projects / mech_eap.git / blob
? search:


2c7295daf82384b815040fcf55f9ba6c1ec4edaf
[mech_eap.git] / tests / hwsim / test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
13 logger = logging.getLogger()
14 import os
15
16 import hwsim_utils
17 import hostapd
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
21
22 def check_hlr_auc_gw_support():
23     if not os.path.exists("/tmp/hlr_auc_gw.sock"):
24         raise HwsimSkip("No hlr_auc_gw available")
25
26 def check_eap_capa(dev, method):
27     res = dev.get_capability("eap")
28     if method not in res:
29         raise HwsimSkip("EAP method %s not supported in the build" % method)
30
31 def check_subject_match_support(dev):
32     tls = dev.request("GET tls_library")
33     if not tls.startswith("OpenSSL"):
34         raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
35
36 def check_altsubject_match_support(dev):
37     tls = dev.request("GET tls_library")
38     if not tls.startswith("OpenSSL"):
39         raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
40
41 def check_domain_match_full(dev):
42     tls = dev.request("GET tls_library")
43     if not tls.startswith("OpenSSL"):
44         raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
45
46 def check_cert_probe_support(dev):
47     tls = dev.request("GET tls_library")
48     if not tls.startswith("OpenSSL"):
49         raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
50
51 def check_ocsp_support(dev):
52     tls = dev.request("GET tls_library")
53     if "BoringSSL" in tls:
54         raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
55
56 def read_pem(fname):
57     with open(fname, "r") as f:
58         lines = f.readlines()
59         copy = False
60         cert = ""
61         for l in lines:
62             if "-----END" in l:
63                 break
64             if copy:
65                 cert = cert + l
66             if "-----BEGIN" in l:
67                 copy = True
68     return base64.b64decode(cert)
69
70 def eap_connect(dev, ap, method, identity,
71                 sha256=False, expect_failure=False, local_error_report=False,
72                 maybe_local_error=False, **kwargs):
73     hapd = hostapd.Hostapd(ap['ifname'])
74     id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
75                      eap=method, identity=identity,
76                      wait_connect=False, scan_freq="2412", ieee80211w="1",
77                      **kwargs)
78     eap_check_auth(dev, method, True, sha256=sha256,
79                    expect_failure=expect_failure,
80                    local_error_report=local_error_report,
81                    maybe_local_error=maybe_local_error)
82     if expect_failure:
83         return id
84     ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
85     if ev is None:
86         raise Exception("No connection event received from hostapd")
87     return id
88
89 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
90                    expect_failure=False, local_error_report=False,
91                    maybe_local_error=False):
92     ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
93     if ev is None:
94         raise Exception("Association and EAP start timed out")
95     ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
96                          "CTRL-EVENT-EAP-FAILURE"], timeout=10)
97     if ev is None:
98         raise Exception("EAP method selection timed out")
99     if "CTRL-EVENT-EAP-FAILURE" in ev:
100         if maybe_local_error:
101             return
102         raise Exception("Could not select EAP method")
103     if method not in ev:
104         raise Exception("Unexpected EAP method")
105     if expect_failure:
106         ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
107         if ev is None:
108             raise Exception("EAP failure timed out")
109         ev = dev.wait_disconnected(timeout=10)
110         if maybe_local_error and "locally_generated=1" in ev:
111             return
112         if not local_error_report:
113             if "reason=23" not in ev:
114                 raise Exception("Proper reason code for disconnection not reported")
115         return
116     ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
117     if ev is None:
118         raise Exception("EAP success timed out")
119
120     if initial:
121         ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
122     else:
123         ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
124     if ev is None:
125         raise Exception("Association with the AP timed out")
126     status = dev.get_status()
127     if status["wpa_state"] != "COMPLETED":
128         raise Exception("Connection not completed")
129
130     if status["suppPortStatus"] != "Authorized":
131         raise Exception("Port not authorized")
132     if method not in status["selectedMethod"]:
133         raise Exception("Incorrect EAP method status")
134     if sha256:
135         e = "WPA2-EAP-SHA256"
136     elif rsn:
137         e = "WPA2/IEEE 802.1X/EAP"
138     else:
139         e = "WPA/IEEE 802.1X/EAP"
140     if status["key_mgmt"] != e:
141         raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
142     return status
143
144 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
145     dev.request("REAUTHENTICATE")
146     return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
147                           expect_failure=expect_failure)
148
149 def test_ap_wpa2_eap_sim(dev, apdev):
150     """WPA2-Enterprise connection using EAP-SIM"""
151     check_hlr_auc_gw_support()
152     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
153     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
154     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
155                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156     hwsim_utils.test_connectivity(dev[0], hapd)
157     eap_reauth(dev[0], "SIM")
158
159     eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
160                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
161     eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
162                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
163                 expect_failure=True)
164
165     logger.info("Negative test with incorrect key")
166     dev[0].request("REMOVE_NETWORK all")
167     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
168                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
169                 expect_failure=True)
170
171     logger.info("Invalid GSM-Milenage key")
172     dev[0].request("REMOVE_NETWORK all")
173     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
174                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
175                 expect_failure=True)
176
177     logger.info("Invalid GSM-Milenage key(2)")
178     dev[0].request("REMOVE_NETWORK all")
179     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
180                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
181                 expect_failure=True)
182
183     logger.info("Invalid GSM-Milenage key(3)")
184     dev[0].request("REMOVE_NETWORK all")
185     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
187                 expect_failure=True)
188
189     logger.info("Invalid GSM-Milenage key(4)")
190     dev[0].request("REMOVE_NETWORK all")
191     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
192                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
193                 expect_failure=True)
194
195     logger.info("Missing key configuration")
196     dev[0].request("REMOVE_NETWORK all")
197     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198                 expect_failure=True)
199
200 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
201     """WPA2-Enterprise connection using EAP-SIM (SQL)"""
202     check_hlr_auc_gw_support()
203     try:
204         import sqlite3
205     except ImportError:
206         raise HwsimSkip("No sqlite3 module available")
207     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
208     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
209     params['auth_server_port'] = "1814"
210     hostapd.add_ap(apdev[0]['ifname'], params)
211     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
212                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
213
214     logger.info("SIM fast re-authentication")
215     eap_reauth(dev[0], "SIM")
216
217     logger.info("SIM full auth with pseudonym")
218     with con:
219         cur = con.cursor()
220         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
221     eap_reauth(dev[0], "SIM")
222
223     logger.info("SIM full auth with permanent identity")
224     with con:
225         cur = con.cursor()
226         cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
227         cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
228     eap_reauth(dev[0], "SIM")
229
230     logger.info("SIM reauth with mismatching MK")
231     with con:
232         cur = con.cursor()
233         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
234     eap_reauth(dev[0], "SIM", expect_failure=True)
235     dev[0].request("REMOVE_NETWORK all")
236
237     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
238                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
239     with con:
240         cur = con.cursor()
241         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
242     eap_reauth(dev[0], "SIM")
243     with con:
244         cur = con.cursor()
245         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
246     logger.info("SIM reauth with mismatching counter")
247     eap_reauth(dev[0], "SIM")
248     dev[0].request("REMOVE_NETWORK all")
249
250     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
251                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
252     with con:
253         cur = con.cursor()
254         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
255     logger.info("SIM reauth with max reauth count reached")
256     eap_reauth(dev[0], "SIM")
257
258 def test_ap_wpa2_eap_sim_config(dev, apdev):
259     """EAP-SIM configuration options"""
260     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
261     hostapd.add_ap(apdev[0]['ifname'], params)
262     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
263                    identity="1232010000000000",
264                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
265                    phase1="sim_min_num_chal=1",
266                    wait_connect=False, scan_freq="2412")
267     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
268     if ev is None:
269         raise Exception("No EAP error message seen")
270     dev[0].request("REMOVE_NETWORK all")
271
272     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
273                    identity="1232010000000000",
274                    password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
275                    phase1="sim_min_num_chal=4",
276                    wait_connect=False, scan_freq="2412")
277     ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
278     if ev is None:
279         raise Exception("No EAP error message seen (2)")
280     dev[0].request("REMOVE_NETWORK all")
281
282     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
283                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
284                 phase1="sim_min_num_chal=2")
285     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
286                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
287                 anonymous_identity="345678")
288
289 def test_ap_wpa2_eap_sim_ext(dev, apdev):
290     """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
291     try:
292         _test_ap_wpa2_eap_sim_ext(dev, apdev)
293     finally:
294         dev[0].request("SET external_sim 0")
295
296 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
297     check_hlr_auc_gw_support()
298     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
299     hostapd.add_ap(apdev[0]['ifname'], params)
300     dev[0].request("SET external_sim 1")
301     id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
302                         identity="1232010000000000",
303                         wait_connect=False, scan_freq="2412")
304     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
305     if ev is None:
306         raise Exception("Network connected timed out")
307
308     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
309     if ev is None:
310         raise Exception("Wait for external SIM processing request timed out")
311     p = ev.split(':', 2)
312     if p[1] != "GSM-AUTH":
313         raise Exception("Unexpected CTRL-REQ-SIM type")
314     rid = p[0].split('-')[3]
315
316     # IK:CK:RES
317     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
318     # This will fail during processing, but the ctrl_iface command succeeds
319     dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
320     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
321     if ev is None:
322         raise Exception("EAP failure not reported")
323     dev[0].request("DISCONNECT")
324     dev[0].wait_disconnected()
325     time.sleep(0.1)
326
327     dev[0].select_network(id, freq="2412")
328     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
329     if ev is None:
330         raise Exception("Wait for external SIM processing request timed out")
331     p = ev.split(':', 2)
332     if p[1] != "GSM-AUTH":
333         raise Exception("Unexpected CTRL-REQ-SIM type")
334     rid = p[0].split('-')[3]
335     # This will fail during GSM auth validation
336     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
337         raise Exception("CTRL-RSP-SIM failed")
338     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
339     if ev is None:
340         raise Exception("EAP failure not reported")
341     dev[0].request("DISCONNECT")
342     dev[0].wait_disconnected()
343     time.sleep(0.1)
344
345     dev[0].select_network(id, freq="2412")
346     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
347     if ev is None:
348         raise Exception("Wait for external SIM processing request timed out")
349     p = ev.split(':', 2)
350     if p[1] != "GSM-AUTH":
351         raise Exception("Unexpected CTRL-REQ-SIM type")
352     rid = p[0].split('-')[3]
353     # This will fail during GSM auth validation
354     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
355         raise Exception("CTRL-RSP-SIM failed")
356     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357     if ev is None:
358         raise Exception("EAP failure not reported")
359     dev[0].request("DISCONNECT")
360     dev[0].wait_disconnected()
361     time.sleep(0.1)
362
363     dev[0].select_network(id, freq="2412")
364     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365     if ev is None:
366         raise Exception("Wait for external SIM processing request timed out")
367     p = ev.split(':', 2)
368     if p[1] != "GSM-AUTH":
369         raise Exception("Unexpected CTRL-REQ-SIM type")
370     rid = p[0].split('-')[3]
371     # This will fail during GSM auth validation
372     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
373         raise Exception("CTRL-RSP-SIM failed")
374     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375     if ev is None:
376         raise Exception("EAP failure not reported")
377     dev[0].request("DISCONNECT")
378     dev[0].wait_disconnected()
379     time.sleep(0.1)
380
381     dev[0].select_network(id, freq="2412")
382     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383     if ev is None:
384         raise Exception("Wait for external SIM processing request timed out")
385     p = ev.split(':', 2)
386     if p[1] != "GSM-AUTH":
387         raise Exception("Unexpected CTRL-REQ-SIM type")
388     rid = p[0].split('-')[3]
389     # This will fail during GSM auth validation
390     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
391         raise Exception("CTRL-RSP-SIM failed")
392     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393     if ev is None:
394         raise Exception("EAP failure not reported")
395     dev[0].request("DISCONNECT")
396     dev[0].wait_disconnected()
397     time.sleep(0.1)
398
399     dev[0].select_network(id, freq="2412")
400     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401     if ev is None:
402         raise Exception("Wait for external SIM processing request timed out")
403     p = ev.split(':', 2)
404     if p[1] != "GSM-AUTH":
405         raise Exception("Unexpected CTRL-REQ-SIM type")
406     rid = p[0].split('-')[3]
407     # This will fail during GSM auth validation
408     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
409         raise Exception("CTRL-RSP-SIM failed")
410     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411     if ev is None:
412         raise Exception("EAP failure not reported")
413     dev[0].request("DISCONNECT")
414     dev[0].wait_disconnected()
415     time.sleep(0.1)
416
417     dev[0].select_network(id, freq="2412")
418     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419     if ev is None:
420         raise Exception("Wait for external SIM processing request timed out")
421     p = ev.split(':', 2)
422     if p[1] != "GSM-AUTH":
423         raise Exception("Unexpected CTRL-REQ-SIM type")
424     rid = p[0].split('-')[3]
