceptable here. Passwords are stored in cleartext in
    # this test DB, which is what TTLS/PAP/CHAP/MSCHAP require server-side.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty-identity wildcard: phase-1 (outer) identity may use TTLS or TLS.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # One connection per phase-2 method, each mapped to its own DB row.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # NOTE(review): the `if ev is None:` guards inside the loop are elided
    # in this excerpt -- verify upstream.
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities containing a raw 0x80 byte (invalid UTF-8) against the
    # integrated EAP server: the goal is that both ends handle the bytes
    # without crashing and still reach method selection.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # NOTE(review): the `if ev is None:` guards inside the loop are elided
    # in this excerpt -- verify upstream.
    # Same as test_ap_wpa2_eap_non_ascii_identity but with the default
    # (RADIUS-backed) wpa2_eap_params AP config instead of the integrated
    # EAP server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # NOTE(review): the last connect() argument line for dev[2] and the
    # `if ev is None:` guard are elided in this excerpt -- verify upstream.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A sane restriction ("AES128") must still negotiate.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Export-grade suites must not be negotiable with the server; the
    # failure may be reported locally (no matching suite at all).
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # An unparsable cipher string must fail closed, not fall back to defaults.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # Both ends must be built against OpenSSL for the openssl_ciphers
    # parameter to be meaningful; skip otherwise.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # (station, per-station overrides): default client ciphers succeed,
    # an AES128-only client has no overlap with the AES256-only server and
    # is expected to fail, and a HIGH:!ADH client succeeds again.
    attempts = [
        (dev[0], {}),
        (dev[1], {"openssl_ciphers": "AES128", "expect_failure": True}),
        (dev[2], {"openssl_ciphers": "HIGH:!ADH"}),
    ]
    for sta, extra in attempts:
        eap_connect(sta, apdev[0], "TTLS", "pap user", **dict(common, **extra))

    # An unparseable cipher string must be rejected when the AP is enabled.
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3141 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3142 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3143 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3144 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3145 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3146 pid = find_wpas_process(dev[0])
3147 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3148 anonymous_identity="ttls", password=password,
3149 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3151 buf = read_process_memory(pid, password)
3153 dev[0].request("DISCONNECT")
3154 dev[0].wait_disconnected()
3162 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3163 for l in f.readlines():
3164 if "EAP-TTLS: Derived key - hexdump" in l:
3165 val = l.strip().split(':')[3].replace(' ', '')
3166 msk = binascii.unhexlify(val)
3167 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3168 val = l.strip().split(':')[3].replace(' ', '')
3169 emsk = binascii.unhexlify(val)
3170 if "WPA: PMK - hexdump" in l:
3171 val = l.strip().split(':')[3].replace(' ', '')
3172 pmk = binascii.unhexlify(val)
3173 if "WPA: PTK - hexdump" in l:
3174 val = l.strip().split(':')[3].replace(' ', '')
3175 ptk = binascii.unhexlify(val)
3176 if "WPA: Group Key - hexdump" in l:
3177 val = l.strip().split(':')[3].replace(' ', '')
3178 gtk = binascii.unhexlify(val)
3179 if not msk or not emsk or not pmk or not ptk or not gtk:
3180 raise Exception("Could not find keys from debug log")
3182 raise Exception("Unexpected GTK length")
3188 fname = os.path.join(params['logdir'],
3189 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3191 logger.info("Checking keys in memory while associated")
3192 get_key_locations(buf, password, "Password")
3193 get_key_locations(buf, pmk, "PMK")
3194 get_key_locations(buf, msk, "MSK")