425     # This will fail during GSM auth validation
426     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
427         raise Exception("CTRL-RSP-SIM failed")
428     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429     if ev is None:
430         raise Exception("EAP failure not reported")
431
432 def test_ap_wpa2_eap_sim_oom(dev, apdev):
433     """EAP-SIM and OOM"""
434     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
435     hostapd.add_ap(apdev[0]['ifname'], params)
436     tests = [ (1, "milenage_f2345"),
437               (2, "milenage_f2345"),
438               (3, "milenage_f2345"),
439               (4, "milenage_f2345"),
440               (5, "milenage_f2345"),
441               (6, "milenage_f2345"),
442               (7, "milenage_f2345"),
443               (8, "milenage_f2345"),
444               (9, "milenage_f2345"),
445               (10, "milenage_f2345"),
446               (11, "milenage_f2345"),
447               (12, "milenage_f2345") ]
448     for count, func in tests:
449         with alloc_fail(dev[0], count, func):
450             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
451                            identity="1232010000000000",
452                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
453                            wait_connect=False, scan_freq="2412")
454             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
455             if ev is None:
456                 raise Exception("EAP method not selected")
457             dev[0].wait_disconnected()
458             dev[0].request("REMOVE_NETWORK all")
459
460 def test_ap_wpa2_eap_aka(dev, apdev):
461     """WPA2-Enterprise connection using EAP-AKA"""
462     check_hlr_auc_gw_support()
463     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
464     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
465     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
466                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
467     hwsim_utils.test_connectivity(dev[0], hapd)
468     eap_reauth(dev[0], "AKA")
469
470     logger.info("Negative test with incorrect key")
471     dev[0].request("REMOVE_NETWORK all")
472     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
473                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
474                 expect_failure=True)
475
476     logger.info("Invalid Milenage key")
477     dev[0].request("REMOVE_NETWORK all")
478     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479                 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
480                 expect_failure=True)
481
482     logger.info("Invalid Milenage key(2)")
483     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484                 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
485                 expect_failure=True)
486
487     logger.info("Invalid Milenage key(3)")
488     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
490                 expect_failure=True)
491
492     logger.info("Invalid Milenage key(4)")
493     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
494                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
495                 expect_failure=True)
496
497     logger.info("Invalid Milenage key(5)")
498     dev[0].request("REMOVE_NETWORK all")
499     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
501                 expect_failure=True)
502
503     logger.info("Invalid Milenage key(6)")
504     dev[0].request("REMOVE_NETWORK all")
505     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
506                 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
507                 expect_failure=True)
508
509     logger.info("Missing key configuration")
510     dev[0].request("REMOVE_NETWORK all")
511     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512                 expect_failure=True)
513
514 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
515     """WPA2-Enterprise connection using EAP-AKA (SQL)"""
516     check_hlr_auc_gw_support()
517     try:
518         import sqlite3
519     except ImportError:
520         raise HwsimSkip("No sqlite3 module available")
521     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
522     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
523     params['auth_server_port'] = "1814"
524     hostapd.add_ap(apdev[0]['ifname'], params)
525     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
526                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
527
528     logger.info("AKA fast re-authentication")
529     eap_reauth(dev[0], "AKA")
530
531     logger.info("AKA full auth with pseudonym")
532     with con:
533         cur = con.cursor()
534         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
535     eap_reauth(dev[0], "AKA")
536
537     logger.info("AKA full auth with permanent identity")
538     with con:
539         cur = con.cursor()
540         cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
541         cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
542     eap_reauth(dev[0], "AKA")
543
544     logger.info("AKA reauth with mismatching MK")
545     with con:
546         cur = con.cursor()
547         cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
548     eap_reauth(dev[0], "AKA", expect_failure=True)
549     dev[0].request("REMOVE_NETWORK all")
550
551     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
552                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
553     with con:
554         cur = con.cursor()
555         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
556     eap_reauth(dev[0], "AKA")
557     with con:
558         cur = con.cursor()
559         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
560     logger.info("AKA reauth with mismatching counter")
561     eap_reauth(dev[0], "AKA")
562     dev[0].request("REMOVE_NETWORK all")
563
564     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
565                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
566     with con:
567         cur = con.cursor()
568         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
569     logger.info("AKA reauth with max reauth count reached")
570     eap_reauth(dev[0], "AKA")
571
572 def test_ap_wpa2_eap_aka_config(dev, apdev):
573     """EAP-AKA configuration options"""
574     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
575     hostapd.add_ap(apdev[0]['ifname'], params)
576     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
577                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
578                 anonymous_identity="2345678")
579
580 def test_ap_wpa2_eap_aka_ext(dev, apdev):
581     """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
582     try:
583         _test_ap_wpa2_eap_aka_ext(dev, apdev)
584     finally:
585         dev[0].request("SET external_sim 0")
586
587 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
588     check_hlr_auc_gw_support()
589     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
590     hostapd.add_ap(apdev[0]['ifname'], params)
591     dev[0].request("SET external_sim 1")
592     id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
593                         identity="0232010000000000",
594                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
595                         wait_connect=False, scan_freq="2412")
596     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
597     if ev is None:
598         raise Exception("Network connected timed out")
599
600     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
601     if ev is None:
602         raise Exception("Wait for external SIM processing request timed out")
603     p = ev.split(':', 2)
604     if p[1] != "UMTS-AUTH":
605         raise Exception("Unexpected CTRL-REQ-SIM type")
606     rid = p[0].split('-')[3]
607
608     # IK:CK:RES
609     resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
610     # This will fail during processing, but the ctrl_iface command succeeds
611     dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
612     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
613     if ev is None:
614         raise Exception("EAP failure not reported")
615     dev[0].request("DISCONNECT")
616     dev[0].wait_disconnected()
617     time.sleep(0.1)
618
619     dev[0].select_network(id, freq="2412")
620     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
621     if ev is None:
622         raise Exception("Wait for external SIM processing request timed out")
623     p = ev.split(':', 2)
624     if p[1] != "UMTS-AUTH":
625         raise Exception("Unexpected CTRL-REQ-SIM type")
626     rid = p[0].split('-')[3]
627     # This will fail during UMTS auth validation
628     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
629         raise Exception("CTRL-RSP-SIM failed")
630     ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
631     if ev is None:
632         raise Exception("Wait for external SIM processing request timed out")
633     p = ev.split(':', 2)
634     if p[1] != "UMTS-AUTH":
635         raise Exception("Unexpected CTRL-REQ-SIM type")
636     rid = p[0].split('-')[3]
637     # This will fail during UMTS auth validation
638     if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
639         raise Exception("CTRL-RSP-SIM failed")
640     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
641     if ev is None:
642         raise Exception("EAP failure not reported")
643     dev[0].request("DISCONNECT")
644     dev[0].wait_disconnected()
645     time.sleep(0.1)
646
647     tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
648               ":UMTS-AUTH:34",
649               ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
650               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
651               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
652               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
653               ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
654     for t in tests:
655         dev[0].select_network(id, freq="2412")
656         ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
657         if ev is None:
658             raise Exception("Wait for external SIM processing request timed out")
659         p = ev.split(':', 2)
660         if p[1] != "UMTS-AUTH":
661             raise Exception("Unexpected CTRL-REQ-SIM type")
662         rid = p[0].split('-')[3]
663         # This will fail during UMTS auth validation
664         if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
665             raise Exception("CTRL-RSP-SIM failed")
666         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
667         if ev is None:
668             raise Exception("EAP failure not reported")
669         dev[0].request("DISCONNECT")
670         dev[0].wait_disconnected()
671         time.sleep(0.1)
672
673 def test_ap_wpa2_eap_aka_prime(dev, apdev):
674     """WPA2-Enterprise connection using EAP-AKA'"""
675     check_hlr_auc_gw_support()
676     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
677     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
678     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
680     hwsim_utils.test_connectivity(dev[0], hapd)
681     eap_reauth(dev[0], "AKA'")
682
683     logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
684     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
685                    identity="6555444333222111@both",
686                    password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
687                    wait_connect=False, scan_freq="2412")
688     dev[1].wait_connected(timeout=15)
689
690     logger.info("Negative test with incorrect key")
691     dev[0].request("REMOVE_NETWORK all")
692     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
693                 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
694                 expect_failure=True)
695
696 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
697     """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
698     check_hlr_auc_gw_support()
699     try:
700         import sqlite3
701     except ImportError:
702         raise HwsimSkip("No sqlite3 module available")
703     con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
704     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
705     params['auth_server_port'] = "1814"
706     hostapd.add_ap(apdev[0]['ifname'], params)
707     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
708                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
709
710     logger.info("AKA' fast re-authentication")
711     eap_reauth(dev[0], "AKA'")
712
713     logger.info("AKA' full auth with pseudonym")
714     with con:
715         cur = con.cursor()
716         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
717     eap_reauth(dev[0], "AKA'")
718
719     logger.info("AKA' full auth with permanent identity")
720     with con:
721         cur = con.cursor()
722         cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
723         cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
724     eap_reauth(dev[0], "AKA'")
725
726     logger.info("AKA' reauth with mismatching k_aut")
727     with con:
728         cur = con.cursor()
729         cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
730     eap_reauth(dev[0], "AKA'", expect_failure=True)
731     dev[0].request("REMOVE_NETWORK all")
732
733     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
734                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
735     with con:
736         cur = con.cursor()
737         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
738     eap_reauth(dev[0], "AKA'")
739     with con:
740         cur = con.cursor()
741         cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
742     logger.info("AKA' reauth with mismatching counter")
743     eap_reauth(dev[0], "AKA'")
744     dev[0].request("REMOVE_NETWORK all")
745
746     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
747                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748     with con:
749         cur = con.cursor()
750         cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
751     logger.info("AKA' reauth with max reauth count reached")
752     eap_reauth(dev[0], "AKA'")
753
754 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
755     """WPA2-Enterprise connection using EAP-TTLS/PAP"""
756     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
757     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
758     key_mgmt = hapd.get_config()['key_mgmt']
759     if key_mgmt.split(' ')[0] != "WPA-EAP":
760         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
761     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
762                 anonymous_identity="ttls", password="password",
763                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
764     hwsim_utils.test_connectivity(dev[0], hapd)
765     eap_reauth(dev[0], "TTLS")
766     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
767                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
768
769 def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
770     """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
771     check_subject_match_support(dev[0])
772     check_altsubject_match_support(dev[0])
773     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
774     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
775     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
776                 anonymous_identity="ttls", password="password",
777                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
778                 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
779                 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
780     eap_reauth(dev[0], "TTLS")
781
782 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
783     """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
784     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
785     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
786     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
787                 anonymous_identity="ttls", password="wrong",
788                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
789                 expect_failure=True)
790     eap_connect(dev[1], apdev[0], "TTLS", "user",
791                 anonymous_identity="ttls", password="password",
792                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
793                 expect_failure=True)
794
795 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
796     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
797     skip_with_fips(dev[0])
798     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
799     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
800     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
801                 anonymous_identity="ttls", password="password",
802                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
803     hwsim_utils.test_connectivity(dev[0], hapd)
804     eap_reauth(dev[0], "TTLS")
805
806 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
807     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
808     skip_with_fips(dev[0])
809     check_altsubject_match_support(dev[0])
810     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
811     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
812     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
813                 anonymous_identity="ttls", password="password",
814                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
815                 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
816     eap_reauth(dev[0], "TTLS")
817
818 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
819     """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
820     skip_with_fips(dev[0])
821     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
822     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
823     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
824                 anonymous_identity="ttls", password="wrong",
825                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
826                 expect_failure=True)
827     eap_connect(dev[1], apdev[0], "TTLS", "user",
828                 anonymous_identity="ttls", password="password",
829                 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
830                 expect_failure=True)
831
832 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
833     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
834     skip_with_fips(dev[0])
835     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
836     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
837     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
838                 anonymous_identity="ttls", password="password",
839                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
840                 domain_suffix_match="server.w1.fi")
841     hwsim_utils.test_connectivity(dev[0], hapd)
842     eap_reauth(dev[0], "TTLS")
843     dev[0].request("REMOVE_NETWORK all")
844     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
845                 anonymous_identity="ttls", password="password",
846                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
847                 fragment_size="200")
848
849 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
850     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
851     skip_with_fips(dev[0])
852     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
853     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
854     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
855                 anonymous_identity="ttls", password="wrong",
856                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
857                 expect_failure=True)
858     eap_connect(dev[1], apdev[0], "TTLS", "user",
859                 anonymous_identity="ttls", password="password",
860                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
861                 expect_failure=True)
862     eap_connect(dev[2], apdev[0], "TTLS", "no such user",
863                 anonymous_identity="ttls", password="password",
864                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
865                 expect_failure=True)
866
867 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
868     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
869     check_eap_capa(dev[0], "MSCHAPV2")
870     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
871     hostapd.add_ap(apdev[0]['ifname'], params)
872     hapd = hostapd.Hostapd(apdev[0]['ifname'])
873     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
874                 anonymous_identity="ttls", password="password",
875                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
876                 domain_suffix_match="server.w1.fi")
877     hwsim_utils.test_connectivity(dev[0], hapd)
878     sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
879     eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
880     eap_reauth(dev[0], "TTLS")
881     sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
882     eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
883     if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
884         raise Exception("dot1xAuthEapolFramesRx did not increase")
885     if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
886         raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
887     if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
888         raise Exception("backendAuthSuccesses did not increase")
889
890     logger.info("Password as hash value")
891     dev[0].request("REMOVE_NETWORK all")
892     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
893                 anonymous_identity="ttls",
894                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
895                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
896
897 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
898     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
899     check_domain_match_full(dev[0])
900     skip_with_fips(dev[0])
901     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
902     hostapd.add_ap(apdev[0]['ifname'], params)
903     hapd = hostapd.Hostapd(apdev[0]['ifname'])
904     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
905                 anonymous_identity="ttls", password="password",
906                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
907                 domain_suffix_match="w1.fi")
908     hwsim_utils.test_connectivity(dev[0], hapd)
909     eap_reauth(dev[0], "TTLS")
910
911 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
912     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
913     skip_with_fips(dev[0])
914     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
915     hostapd.add_ap(apdev[0]['ifname'], params)
916     hapd = hostapd.Hostapd(apdev[0]['ifname'])
917     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
918                 anonymous_identity="ttls", password="password",
919                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
920                 domain_match="Server.w1.fi")
921     hwsim_utils.test_connectivity(dev[0], hapd)
922     eap_reauth(dev[0], "TTLS")
923
924 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
925     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
926     skip_with_fips(dev[0])
927     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
928     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
929     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
930                 anonymous_identity="ttls", password="password1",
931                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
932                 expect_failure=True)
933     eap_connect(dev[1], apdev[0], "TTLS", "user",
934                 anonymous_identity="ttls", password="password",
935                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
936                 expect_failure=True)
937
938 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
939     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
940     skip_with_fips(dev[0])
941     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
942     hostapd.add_ap(apdev[0]['ifname'], params)
943     hapd = hostapd.Hostapd(apdev[0]['ifname'])
944     eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
945                 anonymous_identity="ttls", password="secret-åäö-€-password",
946                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
947     eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
948                 anonymous_identity="ttls",
949                 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
950                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
951
952 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
953     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
954     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
955     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
956     eap_connect(dev[0], apdev[0], "TTLS", "user",
957                 anonymous_identity="ttls", password="password",
958                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
959     hwsim_utils.test_connectivity(dev[0], hapd)
960     eap_reauth(dev[0], "TTLS")
961
962 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
963     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
964     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
965     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
966     eap_connect(dev[0], apdev[0], "TTLS", "user",
967                 anonymous_identity="ttls", password="wrong",
968                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
969                 expect_failure=True)
970
971 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
972     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
973     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
974     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
975     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
976                 anonymous_identity="ttls", password="password",
977                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
978                 expect_failure=True)
979
980 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
981     """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
982     params = int_eap_server_params()
983     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984     with alloc_fail(hapd, 1, "eap_gtc_init"):
985         eap_connect(dev[0], apdev[0], "TTLS", "user",
986                     anonymous_identity="ttls", password="password",
987                     ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
988                     expect_failure=True)
989         dev[0].request("REMOVE_NETWORK all")
990
991     with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
992         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
993                        eap="TTLS", identity="user",
994                        anonymous_identity="ttls", password="password",
995                        ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
996                        wait_connect=False, scan_freq="2412")
997         # This would eventually time out, but we can stop after having reached
998         # the allocation failure.
999         for i in range(20):
1000             time.sleep(0.1)
1001             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1002                 break
1003
1004 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
1005     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1006     check_eap_capa(dev[0], "MD5")
1007     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1008     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1009     eap_connect(dev[0], apdev[0], "TTLS", "user",
1010                 anonymous_identity="ttls", password="password",
1011                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
1012     hwsim_utils.test_connectivity(dev[0], hapd)
1013     eap_reauth(dev[0], "TTLS")
1014
1015 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
1016     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1017     check_eap_capa(dev[0], "MD5")
1018     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1019     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1020     eap_connect(dev[0], apdev[0], "TTLS", "user",
1021                 anonymous_identity="ttls", password="wrong",
1022                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1023                 expect_failure=True)
1024
1025 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1026     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1027     check_eap_capa(dev[0], "MD5")
1028     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1029     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1030     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1031                 anonymous_identity="ttls", password="password",
1032                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1033                 expect_failure=True)
1034
1035 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1036     """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1037     check_eap_capa(dev[0], "MD5")
1038     params = int_eap_server_params()
1039     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1040     with alloc_fail(hapd, 1, "eap_md5_init"):
1041         eap_connect(dev[0], apdev[0], "TTLS", "user",
1042                     anonymous_identity="ttls", password="password",
1043                     ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1044                     expect_failure=True)
1045         dev[0].request("REMOVE_NETWORK all")
1046
1047     with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1048         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1049                        eap="TTLS", identity="user",
1050                        anonymous_identity="ttls", password="password",
1051                        ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1052                        wait_connect=False, scan_freq="2412")
1053         # This would eventually time out, but we can stop after having reached
1054         # the allocation failure.
1055         for i in range(20):
1056             time.sleep(0.1)
1057             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1058                 break
1059
1060 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1061     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1062     check_eap_capa(dev[0], "MSCHAPV2")
1063     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1064     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1065     eap_connect(dev[0], apdev[0], "TTLS", "user",
1066                 anonymous_identity="ttls", password="password",
1067                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
1068     hwsim_utils.test_connectivity(dev[0], hapd)
1069     eap_reauth(dev[0], "TTLS")
1070
1071     logger.info("Negative test with incorrect password")
1072     dev[0].request("REMOVE_NETWORK all")
1073     eap_connect(dev[0], apdev[0], "TTLS", "user",
1074                 anonymous_identity="ttls", password="password1",
1075                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1076                 expect_failure=True)
1077
1078 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1079     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1080     check_eap_capa(dev[0], "MSCHAPV2")
1081     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1082     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1083     eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1084                 anonymous_identity="ttls", password="password",
1085                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1086                 expect_failure=True)
1087
1088 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1089     """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1090     check_eap_capa(dev[0], "MSCHAPV2")
1091     params = int_eap_server_params()
1092     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1093     with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1094         eap_connect(dev[0], apdev[0], "TTLS", "user",
1095                     anonymous_identity="ttls", password="password",
1096                     ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1097                     expect_failure=True)
1098         dev[0].request("REMOVE_NETWORK all")
1099
1100     with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1101         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1102                        eap="TTLS", identity="user",
1103                        anonymous_identity="ttls", password="password",
1104                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1105                        wait_connect=False, scan_freq="2412")
1106         # This would eventually time out, but we can stop after having reached
1107         # the allocation failure.
1108         for i in range(20):
1109             time.sleep(0.1)
1110             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1111                 break
1112         dev[0].request("REMOVE_NETWORK all")
1113
1114     with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1115         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1116                        eap="TTLS", identity="user",
1117                        anonymous_identity="ttls", password="password",
1118                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1119                        wait_connect=False, scan_freq="2412")
1120         # This would eventually time out, but we can stop after having reached
1121         # the allocation failure.
1122         for i in range(20):
1123             time.sleep(0.1)
1124             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1125                 break
1126         dev[0].request("REMOVE_NETWORK all")
1127
1128     with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1129         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1130                        eap="TTLS", identity="user",
1131                        anonymous_identity="ttls", password="wrong",
1132                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1133                        wait_connect=False, scan_freq="2412")
1134         # This would eventually time out, but we can stop after having reached
1135         # the allocation failure.