3195 get_key_locations(buf, emsk, "EMSK")
3196 if password not in buf:
3197 raise HwsimSkip("Password not found while associated")
3199 raise HwsimSkip("PMK not found while associated")
3201 raise Exception("KCK not found while associated")
3203 raise Exception("KEK not found while associated")
3205 raise Exception("TK found from memory")
3207 raise Exception("GTK found from memory")
3209 logger.info("Checking keys in memory after disassociation")
3210 buf = read_process_memory(pid, password)
3212 # Note: Password is still present in network configuration
3213 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3215 get_key_locations(buf, password, "Password")
3216 get_key_locations(buf, pmk, "PMK")
3217 get_key_locations(buf, msk, "MSK")
3218 get_key_locations(buf, emsk, "EMSK")
3219 verify_not_present(buf, kck, fname, "KCK")
3220 verify_not_present(buf, kek, fname, "KEK")
3221 verify_not_present(buf, tk, fname, "TK")
3222 verify_not_present(buf, gtk, fname, "GTK")
3224 dev[0].request("PMKSA_FLUSH")
3225 dev[0].set_network_quoted(id, "identity", "foo")
3226 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3227 buf = read_process_memory(pid, password)
3228 get_key_locations(buf, password, "Password")
3229 get_key_locations(buf, pmk, "PMK")
3230 get_key_locations(buf, msk, "MSK")
3231 get_key_locations(buf, emsk, "EMSK")
3232 verify_not_present(buf, pmk, fname, "PMK")
3234 dev[0].request("REMOVE_NETWORK all")
3236 logger.info("Checking keys in memory after network profile removal")
3237 buf = read_process_memory(pid, password)
3239 get_key_locations(buf, password, "Password")
3240 get_key_locations(buf, pmk, "PMK")
3241 get_key_locations(buf, msk, "MSK")
3242 get_key_locations(buf, emsk, "EMSK")
3243 verify_not_present(buf, password, fname, "password")
3244 verify_not_present(buf, pmk, fname, "PMK")
3245 verify_not_present(buf, kck, fname, "KCK")
3246 verify_not_present(buf, kek, fname, "KEK")
3247 verify_not_present(buf, tk, fname, "TK")
3248 verify_not_present(buf, gtk, fname, "GTK")
3249 verify_not_present(buf, msk, fname, "MSK")
3250 verify_not_present(buf, emsk, fname, "EMSK")
3252 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3253 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3254 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3255 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3256 bssid = apdev[0]['bssid']
3257 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3258 anonymous_identity="ttls", password="password",
3259 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3261 # Send unexpected WEP EAPOL-Key; this gets dropped
3262 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3264 raise Exception("EAPOL_RX to wpa_supplicant failed")
3266 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3267 """WPA2-EAP and wpas interface in a bridge"""
3271 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3273 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3274 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3275 subprocess.call(['brctl', 'delbr', br_ifname])
3276 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3278 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3279 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3280 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3284 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3285 subprocess.call(['brctl', 'addbr', br_ifname])
3286 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3287 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3288 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3289 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3290 wpas.interface_add(ifname, br_ifname=br_ifname)
3292 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3293 password_hex="0123456789abcdef0123456789abcdef")
3294 eap_reauth(wpas, "PAX")
3295 # Try again as a regression test for packet socket workaround
3296 eap_reauth(wpas, "PAX")
3297 wpas.request("DISCONNECT")
3298 wpas.wait_disconnected()
3299 wpas.request("RECONNECT")
3300 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP's effective configuration: the first listed AKM
    # must be plain WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # phase1 explicitly keeps TLS session tickets enabled on the station side.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Run a second EAP exchange on the same association.
    eap_reauth(dev[0], "TTLS")
3315 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3316 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3317 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3318 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3319 key_mgmt = hapd.get_config()['key_mgmt']
3320 if key_mgmt.split(' ')[0] != "WPA-EAP":
3321 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3322 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3323 anonymous_identity="ttls", password="password",
3324 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3326 eap_reauth(dev[0], "TTLS")
3328 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3329 """EAP-TLS and server checking CRL"""
3330 params = int_eap_server_params()
3331 params['check_crl'] = '1'
3332 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3334 # check_crl=1 and no CRL available --> reject connection
3335 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3336 client_cert="auth_serv/user.pem",
3337 private_key="auth_serv/user.key", expect_failure=True)
3338 dev[0].request("REMOVE_NETWORK all")
3341 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3344 # check_crl=1 and valid CRL --> accept
3345 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3346 client_cert="auth_serv/user.pem",
3347 private_key="auth_serv/user.key")
3348 dev[0].request("REMOVE_NETWORK all")
3351 hapd.set("check_crl", "2")
3354 # check_crl=2 and valid CRL --> accept
3355 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3356 client_cert="auth_serv/user.pem",
3357 private_key="auth_serv/user.key")
3358 dev[0].request("REMOVE_NETWORK all")
3360 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3361 """EAP-TLS and OOM"""
3362 check_subject_match_support(dev[0])
3363 check_altsubject_match_support(dev[0])
3364 check_domain_match_full(dev[0])
3366 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3367 hostapd.add_ap(apdev[0]['ifname'], params)
3369 tests = [ (1, "tls_connection_set_subject_match"),
3370 (2, "tls_connection_set_subject_match"),
3371 (3, "tls_connection_set_subject_match"),
3372 (4, "tls_connection_set_subject_match") ]
3373 for count, func in tests:
3374 with alloc_fail(dev[0], count, func):
3375 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3376 identity="tls user", ca_cert="auth_serv/ca.pem",
3377 client_cert="auth_serv/user.pem",
3378 private_key="auth_serv/user.key",
3379 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3380 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3381 domain_suffix_match="server.w1.fi",
3382 domain_match="server.w1.fi",
3383 wait_connect=False, scan_freq="2412")
3384 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3385 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3387 raise Exception("No passphrase request")
3388 dev[0].request("REMOVE_NETWORK all")
3389 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 -- presumably the RADIUS-backed MAC ACL mode of hostapd
    # (value meaning comes from hostapd.conf, not from this file).
    ap_params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_tls = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    # The connection is made from dev[1], not dev[0].
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **client_tls)
3400 def test_ap_wpa2_eap_oom(dev, apdev):
3401 """EAP server and OOM"""
3402 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3403 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3404 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3406 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3407 # The first attempt fails, but STA will send EAPOL-Start to retry and
3409 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3410 identity="tls user", ca_cert="auth_serv/ca.pem",
3411 client_cert="auth_serv/user.pem",
3412 private_key="auth_serv/user.key",
3415 def check_tls_ver(dev, ap, phase1, expected):
3416 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3417 client_cert="auth_serv/user.pem",
3418 private_key="auth_serv/user.key",
3420 ver = dev.get_status_field("eap_tls_version")
3422 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3424 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3425 """EAP-TLS and TLS version configuration"""
3426 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3427 hostapd.add_ap(apdev[0]['ifname'], params)
3429 tls = dev[0].request("GET tls_library")
3430 if tls.startswith("OpenSSL"):
3431 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3432 check_tls_ver(dev[0], apdev[0],
3433 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3435 check_tls_ver(dev[1], apdev[0],
3436 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3437 check_tls_ver(dev[2], apdev[0],
3438 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3440 def test_rsn_ie_proto_eap_sta(dev, apdev):
3441 """RSN element protocol testing for EAP cases on STA side"""
3442 bssid = apdev[0]['bssid']
3443 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3444 # This is the RSN element used normally by hostapd
3445 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3446 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3447 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3448 identity="gpsk user",
3449 password="abcdefghijklmnop0123456789abcdef",
3452 tests = [ ('No RSN Capabilities field',
3453 '30120100000fac040100000fac040100000fac01'),
3454 ('No AKM Suite fields',
3455 '300c0100000fac040100000fac04'),
3456 ('No Pairwise Cipher Suite fields',
3457 '30060100000fac04'),
3458 ('No Group Data Cipher Suite field',
3460 for txt,ie in tests:
3461 dev[0].request("DISCONNECT")
3462 dev[0].wait_disconnected()
3465 hapd.set('own_ie_override', ie)
3467 dev[0].request("BSS_FLUSH 0")
3468 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3469 dev[0].select_network(id, freq=2412)
3470 dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant use OpenSSL.

    Each side is asked for its TLS library via "GET tls_library"; hostapd is
    queried first, so its skip message wins when neither side is OpenSSL.