1136         for i in range(20):
1137             time.sleep(0.1)
1138             if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1139                 break
1140         dev[0].request("REMOVE_NETWORK all")
1141
1142 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1143     """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1144     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1145     hostapd.add_ap(apdev[0]['ifname'], params)
1146     eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
1147                 anonymous_identity="0232010000000000@ttls",
1148                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1149                 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1150
1151 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1152     """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1153     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1154     hostapd.add_ap(apdev[0]['ifname'], params)
1155     eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
1156                 anonymous_identity="0232010000000000@peap",
1157                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1158                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1159
1160 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1161     """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1162     check_eap_capa(dev[0], "FAST")
1163     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1164     hostapd.add_ap(apdev[0]['ifname'], params)
1165     eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
1166                 anonymous_identity="0232010000000000@fast",
1167                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1168                 phase1="fast_provisioning=2",
1169                 pac_file="blob://fast_pac_auth_aka",
1170                 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1171
1172 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1173     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1174     check_eap_capa(dev[0], "MSCHAPV2")
1175     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1176     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1177     eap_connect(dev[0], apdev[0], "PEAP", "user",
1178                 anonymous_identity="peap", password="password",
1179                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1180     hwsim_utils.test_connectivity(dev[0], hapd)
1181     eap_reauth(dev[0], "PEAP")
1182     dev[0].request("REMOVE_NETWORK all")
1183     eap_connect(dev[0], apdev[0], "PEAP", "user",
1184                 anonymous_identity="peap", password="password",
1185                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1186                 fragment_size="200")
1187
1188     logger.info("Password as hash value")
1189     dev[0].request("REMOVE_NETWORK all")
1190     eap_connect(dev[0], apdev[0], "PEAP", "user",
1191                 anonymous_identity="peap",
1192                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1193                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1194
1195     logger.info("Negative test with incorrect password")
1196     dev[0].request("REMOVE_NETWORK all")
1197     eap_connect(dev[0], apdev[0], "PEAP", "user",
1198                 anonymous_identity="peap", password="password1",
1199                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1200                 expect_failure=True)
1201
1202 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1203     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1204     check_eap_capa(dev[0], "MSCHAPV2")
1205     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1206     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1207     eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
1208                 anonymous_identity="peap", password="password",
1209                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1210     hwsim_utils.test_connectivity(dev[0], hapd)
1211     eap_reauth(dev[0], "PEAP")
1212
1213 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1214     """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1215     check_eap_capa(dev[0], "MSCHAPV2")
1216     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1217     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1218     eap_connect(dev[0], apdev[0], "PEAP", "user",
1219                 anonymous_identity="peap", password="wrong",
1220                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1221                 expect_failure=True)
1222
1223 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1224     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1225     check_eap_capa(dev[0], "MSCHAPV2")
1226     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1227     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1228     eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1229                 ca_cert="auth_serv/ca.pem",
1230                 phase1="peapver=0 crypto_binding=2",
1231                 phase2="auth=MSCHAPV2")
1232     hwsim_utils.test_connectivity(dev[0], hapd)
1233     eap_reauth(dev[0], "PEAP")
1234
1235     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1236                 ca_cert="auth_serv/ca.pem",
1237                 phase1="peapver=0 crypto_binding=1",
1238                 phase2="auth=MSCHAPV2")
1239     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1240                 ca_cert="auth_serv/ca.pem",
1241                 phase1="peapver=0 crypto_binding=0",
1242                 phase2="auth=MSCHAPV2")
1243
1244 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1245     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1246     check_eap_capa(dev[0], "MSCHAPV2")
1247     params = int_eap_server_params()
1248     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1249     with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
1250         eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1251                     ca_cert="auth_serv/ca.pem",
1252                     phase1="peapver=0 crypto_binding=2",
1253                     phase2="auth=MSCHAPV2",
1254                     expect_failure=True, local_error_report=True)
1255
1256 def test_ap_wpa2_eap_peap_params(dev, apdev):
1257     """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1258     check_eap_capa(dev[0], "MSCHAPV2")
1259     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1260     hostapd.add_ap(apdev[0]['ifname'], params)
1261     eap_connect(dev[0], apdev[0], "PEAP", "user",
1262                 anonymous_identity="peap", password="password",
1263                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1264                 phase1="peapver=0 peaplabel=1",
1265                 expect_failure=True)
1266     dev[0].request("REMOVE_NETWORK all")
1267     eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1268                 ca_cert="auth_serv/ca.pem",
1269                 phase1="peap_outer_success=1",
1270                 phase2="auth=MSCHAPV2")
1271     eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1272                 ca_cert="auth_serv/ca.pem",
1273                 phase1="peap_outer_success=2",
1274                 phase2="auth=MSCHAPV2")
1275     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1276                    identity="user",
1277                    anonymous_identity="peap", password="password",
1278                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1279                    phase1="peapver=1 peaplabel=1",
1280                    wait_connect=False, scan_freq="2412")
1281     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1282     if ev is None:
1283         raise Exception("No EAP success seen")
1284     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1285     if ev is not None:
1286         raise Exception("Unexpected connection")
1287
1288 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
1289     """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1290     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291     hostapd.add_ap(apdev[0]['ifname'], params)
1292     eap_connect(dev[0], apdev[0], "PEAP", "cert user",
1293                 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
1294                 ca_cert2="auth_serv/ca.pem",
1295                 client_cert2="auth_serv/user.pem",
1296                 private_key2="auth_serv/user.key")
1297     eap_reauth(dev[0], "PEAP")
1298
1299 def test_ap_wpa2_eap_tls(dev, apdev):
1300     """WPA2-Enterprise connection using EAP-TLS"""
1301     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1302     hostapd.add_ap(apdev[0]['ifname'], params)
1303     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1304                 client_cert="auth_serv/user.pem",
1305                 private_key="auth_serv/user.key")
1306     eap_reauth(dev[0], "TLS")
1307
1308 def test_ap_wpa2_eap_tls_blob(dev, apdev):
1309     """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1310     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1311     hostapd.add_ap(apdev[0]['ifname'], params)
1312     cert = read_pem("auth_serv/ca.pem")
1313     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1314         raise Exception("Could not set cacert blob")
1315     cert = read_pem("auth_serv/user.pem")
1316     if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
1317         raise Exception("Could not set usercert blob")
1318     key = read_pem("auth_serv/user.rsa-key")
1319     if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
1320         raise Exception("Could not set cacert blob")
1321     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1322                 client_cert="blob://usercert",
1323                 private_key="blob://userkey")
1324
1325 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1326     """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1327     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1328     hostapd.add_ap(apdev[0]['ifname'], params)
1329     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1330                 private_key="auth_serv/user.pkcs12",
1331                 private_key_passwd="whatever")
1332     dev[0].request("REMOVE_NETWORK all")
1333     dev[0].wait_disconnected()
1334
1335     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1336                    identity="tls user",
1337                    ca_cert="auth_serv/ca.pem",
1338                    private_key="auth_serv/user.pkcs12",
1339                    wait_connect=False, scan_freq="2412")
1340     ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1341     if ev is None:
1342         raise Exception("Request for private key passphrase timed out")
1343     id = ev.split(':')[0].split('-')[-1]
1344     dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1345     dev[0].wait_connected(timeout=10)
1346     dev[0].request("REMOVE_NETWORK all")
1347     dev[0].wait_disconnected()
1348
1349     # Run this twice to verify certificate chain handling with OpenSSL. Use two
1350     # different files to cover both cases of the extra certificate being the
1351     # one that signed the client certificate and it being unrelated to the
1352     # client certificate.
1353     for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1354         for i in range(2):
1355             eap_connect(dev[0], apdev[0], "TLS", "tls user",
1356                         ca_cert="auth_serv/ca.pem",
1357                         private_key=pkcs12,
1358                         private_key_passwd="whatever")
1359             dev[0].request("REMOVE_NETWORK all")
1360             dev[0].wait_disconnected()
1361
1362 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
1363     """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1364     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1365     hostapd.add_ap(apdev[0]['ifname'], params)
1366     cert = read_pem("auth_serv/ca.pem")
1367     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1368         raise Exception("Could not set cacert blob")
1369     with open("auth_serv/user.pkcs12", "rb") as f:
1370         if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
1371             raise Exception("Could not set pkcs12 blob")
1372     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1373                 private_key="blob://pkcs12",
1374                 private_key_passwd="whatever")
1375
1376 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1377     """WPA2-Enterprise negative test - incorrect trust root"""
1378     check_eap_capa(dev[0], "MSCHAPV2")
1379     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1380     hostapd.add_ap(apdev[0]['ifname'], params)
1381     cert = read_pem("auth_serv/ca-incorrect.pem")
1382     if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1383         raise Exception("Could not set cacert blob")
1384     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1385                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1386                    password="password", phase2="auth=MSCHAPV2",
1387                    ca_cert="blob://cacert",
1388                    wait_connect=False, scan_freq="2412")
1389     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1390                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1391                    password="password", phase2="auth=MSCHAPV2",
1392                    ca_cert="auth_serv/ca-incorrect.pem",
1393                    wait_connect=False, scan_freq="2412")
1394
1395     for dev in (dev[0], dev[1]):
1396         ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1397         if ev is None:
1398             raise Exception("Association and EAP start timed out")
1399
1400         ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1401         if ev is None:
1402             raise Exception("EAP method selection timed out")
1403         if "TTLS" not in ev:
1404             raise Exception("Unexpected EAP method")
1405
1406         ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1407                              "CTRL-EVENT-EAP-SUCCESS",
1408                              "CTRL-EVENT-EAP-FAILURE",
1409                              "CTRL-EVENT-CONNECTED",
1410                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1411         if ev is None:
1412             raise Exception("EAP result timed out")
1413         if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1414             raise Exception("TLS certificate error not reported")
1415
1416         ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1417                              "CTRL-EVENT-EAP-FAILURE",
1418                              "CTRL-EVENT-CONNECTED",
1419                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1420         if ev is None:
1421             raise Exception("EAP result(2) timed out")
1422         if "CTRL-EVENT-EAP-FAILURE" not in ev:
1423             raise Exception("EAP failure not reported")
1424
1425         ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1426                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
1427         if ev is None:
1428             raise Exception("EAP result(3) timed out")
1429         if "CTRL-EVENT-DISCONNECTED" not in ev:
1430             raise Exception("Disconnection not reported")
1431