    Raises:
        HwsimSkip: when either library string does not start with "OpenSSL".
    """
    checks = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for peer, reason in checks:
        lib = peer.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
3481 def test_eap_ttls_pap_session_resumption(dev, apdev):
3482 """EAP-TTLS/PAP session resumption"""
3483 params = int_eap_server_params()
3484 params['tls_session_lifetime'] = '60'
3485 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3486 check_tls_session_resumption_capa(dev[0], hapd)
3487 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3488 anonymous_identity="ttls", password="password",
3489 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3491 if dev[0].get_status_field("tls_session_reused") != '0':
3492 raise Exception("Unexpected session resumption on the first connection")
3494 dev[0].request("REAUTHENTICATE")
3495 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3497 raise Exception("EAP success timed out")
3498 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3500 raise Exception("Key handshake with the AP timed out")
3501 if dev[0].get_status_field("tls_session_reused") != '1':
3502 raise Exception("Session resumption not used on the second connection")
3504 def test_eap_ttls_chap_session_resumption(dev, apdev):
3505 """EAP-TTLS/CHAP session resumption"""
3506 params = int_eap_server_params()
3507 params['tls_session_lifetime'] = '60'
3508 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3509 check_tls_session_resumption_capa(dev[0], hapd)
3510 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3511 anonymous_identity="ttls", password="password",
3512 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3513 if dev[0].get_status_field("tls_session_reused") != '0':
3514 raise Exception("Unexpected session resumption on the first connection")
3516 dev[0].request("REAUTHENTICATE")
3517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3519 raise Exception("EAP success timed out")
3520 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3522 raise Exception("Key handshake with the AP timed out")
3523 if dev[0].get_status_field("tls_session_reused") != '1':
3524 raise Exception("Session resumption not used on the second connection")
3526 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3527 """EAP-TTLS/MSCHAP session resumption"""
3528 params = int_eap_server_params()
3529 params['tls_session_lifetime'] = '60'
3530 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3531 check_tls_session_resumption_capa(dev[0], hapd)
3532 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3533 anonymous_identity="ttls", password="password",
3534 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3535 domain_suffix_match="server.w1.fi")
3536 if dev[0].get_status_field("tls_session_reused") != '0':
3537 raise Exception("Unexpected session resumption on the first connection")
3539 dev[0].request("REAUTHENTICATE")
3540 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3542 raise Exception("EAP success timed out")
3543 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3545 raise Exception("Key handshake with the AP timed out")
3546 if dev[0].get_status_field("tls_session_reused") != '1':
3547 raise Exception("Session resumption not used on the second connection")
3549 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3550 """EAP-TTLS/MSCHAPv2 session resumption"""
3551 check_eap_capa(dev[0], "MSCHAPV2")
3552 params = int_eap_server_params()
3553 params['tls_session_lifetime'] = '60'
3554 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3555 check_tls_session_resumption_capa(dev[0], hapd)
3556 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3557 anonymous_identity="ttls", password="password",
3558 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3559 domain_suffix_match="server.w1.fi")
3560 if dev[0].get_status_field("tls_session_reused") != '0':
3561 raise Exception("Unexpected session resumption on the first connection")
3563 dev[0].request("REAUTHENTICATE")
3564 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3566 raise Exception("EAP success timed out")
3567 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3569 raise Exception("Key handshake with the AP timed out")
3570 if dev[0].get_status_field("tls_session_reused") != '1':
3571 raise Exception("Session resumption not used on the second connection")
3573 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3574 """EAP-TTLS/EAP-GTC session resumption"""
3575 params = int_eap_server_params()
3576 params['tls_session_lifetime'] = '60'
3577 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3578 check_tls_session_resumption_capa(dev[0], hapd)
3579 eap_connect(dev[0], apdev[0], "TTLS", "user",
3580 anonymous_identity="ttls", password="password",