1432         ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1433         if ev is None:
1434             raise Exception("Network block disabling not reported")
1435
1436 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1437     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1438     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1439     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1440     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1441                    identity="pap user", anonymous_identity="ttls",
1442                    password="password", phase2="auth=PAP",
1443                    ca_cert="auth_serv/ca.pem",
1444                    wait_connect=True, scan_freq="2412")
1445     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1446                         identity="pap user", anonymous_identity="ttls",
1447                         password="password", phase2="auth=PAP",
1448                         ca_cert="auth_serv/ca-incorrect.pem",
1449                         only_add_network=True, scan_freq="2412")
1450
1451     dev[0].request("DISCONNECT")
1452     dev[0].wait_disconnected()
1453     dev[0].dump_monitor()
1454     dev[0].select_network(id, freq="2412")
1455
1456     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1457     if ev is None:
1458         raise Exception("EAP-TTLS not re-started")
1459     
1460     ev = dev[0].wait_disconnected(timeout=15)
1461     if "reason=23" not in ev:
1462         raise Exception("Proper reason code for disconnection not reported")
1463
1464 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1465     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1466     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1467     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1468     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1469                    identity="pap user", anonymous_identity="ttls",
1470                    password="password", phase2="auth=PAP",
1471                    wait_connect=True, scan_freq="2412")
1472     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1473                         identity="pap user", anonymous_identity="ttls",
1474                         password="password", phase2="auth=PAP",
1475                         ca_cert="auth_serv/ca-incorrect.pem",
1476                         only_add_network=True, scan_freq="2412")
1477
1478     dev[0].request("DISCONNECT")
1479     dev[0].wait_disconnected()
1480     dev[0].dump_monitor()
1481     dev[0].select_network(id, freq="2412")
1482
1483     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1484     if ev is None:
1485         raise Exception("EAP-TTLS not re-started")
1486     
1487     ev = dev[0].wait_disconnected(timeout=15)
1488     if "reason=23" not in ev:
1489         raise Exception("Proper reason code for disconnection not reported")
1490
1491 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1492     """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1493     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1494     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1495     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1496                         identity="pap user", anonymous_identity="ttls",
1497                         password="password", phase2="auth=PAP",
1498                         ca_cert="auth_serv/ca.pem",
1499                         wait_connect=True, scan_freq="2412")
1500     dev[0].request("DISCONNECT")
1501     dev[0].wait_disconnected()
1502     dev[0].dump_monitor()
1503     dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1504     dev[0].select_network(id, freq="2412")
1505
1506     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1507     if ev is None:
1508         raise Exception("EAP-TTLS not re-started")
1509     
1510     ev = dev[0].wait_disconnected(timeout=15)
1511     if "reason=23" not in ev:
1512         raise Exception("Proper reason code for disconnection not reported")
1513
1514 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1515     """WPA2-Enterprise negative test - domain suffix mismatch"""
1516     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1517     hostapd.add_ap(apdev[0]['ifname'], params)
1518     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1519                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1520                    password="password", phase2="auth=MSCHAPV2",
1521                    ca_cert="auth_serv/ca.pem",
1522                    domain_suffix_match="incorrect.example.com",
1523                    wait_connect=False, scan_freq="2412")
1524
1525     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1526     if ev is None:
1527         raise Exception("Association and EAP start timed out")
1528
1529     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1530     if ev is None:
1531         raise Exception("EAP method selection timed out")
1532     if "TTLS" not in ev:
1533         raise Exception("Unexpected EAP method")
1534
1535     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1536                             "CTRL-EVENT-EAP-SUCCESS",
1537                             "CTRL-EVENT-EAP-FAILURE",
1538                             "CTRL-EVENT-CONNECTED",
1539                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1540     if ev is None:
1541         raise Exception("EAP result timed out")
1542     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1543         raise Exception("TLS certificate error not reported")
1544     if "Domain suffix mismatch" not in ev:
1545         raise Exception("Domain suffix mismatch not reported")
1546
1547     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1548                             "CTRL-EVENT-EAP-FAILURE",
1549                             "CTRL-EVENT-CONNECTED",
1550                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1551     if ev is None:
1552         raise Exception("EAP result(2) timed out")
1553     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1554         raise Exception("EAP failure not reported")
1555
1556     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1557                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1558     if ev is None:
1559         raise Exception("EAP result(3) timed out")
1560     if "CTRL-EVENT-DISCONNECTED" not in ev:
1561         raise Exception("Disconnection not reported")
1562
1563     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1564     if ev is None:
1565         raise Exception("Network block disabling not reported")
1566
1567 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1568     """WPA2-Enterprise negative test - domain mismatch"""
1569     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1570     hostapd.add_ap(apdev[0]['ifname'], params)
1571     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1572                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1573                    password="password", phase2="auth=MSCHAPV2",
1574                    ca_cert="auth_serv/ca.pem",
1575                    domain_match="w1.fi",
1576                    wait_connect=False, scan_freq="2412")
1577
1578     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1579     if ev is None:
1580         raise Exception("Association and EAP start timed out")
1581
1582     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1583     if ev is None:
1584         raise Exception("EAP method selection timed out")
1585     if "TTLS" not in ev:
1586         raise Exception("Unexpected EAP method")
1587
1588     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1589                             "CTRL-EVENT-EAP-SUCCESS",
1590                             "CTRL-EVENT-EAP-FAILURE",
1591                             "CTRL-EVENT-CONNECTED",
1592                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1593     if ev is None:
1594         raise Exception("EAP result timed out")
1595     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1596         raise Exception("TLS certificate error not reported")
1597     if "Domain mismatch" not in ev:
1598         raise Exception("Domain mismatch not reported")
1599
1600     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1601                             "CTRL-EVENT-EAP-FAILURE",
1602                             "CTRL-EVENT-CONNECTED",
1603                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1604     if ev is None:
1605         raise Exception("EAP result(2) timed out")
1606     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1607         raise Exception("EAP failure not reported")
1608
1609     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1610                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1611     if ev is None:
1612         raise Exception("EAP result(3) timed out")
1613     if "CTRL-EVENT-DISCONNECTED" not in ev:
1614         raise Exception("Disconnection not reported")
1615
1616     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1617     if ev is None:
1618         raise Exception("Network block disabling not reported")
1619
1620 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1621     """WPA2-Enterprise negative test - subject mismatch"""
1622     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1623     hostapd.add_ap(apdev[0]['ifname'], params)
1624     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1625                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1626                    password="password", phase2="auth=MSCHAPV2",
1627                    ca_cert="auth_serv/ca.pem",
1628                    subject_match="/C=FI/O=w1.fi/CN=example.com",
1629                    wait_connect=False, scan_freq="2412")
1630
1631     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1632     if ev is None:
1633         raise Exception("Association and EAP start timed out")
1634
1635     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1636                             "EAP: Failed to initialize EAP method"], timeout=10)
1637     if ev is None:
1638         raise Exception("EAP method selection timed out")
1639     if "EAP: Failed to initialize EAP method" in ev:
1640         tls = dev[0].request("GET tls_library")
1641         if tls.startswith("OpenSSL"):
1642             raise Exception("Failed to select EAP method")
1643         logger.info("subject_match not supported - connection failed, so test succeeded")
1644         return
1645     if "TTLS" not in ev:
1646         raise Exception("Unexpected EAP method")
1647
1648     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1649                             "CTRL-EVENT-EAP-SUCCESS",
1650                             "CTRL-EVENT-EAP-FAILURE",
1651                             "CTRL-EVENT-CONNECTED",
1652                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1653     if ev is None:
1654         raise Exception("EAP result timed out")
1655     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1656         raise Exception("TLS certificate error not reported")
1657     if "Subject mismatch" not in ev:
1658         raise Exception("Subject mismatch not reported")
1659
1660     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1661                             "CTRL-EVENT-EAP-FAILURE",
1662                             "CTRL-EVENT-CONNECTED",
1663                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1664     if ev is None:
1665         raise Exception("EAP result(2) timed out")
1666     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1667         raise Exception("EAP failure not reported")
1668
1669     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1670                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1671     if ev is None:
1672         raise Exception("EAP result(3) timed out")
1673     if "CTRL-EVENT-DISCONNECTED" not in ev:
1674         raise Exception("Disconnection not reported")
1675
1676     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1677     if ev is None:
1678         raise Exception("Network block disabling not reported")
1679
1680 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1681     """WPA2-Enterprise negative test - altsubject mismatch"""
1682     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1683     hostapd.add_ap(apdev[0]['ifname'], params)
1684
1685     tests = [ "incorrect.example.com",
1686               "DNS:incorrect.example.com",
1687               "DNS:w1.fi",
1688               "DNS:erver.w1.fi" ]
1689     for match in tests:
1690         _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1691
1692 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1693     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1694                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1695                    password="password", phase2="auth=MSCHAPV2",
1696                    ca_cert="auth_serv/ca.pem",
1697                    altsubject_match=match,
1698                    wait_connect=False, scan_freq="2412")
1699
1700     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1701     if ev is None:
1702         raise Exception("Association and EAP start timed out")
1703
1704     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1705                             "EAP: Failed to initialize EAP method"], timeout=10)
1706     if ev is None:
1707         raise Exception("EAP method selection timed out")
1708     if "EAP: Failed to initialize EAP method" in ev:
1709         tls = dev[0].request("GET tls_library")
1710         if tls.startswith("OpenSSL"):
1711             raise Exception("Failed to select EAP method")
1712         logger.info("altsubject_match not supported - connection failed, so test succeeded")
1713         return
1714     if "TTLS" not in ev:
1715         raise Exception("Unexpected EAP method")
1716
1717     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1718                             "CTRL-EVENT-EAP-SUCCESS",
1719                             "CTRL-EVENT-EAP-FAILURE",
1720                             "CTRL-EVENT-CONNECTED",
1721                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1722     if ev is None:
1723         raise Exception("EAP result timed out")
1724     if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1725         raise Exception("TLS certificate error not reported")
1726     if "AltSubject mismatch" not in ev:
1727         raise Exception("altsubject mismatch not reported")
1728
1729     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1730                             "CTRL-EVENT-EAP-FAILURE",
1731                             "CTRL-EVENT-CONNECTED",
1732                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1733     if ev is None:
1734         raise Exception("EAP result(2) timed out")
1735     if "CTRL-EVENT-EAP-FAILURE" not in ev:
1736         raise Exception("EAP failure not reported")
1737
1738     ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1739                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
1740     if ev is None:
1741         raise Exception("EAP result(3) timed out")
1742     if "CTRL-EVENT-DISCONNECTED" not in ev:
1743         raise Exception("Disconnection not reported")
1744
1745     ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1746     if ev is None:
1747         raise Exception("Network block disabling not reported")
1748
1749     dev[0].request("REMOVE_NETWORK all")
1750
1751 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1752     """WPA2-Enterprise connection using UNAUTH-TLS"""
1753     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1754     hostapd.add_ap(apdev[0]['ifname'], params)
1755     eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1756                 ca_cert="auth_serv/ca.pem")
1757     eap_reauth(dev[0], "UNAUTH-TLS")
1758
1759 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1760     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1761     check_cert_probe_support(dev[0])
1762     skip_with_fips(dev[0])
1763     srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1764     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1765     hostapd.add_ap(apdev[0]['ifname'], params)
1766     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1767                    identity="probe", ca_cert="probe://",
1768                    wait_connect=False, scan_freq="2412")
1769     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1770     if ev is None:
1771         raise Exception("Association and EAP start timed out")
1772     ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1773     if ev is None:
1774         raise Exception("No peer server certificate event seen")
1775     if "hash=" + srv_cert_hash not in ev:
1776         raise Exception("Expected server certificate hash not reported")
1777     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1778     if ev is None:
1779         raise Exception("EAP result timed out")
1780     if "Server certificate chain probe" not in ev:
1781         raise Exception("Server certificate probe not reported")
1782     dev[0].wait_disconnected(timeout=10)
1783     dev[0].request("REMOVE_NETWORK all")
1784
1785     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1786                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1787                    password="password", phase2="auth=MSCHAPV2",
1788                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1789                    wait_connect=False, scan_freq="2412")
1790     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1791     if ev is None:
1792         raise Exception("Association and EAP start timed out")
1793     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1794     if ev is None:
1795         raise Exception("EAP result timed out")
1796     if "Server certificate mismatch" not in ev:
1797         raise Exception("Server certificate mismatch not reported")
1798     dev[0].wait_disconnected(timeout=10)
1799     dev[0].request("REMOVE_NETWORK all")
1800
1801     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1802                 anonymous_identity="ttls", password="password",
1803                 ca_cert="hash://server/sha256/" + srv_cert_hash,
1804                 phase2="auth=MSCHAPV2")
1805
1806 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1807     """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1808     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1809     hostapd.add_ap(apdev[0]['ifname'], params)
1810     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1811                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1812                    password="password", phase2="auth=MSCHAPV2",
1813                    ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1814                    wait_connect=False, scan_freq="2412")
1815     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1816                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1817                    password="password", phase2="auth=MSCHAPV2",
1818                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1819                    wait_connect=False, scan_freq="2412")
1820     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1821                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1822                    password="password", phase2="auth=MSCHAPV2",
1823                    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1824                    wait_connect=False, scan_freq="2412")
1825     for i in range(0, 3):
1826         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1827         if ev is None:
1828             raise Exception("Association and EAP start timed out")
1829         ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1830         if ev is None:
1831             raise Exception("Did not report EAP method initialization failure")
1832
1833 def test_ap_wpa2_eap_pwd(dev, apdev):
1834     """WPA2-Enterprise connection using EAP-pwd"""
1835     check_eap_capa(dev[0], "PWD")
1836     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1837     hostapd.add_ap(apdev[0]['ifname'], params)
1838     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1839     eap_reauth(dev[0], "PWD")
1840     dev[0].request("REMOVE_NETWORK all")
1841
1842     eap_connect(dev[1], apdev[0], "PWD",
1843                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1844                 password="secret password",
1845                 fragment_size="90")
1846
1847     logger.info("Negative test with incorrect password")
1848     eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1849                 expect_failure=True, local_error_report=True)
1850
1851     eap_connect(dev[0], apdev[0], "PWD",
1852                 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1853                 password="secret password",
1854                 fragment_size="31")
1855
1856 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
1857     """WPA2-Enterprise connection using EAP-pwd and NTHash"""
1858     check_eap_capa(dev[0], "PWD")
1859     skip_with_fips(dev[0])
1860     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1861     hostapd.add_ap(apdev[0]['ifname'], params)
1862     eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
1863     eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
1864                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
1865     eap_connect(dev[2], apdev[0], "PWD", "pwd user",
1866                 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
1867                 expect_failure=True, local_error_report=True)
1868
1869 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1870     """WPA2-Enterprise connection using various EAP-pwd groups"""
1871     check_eap_capa(dev[0], "PWD")
1872     tls = dev[0].request("GET tls_library")
1873     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1874                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1875                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1876     for i in [ 19, 20, 21, 25, 26 ]:
1877         params['pwd_group'] = str(i)
1878         hostapd.add_ap(apdev[0]['ifname'], params)
1879         dev[0].request("REMOVE_NETWORK all")
1880         try:
1881             eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1882                         password="secret password")
1883         except:
1884             if "BoringSSL" in tls and i in [ 25 ]:
1885                 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
1886                 dev[0].request("DISCONNECT")
1887                 time.sleep(0.1)
1888                 continue
1889             raise
1890
1891 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1892     """WPA2-Enterprise connection using invalid EAP-pwd group"""
1893     check_eap_capa(dev[0], "PWD")
1894     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1895                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1896                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1897     params['pwd_group'] = "0"
1898     hostapd.add_ap(apdev[0]['ifname'], params)
1899     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1900                    identity="pwd user", password="secret password",
1901                    scan_freq="2412", wait_connect=False)
1902     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1903     if ev is None:
1904         raise Exception("Timeout on EAP failure report")
1905
1906 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1907     """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1908     check_eap_capa(dev[0], "PWD")
1909     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1910     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1911                "rsn_pairwise": "CCMP", "ieee8021x": "1",
1912                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1913                "pwd_group": "19", "fragment_size": "40" }
1914     hostapd.add_ap(apdev[0]['ifname'], params)
1915     eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1916
1917 def test_ap_wpa2_eap_gpsk(dev, apdev):
1918     """WPA2-Enterprise connection using EAP-GPSK"""
1919     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1920     hostapd.add_ap(apdev[0]['ifname'], params)
1921     id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1922                      password="abcdefghijklmnop0123456789abcdef")
1923     eap_reauth(dev[0], "GPSK")
1924
1925     logger.info("Test forced algorithm selection")
1926     for phase1 in [ "cipher=1", "cipher=2" ]:
1927         dev[0].set_network_quoted(id, "phase1", phase1)
1928         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1929         if ev is None:
1930             raise Exception("EAP success timed out")
1931         dev[0].wait_connected(timeout=10)
1932
1933     logger.info("Test failed algorithm negotiation")
1934     dev[0].set_network_quoted(id, "phase1", "cipher=9")
1935     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1936     if ev is None:
1937         raise Exception("EAP failure timed out")
1938
1939     logger.info("Negative test with incorrect password")
1940     dev[0].request("REMOVE_NETWORK all")
1941     eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1942                 password="ffcdefghijklmnop0123456789abcdef",
1943                 expect_failure=True)
1944
1945 def test_ap_wpa2_eap_sake(dev, apdev):
1946     """WPA2-Enterprise connection using EAP-SAKE"""
1947     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1948     hostapd.add_ap(apdev[0]['ifname'], params)
1949     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1950                 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
1951     eap_reauth(dev[0], "SAKE")
1952
1953     logger.info("Negative test with incorrect password")
1954     dev[0].request("REMOVE_NETWORK all")
1955     eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1956                 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1957                 expect_failure=True)
1958
1959 def test_ap_wpa2_eap_eke(dev, apdev):
1960     """WPA2-Enterprise connection using EAP-EKE"""
1961     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1962     hostapd.add_ap(apdev[0]['ifname'], params)
1963     id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1964     eap_reauth(dev[0], "EKE")
1965
1966     logger.info("Test forced algorithm selection")
1967     for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1968                     "dhgroup=4 encr=1 prf=2 mac=2",
1969                     "dhgroup=3 encr=1 prf=2 mac=2",
1970                     "dhgroup=3 encr=1 prf=1 mac=1" ]:
1971         dev[0].set_network_quoted(id, "phase1", phase1)
1972         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1973         if ev is None:
1974             raise Exception("EAP success timed out")
1975         dev[0].wait_connected(timeout=10)
1976
1977     logger.info("Test failed algorithm negotiation")
1978     dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1979     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1980     if ev is None:
1981         raise Exception("EAP failure timed out")
1982
1983     logger.info("Negative test with incorrect password")
1984     dev[0].request("REMOVE_NETWORK all")
1985     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1986                 expect_failure=True)
1987
1988 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
1989     """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
1990     params = int_eap_server_params()
1991     params['server_id'] = 'example.server@w1.fi'
1992     hostapd.add_ap(apdev[0]['ifname'], params)
1993     eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1994
1995 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1996     """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1997     params = int_eap_server_params()
1998     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1999     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2000
2001     for count,func in [ (1, "eap_eke_build_commit"),
2002                         (2, "eap_eke_build_commit"),
2003                         (3, "eap_eke_build_commit"),
2004                         (1, "eap_eke_build_confirm"),
2005                         (2, "eap_eke_build_confirm"),
2006                         (1, "eap_eke_process_commit"),
2007                         (2, "eap_eke_process_commit"),
2008                         (1, "eap_eke_process_confirm"),
2009                         (1, "eap_eke_process_identity"),
2010                         (2, "eap_eke_process_identity"),
2011                         (3, "eap_eke_process_identity"),
2012                         (4, "eap_eke_process_identity") ]:
2013         with alloc_fail(hapd, count, func):
2014             eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2015                         expect_failure=True)
2016             dev[0].request("REMOVE_NETWORK all")
2017
2018     for count,func,pw in [ (1, "eap_eke_init", "hello"),
2019                            (1, "eap_eke_get_session_id", "hello"),
2020                            (1, "eap_eke_getKey", "hello"),
2021                            (1, "eap_eke_build_msg", "hello"),
2022                            (1, "eap_eke_build_failure", "wrong"),
2023                            (1, "eap_eke_build_identity", "hello"),
2024                            (2, "eap_eke_build_identity", "hello") ]:
2025         with alloc_fail(hapd, count, func):
2026             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2027                            eap="EKE", identity="eke user", password=pw,
2028                            wait_connect=False, scan_freq="2412")
2029             # This would eventually time out, but we can stop after having
2030             # reached the allocation failure.
2031             for i in range(20):
2032                 time.sleep(0.1)
2033                 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2034                     break
2035             dev[0].request("REMOVE_NETWORK all")
2036
2037     for count in range(1, 1000):
2038         try:
2039             with alloc_fail(hapd, count, "eap_server_sm_step"):
2040                 dev[0].connect("test-wpa2-eap",
2041                                key_mgmt="WPA-EAP WPA-EAP-SHA256",
2042                                eap="EKE", identity="eke user", password=pw,
2043                                wait_connect=False, scan_freq="2412")
2044                 # This would eventually time out, but we can stop after having
2045                 # reached the allocation failure.