3581 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3582 if dev[0].get_status_field("tls_session_reused") != '0':
3583 raise Exception("Unexpected session resumption on the first connection")
3585 dev[0].request("REAUTHENTICATE")
3586 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3588 raise Exception("EAP success timed out")
3589 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3591 raise Exception("Key handshake with the AP timed out")
3592 if dev[0].get_status_field("tls_session_reused") != '1':
3593 raise Exception("Session resumption not used on the second connection")
3595 def test_eap_ttls_no_session_resumption(dev, apdev):
3596 """EAP-TTLS session resumption disabled on server"""
3597 params = int_eap_server_params()
3598 params['tls_session_lifetime'] = '0'
3599 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3600 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3601 anonymous_identity="ttls", password="password",
3602 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3604 if dev[0].get_status_field("tls_session_reused") != '0':
3605 raise Exception("Unexpected session resumption on the first connection")
3607 dev[0].request("REAUTHENTICATE")
3608 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3610 raise Exception("EAP success timed out")
3611 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3613 raise Exception("Key handshake with the AP timed out")
3614 if dev[0].get_status_field("tls_session_reused") != '0':
3615 raise Exception("Unexpected session resumption on the second connection")
3617 def test_eap_peap_session_resumption(dev, apdev):
3618 """EAP-PEAP session resumption"""
3619 params = int_eap_server_params()
3620 params['tls_session_lifetime'] = '60'
3621 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3622 check_tls_session_resumption_capa(dev[0], hapd)
3623 eap_connect(dev[0], apdev[0], "PEAP", "user",
3624 anonymous_identity="peap", password="password",
3625 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3626 if dev[0].get_status_field("tls_session_reused") != '0':
3627 raise Exception("Unexpected session resumption on the first connection")
3629 dev[0].request("REAUTHENTICATE")
3630 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3632 raise Exception("EAP success timed out")
3633 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3635 raise Exception("Key handshake with the AP timed out")
3636 if dev[0].get_status_field("tls_session_reused") != '1':
3637 raise Exception("Session resumption not used on the second connection")
3639 def test_eap_peap_no_session_resumption(dev, apdev):
3640 """EAP-PEAP session resumption disabled on server"""
3641 params = int_eap_server_params()
3642 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3643 eap_connect(dev[0], apdev[0], "PEAP", "user",
3644 anonymous_identity="peap", password="password",
3645 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3646 if dev[0].get_status_field("tls_session_reused") != '0':
3647 raise Exception("Unexpected session resumption on the first connection")
3649 dev[0].request("REAUTHENTICATE")
3650 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3652 raise Exception("EAP success timed out")
3653 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3655 raise Exception("Key handshake with the AP timed out")
3656 if dev[0].get_status_field("tls_session_reused") != '0':
3657 raise Exception("Unexpected session resumption on the second connection")
3659 def test_eap_tls_session_resumption(dev, apdev):
3660 """EAP-TLS session resumption"""
3661 params = int_eap_server_params()
3662 params['tls_session_lifetime'] = '60'
3663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3664 check_tls_session_resumption_capa(dev[0], hapd)
3665 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3666 client_cert="auth_serv/user.pem",
3667 private_key="auth_serv/user.key")
3668 if dev[0].get_status_field("tls_session_reused") != '0':
3669 raise Exception("Unexpected session resumption on the first connection")
3671 dev[0].request("REAUTHENTICATE")
3672 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3674 raise Exception("EAP success timed out")
3675 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3677 raise Exception("Key handshake with the AP timed out")
3678 if dev[0].get_status_field("tls_session_reused") != '1':
3679 raise Exception("Session resumption not used on the second connection")
3681 dev[0].request("REAUTHENTICATE")
3682 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3684 raise Exception("EAP success timed out")
3685 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3687 raise Exception("Key handshake with the AP timed out")
3688 if dev[0].get_status_field("tls_session_reused") != '1':
3689 raise Exception("Session resumption not used on the third connection")