2046                 for i in range(10):
2047                     time.sleep(0.1)
2048                     if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2049                         break
2050                 dev[0].request("REMOVE_NETWORK all")
2051         except Exception, e:
2052             if str(e) == "Allocation failure did not trigger":
2053                 if count < 30:
2054                     raise Exception("Too few allocation failures")
2055                 logger.info("%d allocation failures tested" % (count - 1))
2056                 break
2057             raise e
2058
2059 def test_ap_wpa2_eap_ikev2(dev, apdev):
2060     """WPA2-Enterprise connection using EAP-IKEv2"""
2061     check_eap_capa(dev[0], "IKEV2")
2062     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2063     hostapd.add_ap(apdev[0]['ifname'], params)
2064     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2065                 password="ike password")
2066     eap_reauth(dev[0], "IKEV2")
2067     dev[0].request("REMOVE_NETWORK all")
2068     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2069                 password="ike password", fragment_size="50")
2070
2071     logger.info("Negative test with incorrect password")
2072     dev[0].request("REMOVE_NETWORK all")
2073     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2074                 password="ike-password", expect_failure=True)
2075
2076 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2077     """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2078     check_eap_capa(dev[0], "IKEV2")
2079     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2080     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2081                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2082                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2083                "fragment_size": "50" }
2084     hostapd.add_ap(apdev[0]['ifname'], params)
2085     eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2086                 password="ike password")
2087     eap_reauth(dev[0], "IKEV2")
2088
2089 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2090     """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2091     check_eap_capa(dev[0], "IKEV2")
2092     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2093     hostapd.add_ap(apdev[0]['ifname'], params)
2094
2095     tests = [ (1, "dh_init"),
2096               (2, "dh_init"),
2097               (1, "dh_derive_shared") ]
2098     for count, func in tests:
2099         with alloc_fail(dev[0], count, func):
2100             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2101                            identity="ikev2 user", password="ike password",
2102                            wait_connect=False, scan_freq="2412")
2103             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2104             if ev is None:
2105                 raise Exception("EAP method not selected")
2106             for i in range(10):
2107                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2108                     break
2109                 time.sleep(0.02)
2110             dev[0].request("REMOVE_NETWORK all")
2111
2112     tests = [ (1, "os_get_random;dh_init") ]
2113     for count, func in tests:
2114         with fail_test(dev[0], count, func):
2115             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2116                            identity="ikev2 user", password="ike password",
2117                            wait_connect=False, scan_freq="2412")
2118             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2119             if ev is None:
2120                 raise Exception("EAP method not selected")
2121             for i in range(10):
2122                 if "0:" in dev[0].request("GET_FAIL"):
2123                     break
2124                 time.sleep(0.02)
2125             dev[0].request("REMOVE_NETWORK all")
2126
2127 def test_ap_wpa2_eap_pax(dev, apdev):
2128     """WPA2-Enterprise connection using EAP-PAX"""
2129     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2130     hostapd.add_ap(apdev[0]['ifname'], params)
2131     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2132                 password_hex="0123456789abcdef0123456789abcdef")
2133     eap_reauth(dev[0], "PAX")
2134
2135     logger.info("Negative test with incorrect password")
2136     dev[0].request("REMOVE_NETWORK all")
2137     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2138                 password_hex="ff23456789abcdef0123456789abcdef",
2139                 expect_failure=True)
2140
2141 def test_ap_wpa2_eap_psk(dev, apdev):
2142     """WPA2-Enterprise connection using EAP-PSK"""
2143     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2144     params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2145     params["ieee80211w"] = "2"
2146     hostapd.add_ap(apdev[0]['ifname'], params)
2147     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2148                 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2149     eap_reauth(dev[0], "PSK", sha256=True)
2150     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2151                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2152
2153     bss = dev[0].get_bss(apdev[0]['bssid'])
2154     if 'flags' not in bss:
2155         raise Exception("Could not get BSS flags from BSS table")
2156     if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2157         raise Exception("Unexpected BSS flags: " + bss['flags'])
2158
2159     logger.info("Negative test with incorrect password")
2160     dev[0].request("REMOVE_NETWORK all")
2161     eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2162                 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2163                 expect_failure=True)
2164
2165 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2166     """WPA2-Enterprise connection using EAP-PSK and OOM"""
2167     skip_with_fips(dev[0])
2168     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2169     hostapd.add_ap(apdev[0]['ifname'], params)
2170     tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2171               (1, "omac1_aes_128;aes_128_eax_encrypt"),
2172               (2, "omac1_aes_128;aes_128_eax_encrypt"),
2173               (3, "omac1_aes_128;aes_128_eax_encrypt"),
2174               (1, "=aes_128_eax_encrypt"),
2175               (1, "omac1_aes_vector"),
2176               (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2177               (1, "omac1_aes_128;aes_128_eax_decrypt"),
2178               (2, "omac1_aes_128;aes_128_eax_decrypt"),
2179               (3, "omac1_aes_128;aes_128_eax_decrypt"),
2180               (1, "=aes_128_eax_decrypt") ]
2181     for count, func in tests:
2182         with alloc_fail(dev[0], count, func):
2183             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2184                            identity="psk.user@example.com",
2185                            password_hex="0123456789abcdef0123456789abcdef",
2186                            wait_connect=False, scan_freq="2412")
2187             ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2188             if ev is None:
2189                 raise Exception("EAP method not selected")
2190             for i in range(10):
2191                 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2192                     break
2193                 time.sleep(0.02)
2194             dev[0].request("REMOVE_NETWORK all")
2195
2196     with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2197             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2198                            identity="psk.user@example.com",
2199                            password_hex="0123456789abcdef0123456789abcdef",
2200                            wait_connect=False, scan_freq="2412")
2201             ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2202             if ev is None:
2203                 raise Exception("EAP method failure not reported")
2204             dev[0].request("REMOVE_NETWORK all")
2205
2206 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2207     """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2208     check_eap_capa(dev[0], "MSCHAPV2")
2209     params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2210     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2211     dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2212                    identity="user", password="password", phase2="auth=MSCHAPV2",
2213                    ca_cert="auth_serv/ca.pem", wait_connect=False,
2214                    scan_freq="2412")
2215     eap_check_auth(dev[0], "PEAP", True, rsn=False)
2216     hwsim_utils.test_connectivity(dev[0], hapd)
2217     eap_reauth(dev[0], "PEAP", rsn=False)
2218     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2219                         ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2220     status = dev[0].get_status(extra="VERBOSE")
2221     if 'portControl' not in status:
2222         raise Exception("portControl missing from STATUS-VERBOSE")
2223     if status['portControl'] != 'Auto':
2224         raise Exception("Unexpected portControl value: " + status['portControl'])
2225     if 'eap_session_id' not in status:
2226         raise Exception("eap_session_id missing from STATUS-VERBOSE")
2227     if not status['eap_session_id'].startswith("19"):
2228         raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2229
2230 def test_ap_wpa2_eap_interactive(dev, apdev):
2231     """WPA2-Enterprise connection using interactive identity/password entry"""
2232     check_eap_capa(dev[0], "MSCHAPV2")
2233     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2234     hostapd.add_ap(apdev[0]['ifname'], params)
2235     hapd = hostapd.Hostapd(apdev[0]['ifname'])
2236
2237     tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2238                "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2239                None, "password"),
2240               ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2241                "TTLS", "ttls", None, "auth=MSCHAPV2",
2242                "DOMAIN\mschapv2 user", "password"),
2243               ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2244                "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2245               ("Connection with dynamic TTLS/EAP-MD5 password entry",
2246                "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2247               ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2248                "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2249               ("Connection with dynamic PEAP/EAP-GTC password entry",
2250                "PEAP", None, "user", "auth=GTC", None, "password") ]
2251     for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2252         logger.info(desc)
2253         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2254                        anonymous_identity=anon, identity=identity,
2255                        ca_cert="auth_serv/ca.pem", phase2=phase2,
2256                        wait_connect=False, scan_freq="2412")
2257         if req_id:
2258             ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2259             if ev is None:
2260                 raise Exception("Request for identity timed out")
2261             id = ev.split(':')[0].split('-')[-1]
2262             dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2263         ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2264         if ev is None:
2265             raise Exception("Request for password timed out")
2266         id = ev.split(':')[0].split('-')[-1]
2267         type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2268         dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2269         dev[0].wait_connected(timeout=10)
2270         dev[0].request("REMOVE_NETWORK all")
2271
2272 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2273     """WPA2-Enterprise connection using EAP vendor test"""
2274     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2275     hostapd.add_ap(apdev[0]['ifname'], params)
2276     eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2277     eap_reauth(dev[0], "VENDOR-TEST")
2278     eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2279                 password="pending")
2280
2281 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2282     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
2283     check_eap_capa(dev[0], "FAST")
2284     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2285     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2286     eap_connect(dev[0], apdev[0], "FAST", "user",
2287                 anonymous_identity="FAST", password="password",
2288                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2289                 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2290     hwsim_utils.test_connectivity(dev[0], hapd)
2291     res = eap_reauth(dev[0], "FAST")
2292     if res['tls_session_reused'] != '1':
2293         raise Exception("EAP-FAST could not use PAC session ticket")
2294
2295 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2296     """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2297     check_eap_capa(dev[0], "FAST")
2298     pac_file = os.path.join(params['logdir'], "fast.pac")
2299     pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2300     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2301     hostapd.add_ap(apdev[0]['ifname'], params)
2302
2303     try:
2304         eap_connect(dev[0], apdev[0], "FAST", "user",
2305                     anonymous_identity="FAST", password="password",
2306                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2307                     phase1="fast_provisioning=1", pac_file=pac_file)
2308         with open(pac_file, "r") as f:
2309             data = f.read()
2310             if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2311                 raise Exception("PAC file header missing")
2312             if "PAC-Key=" not in data:
2313                 raise Exception("PAC-Key missing from PAC file")
2314         dev[0].request("REMOVE_NETWORK all")
2315         eap_connect(dev[0], apdev[0], "FAST", "user",
2316                     anonymous_identity="FAST", password="password",
2317                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2318                     pac_file=pac_file)
2319
2320         eap_connect(dev[1], apdev[0], "FAST", "user",
2321                     anonymous_identity="FAST", password="password",
2322                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2323                     phase1="fast_provisioning=1 fast_pac_format=binary",
2324                     pac_file=pac_file2)
2325         dev[1].request("REMOVE_NETWORK all")
2326         eap_connect(dev[1], apdev[0], "FAST", "user",
2327                     anonymous_identity="FAST", password="password",
2328                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2329                     phase1="fast_pac_format=binary",
2330                     pac_file=pac_file2)
2331     finally:
2332         try:
2333             os.remove(pac_file)
2334         except:
2335             pass
2336         try:
2337             os.remove(pac_file2)
2338         except:
2339             pass
2340
2341 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
2342     """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2343     check_eap_capa(dev[0], "FAST")
2344     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2345     hostapd.add_ap(apdev[0]['ifname'], params)
2346     eap_connect(dev[0], apdev[0], "FAST", "user",
2347                 anonymous_identity="FAST", password="password",
2348                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2349                 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2350                 pac_file="blob://fast_pac_bin")
2351     res = eap_reauth(dev[0], "FAST")
2352     if res['tls_session_reused'] != '1':
2353         raise Exception("EAP-FAST could not use PAC session ticket")
2354
2355 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2356     """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2357     check_eap_capa(dev[0], "FAST")
2358     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2359     hostapd.add_ap(apdev[0]['ifname'], params)
2360
2361     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2362                    identity="user", anonymous_identity="FAST",
2363                    password="password",
2364                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2365                    pac_file="blob://fast_pac_not_in_use",
2366                    wait_connect=False, scan_freq="2412")
2367     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2368     if ev is None:
2369         raise Exception("Timeout on EAP failure report")
2370     dev[0].request("REMOVE_NETWORK all")
2371
2372     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2373                    identity="user", anonymous_identity="FAST",
2374                    password="password",
2375                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2376                    wait_connect=False, scan_freq="2412")
2377     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2378     if ev is None:
2379         raise Exception("Timeout on EAP failure report")
2380
2381 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
2382     """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
2383     check_eap_capa(dev[0], "FAST")
2384     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2385     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2386     eap_connect(dev[0], apdev[0], "FAST", "user",
2387                 anonymous_identity="FAST", password="password",
2388                 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2389                 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
2390     hwsim_utils.test_connectivity(dev[0], hapd)
2391     res = eap_reauth(dev[0], "FAST")