3691 def test_eap_tls_session_resumption_expiration(dev, apdev):
3692 """EAP-TLS session resumption"""
3693 params = int_eap_server_params()
3694 params['tls_session_lifetime'] = '1'
3695 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3696 check_tls_session_resumption_capa(dev[0], hapd)
3697 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3698 client_cert="auth_serv/user.pem",
3699 private_key="auth_serv/user.key")
3700 if dev[0].get_status_field("tls_session_reused") != '0':
3701 raise Exception("Unexpected session resumption on the first connection")
3703 # Allow multiple attempts since OpenSSL may not expire the cached entry
3708 dev[0].request("REAUTHENTICATE")
3709 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3711 raise Exception("EAP success timed out")
3712 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3714 raise Exception("Key handshake with the AP timed out")
3715 if dev[0].get_status_field("tls_session_reused") == '0':
3717 if dev[0].get_status_field("tls_session_reused") != '0':
3718 raise Exception("Session resumption used after lifetime expiration")
3720 def test_eap_tls_no_session_resumption(dev, apdev):
3721 """EAP-TLS session resumption disabled on server"""
3722 params = int_eap_server_params()
3723 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3724 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3725 client_cert="auth_serv/user.pem",
3726 private_key="auth_serv/user.key")
3727 if dev[0].get_status_field("tls_session_reused") != '0':
3728 raise Exception("Unexpected session resumption on the first connection")
3730 dev[0].request("REAUTHENTICATE")
3731 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3733 raise Exception("EAP success timed out")
3734 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3736 raise Exception("Key handshake with the AP timed out")
3737 if dev[0].get_status_field("tls_session_reused") != '0':
3738 raise Exception("Unexpected session resumption on the second connection")
3740 def test_eap_tls_session_resumption_radius(dev, apdev):
3741 """EAP-TLS session resumption (RADIUS)"""
3742 params = { "ssid": "as", "beacon_int": "2000",
3743 "radius_server_clients": "auth_serv/radius_clients.conf",
3744 "radius_server_auth_port": '18128',
3746 "eap_user_file": "auth_serv/eap_user.conf",
3747 "ca_cert": "auth_serv/ca.pem",
3748 "server_cert": "auth_serv/server.pem",
3749 "private_key": "auth_serv/server.key",
3750 "tls_session_lifetime": "60" }
3751 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
3752 check_tls_session_resumption_capa(dev[0], authsrv)
3754 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3755 params['auth_server_port'] = "18128"
3756 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3757 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3758 client_cert="auth_serv/user.pem",
3759 private_key="auth_serv/user.key")
3760 if dev[0].get_status_field("tls_session_reused") != '0':
3761 raise Exception("Unexpected session resumption on the first connection")
3763 dev[0].request("REAUTHENTICATE")
3764 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3766 raise Exception("EAP success timed out")
3767 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3769 raise Exception("Key handshake with the AP timed out")
3770 if dev[0].get_status_field("tls_session_reused") != '1':
3771 raise Exception("Session resumption not used on the second connection")
3773 def test_eap_tls_no_session_resumption_radius(dev, apdev):
3774 """EAP-TLS session resumption disabled (RADIUS)"""
3775 params = { "ssid": "as", "beacon_int": "2000",
3776 "radius_server_clients": "auth_serv/radius_clients.conf",
3777 "radius_server_auth_port": '18128',
3779 "eap_user_file": "auth_serv/eap_user.conf",
3780 "ca_cert": "auth_serv/ca.pem",
3781 "server_cert": "auth_serv/server.pem",
3782 "private_key": "auth_serv/server.key",
3783 "tls_session_lifetime": "0" }
3784 hostapd.add_ap(apdev[1]['ifname'], params)
3786 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3787 params['auth_server_port'] = "18128"
3788 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3789 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3790 client_cert="auth_serv/user.pem",
3791 private_key="auth_serv/user.key")
3792 if dev[0].get_status_field("tls_session_reused") != '0':
3793 raise Exception("Unexpected session resumption on the first connection")
3795 dev[0].request("REAUTHENTICATE")
3796 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3798 raise Exception("EAP success timed out")
3799 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3801 raise Exception("Key handshake with the AP timed out")
3802 if dev[0].get_status_field("tls_session_reused") != '0':
3803 raise Exception("Unexpected session resumption on the second connection")