2392     if res['tls_session_reused'] != '1':
2393         raise Exception("EAP-FAST could not use PAC session ticket")
2394
2395 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2396     """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2397     check_eap_capa(dev[0], "FAST")
2398     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2399     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2400     id = eap_connect(dev[0], apdev[0], "FAST", "user",
2401                      anonymous_identity="FAST", password="password",
2402                      ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2403                      phase1="fast_provisioning=2",
2404                      pac_file="blob://fast_pac_auth")
2405     dev[0].set_network_quoted(id, "identity", "user2")
2406     dev[0].wait_disconnected()
2407     ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2408     if ev is None:
2409         raise Exception("EAP-FAST not started")
2410     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2411     if ev is None:
2412         raise Exception("EAP failure not reported")
2413     dev[0].wait_disconnected()
2414
2415 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2416     """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2417     check_eap_capa(dev[0], "FAST")
2418     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2419     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2420     with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2421         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2422                        identity="user", anonymous_identity="FAST",
2423                        password="password", ca_cert="auth_serv/ca.pem",
2424                        phase2="auth=GTC",
2425                        phase1="fast_provisioning=2",
2426                        pac_file="blob://fast_pac_auth",
2427                        wait_connect=False, scan_freq="2412")
2428         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2429         if ev is None:
2430             raise Exception("EAP failure not reported")
2431     dev[0].request("DISCONNECT")
2432
2433 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2434     """EAP-FAST/MSCHAPv2 and server OOM"""
2435     check_eap_capa(dev[0], "FAST")
2436
2437     params = int_eap_server_params()
2438     params['dh_file'] = 'auth_serv/dh.conf'
2439     params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2440     params['eap_fast_a_id'] = '1011'
2441     params['eap_fast_a_id_info'] = 'another test server'
2442     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2443
2444     with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2445         id = eap_connect(dev[0], apdev[0], "FAST", "user",
2446                          anonymous_identity="FAST", password="password",
2447                          ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2448                          phase1="fast_provisioning=1",
2449                          pac_file="blob://fast_pac",
2450                          expect_failure=True)
2451         ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2452         if ev is None:
2453             raise Exception("No EAP failure reported")
2454         dev[0].wait_disconnected()
2455         dev[0].request("DISCONNECT")
2456
2457     dev[0].select_network(id, freq="2412")
2458
2459 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
2460     """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
2461     check_ocsp_support(dev[0])
2462     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2463     hostapd.add_ap(apdev[0]['ifname'], params)
2464     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2465                 private_key="auth_serv/user.pkcs12",
2466                 private_key_passwd="whatever", ocsp=2)
2467
2468 def int_eap_server_params():
2469     params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2470                "rsn_pairwise": "CCMP", "ieee8021x": "1",
2471                "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2472                "ca_cert": "auth_serv/ca.pem",
2473                "server_cert": "auth_serv/server.pem",
2474                "private_key": "auth_serv/server.key" }
2475     return params
2476
2477 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2478     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2479     check_ocsp_support(dev[0])
2480     params = int_eap_server_params()
2481     params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2482     hostapd.add_ap(apdev[0]['ifname'], params)
2483     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2484                    identity="tls user", ca_cert="auth_serv/ca.pem",
2485                    private_key="auth_serv/user.pkcs12",
2486                    private_key_passwd="whatever", ocsp=2,
2487                    wait_connect=False, scan_freq="2412")
2488     count = 0
2489     while True:
2490         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2491         if ev is None:
2492             raise Exception("Timeout on EAP status")
2493         if 'bad certificate status response' in ev:
2494             break
2495         count = count + 1
2496         if count > 10:
2497             raise Exception("Unexpected number of EAP status messages")
2498
2499     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2500     if ev is None:
2501         raise Exception("Timeout on EAP failure report")
2502
2503 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2504     """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2505     check_ocsp_support(dev[0])
2506     params = int_eap_server_params()
2507     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2508     hostapd.add_ap(apdev[0]['ifname'], params)
2509     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2510                    identity="tls user", ca_cert="auth_serv/ca.pem",
2511                    private_key="auth_serv/user.pkcs12",
2512                    private_key_passwd="whatever", ocsp=2,
2513                    wait_connect=False, scan_freq="2412")
2514     count = 0
2515     while True:
2516         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2517         if ev is None:
2518             raise Exception("Timeout on EAP status")
2519         if 'bad certificate status response' in ev:
2520             break
2521         count = count + 1
2522         if count > 10:
2523             raise Exception("Unexpected number of EAP status messages")
2524
2525     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2526     if ev is None:
2527         raise Exception("Timeout on EAP failure report")
2528
2529 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2530     """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2531     check_ocsp_support(dev[0])
2532     params = int_eap_server_params()
2533     params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2534     hostapd.add_ap(apdev[0]['ifname'], params)
2535     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2536                    identity="tls user", ca_cert="auth_serv/ca.pem",
2537                    private_key="auth_serv/user.pkcs12",
2538                    private_key_passwd="whatever", ocsp=2,
2539                    wait_connect=False, scan_freq="2412")
2540     count = 0
2541     while True:
2542         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2543         if ev is None:
2544             raise Exception("Timeout on EAP status")
2545         if 'bad certificate status response' in ev:
2546             break
2547         count = count + 1
2548         if count > 10:
2549             raise Exception("Unexpected number of EAP status messages")
2550
2551     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2552     if ev is None:
2553         raise Exception("Timeout on EAP failure report")
2554
2555 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2556     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2557     check_ocsp_support(dev[0])
2558     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2559     if not os.path.exists(ocsp):
2560         raise HwsimSkip("No OCSP response available")
2561     params = int_eap_server_params()
2562     params["ocsp_stapling_response"] = ocsp
2563     hostapd.add_ap(apdev[0]['ifname'], params)
2564     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2565                    identity="pap user", ca_cert="auth_serv/ca.pem",
2566                    anonymous_identity="ttls", password="password",
2567                    phase2="auth=PAP", ocsp=2,
2568                    wait_connect=False, scan_freq="2412")
2569     count = 0
2570     while True:
2571         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2572         if ev is None:
2573             raise Exception("Timeout on EAP status")
2574         if 'bad certificate status response' in ev:
2575             break
2576         if 'certificate revoked' in ev:
2577             break
2578         count = count + 1
2579         if count > 10:
2580             raise Exception("Unexpected number of EAP status messages")
2581
2582     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2583     if ev is None:
2584         raise Exception("Timeout on EAP failure report")
2585
2586 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2587     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2588     check_ocsp_support(dev[0])
2589     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2590     if not os.path.exists(ocsp):
2591         raise HwsimSkip("No OCSP response available")
2592     params = int_eap_server_params()
2593     params["ocsp_stapling_response"] = ocsp
2594     hostapd.add_ap(apdev[0]['ifname'], params)
2595     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2596                    identity="pap user", ca_cert="auth_serv/ca.pem",
2597                    anonymous_identity="ttls", password="password",
2598                    phase2="auth=PAP", ocsp=2,
2599                    wait_connect=False, scan_freq="2412")
2600     count = 0
2601     while True:
2602         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2603         if ev is None:
2604             raise Exception("Timeout on EAP status")
2605         if 'bad certificate status response' in ev:
2606             break
2607         count = count + 1
2608         if count > 10:
2609             raise Exception("Unexpected number of EAP status messages")
2610
2611     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2612     if ev is None:
2613         raise Exception("Timeout on EAP failure report")
2614
2615 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2616     """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2617     ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2618     if not os.path.exists(ocsp):
2619         raise HwsimSkip("No OCSP response available")
2620     params = int_eap_server_params()
2621     params["ocsp_stapling_response"] = ocsp
2622     hostapd.add_ap(apdev[0]['ifname'], params)
2623     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2624                    identity="pap user", ca_cert="auth_serv/ca.pem",
2625                    anonymous_identity="ttls", password="password",
2626                    phase2="auth=PAP", ocsp=1, scan_freq="2412")
2627
2628 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2629     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2630     params = int_eap_server_params()
2631     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2632     params["private_key"] = "auth_serv/server-no-dnsname.key"
2633     hostapd.add_ap(apdev[0]['ifname'], params)
2634     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2635                    identity="tls user", ca_cert="auth_serv/ca.pem",
2636                    private_key="auth_serv/user.pkcs12",
2637                    private_key_passwd="whatever",
2638                    domain_suffix_match="server3.w1.fi",
2639                    scan_freq="2412")
2640
2641 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2642     """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2643     params = int_eap_server_params()
2644     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2645     params["private_key"] = "auth_serv/server-no-dnsname.key"
2646     hostapd.add_ap(apdev[0]['ifname'], params)
2647     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2648                    identity="tls user", ca_cert="auth_serv/ca.pem",
2649                    private_key="auth_serv/user.pkcs12",
2650                    private_key_passwd="whatever",
2651                    domain_match="server3.w1.fi",
2652                    scan_freq="2412")
2653
2654 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2655     """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2656     check_domain_match_full(dev[0])
2657     params = int_eap_server_params()
2658     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2659     params["private_key"] = "auth_serv/server-no-dnsname.key"
2660     hostapd.add_ap(apdev[0]['ifname'], params)
2661     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2662                    identity="tls user", ca_cert="auth_serv/ca.pem",
2663                    private_key="auth_serv/user.pkcs12",
2664                    private_key_passwd="whatever",
2665                    domain_suffix_match="w1.fi",
2666                    scan_freq="2412")
2667
2668 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2669     """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2670     params = int_eap_server_params()
2671     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2672     params["private_key"] = "auth_serv/server-no-dnsname.key"
2673     hostapd.add_ap(apdev[0]['ifname'], params)
2674     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2675                    identity="tls user", ca_cert="auth_serv/ca.pem",
2676                    private_key="auth_serv/user.pkcs12",
2677                    private_key_passwd="whatever",
2678                    domain_suffix_match="example.com",
2679                    wait_connect=False,
2680                    scan_freq="2412")
2681     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2682                    identity="tls user", ca_cert="auth_serv/ca.pem",
2683                    private_key="auth_serv/user.pkcs12",
2684                    private_key_passwd="whatever",
2685                    domain_suffix_match="erver3.w1.fi",
2686                    wait_connect=False,
2687                    scan_freq="2412")
2688     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2689     if ev is None:
2690         raise Exception("Timeout on EAP failure report")
2691     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2692     if ev is None:
2693         raise Exception("Timeout on EAP failure report (2)")
2694
2695 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2696     """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2697     params = int_eap_server_params()
2698     params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2699     params["private_key"] = "auth_serv/server-no-dnsname.key"
2700     hostapd.add_ap(apdev[0]['ifname'], params)
2701     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2702                    identity="tls user", ca_cert="auth_serv/ca.pem",
2703                    private_key="auth_serv/user.pkcs12",
2704                    private_key_passwd="whatever",
2705                    domain_match="example.com",
2706                    wait_connect=False,
2707                    scan_freq="2412")
2708     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2709                    identity="tls user", ca_cert="auth_serv/ca.pem",
2710                    private_key="auth_serv/user.pkcs12",
2711                    private_key_passwd="whatever",
2712                    domain_match="w1.fi",
2713                    wait_connect=False,
2714                    scan_freq="2412")
2715     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2716     if ev is None:
2717         raise Exception("Timeout on EAP failure report")
2718     ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2719     if ev is None:
2720         raise Exception("Timeout on EAP failure report (2)")
2721
2722 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2723     """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2724     skip_with_fips(dev[0])
2725     params = int_eap_server_params()
2726     params["server_cert"] = "auth_serv/server-expired.pem"
2727     params["private_key"] = "auth_serv/server-expired.key"
2728     hostapd.add_ap(apdev[0]['ifname'], params)
2729     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2730                    identity="mschap user", password="password",
2731                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2732                    wait_connect=False,
2733                    scan_freq="2412")
2734     ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2735     if ev is None:
2736         raise Exception("Timeout on EAP certificate error report")
2737     if "reason=4" not in ev or "certificate has expired" not in ev:
2738         raise Exception("Unexpected failure reason: " + ev)
2739     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2740     if ev is None:
2741         raise Exception("Timeout on EAP failure report")
2742
2743 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2744     """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2745     skip_with_fips(dev[0])
2746     params = int_eap_server_params()
2747     params["server_cert"] = "auth_serv/server-expired.pem"
2748     params["private_key"] = "auth_serv/server-expired.key"
2749     hostapd.add_ap(apdev[0]['ifname'], params)
2750     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2751                    identity="mschap user", password="password",
2752                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2753                    phase1="tls_disable_time_checks=1",
2754                    scan_freq="2412")
2755
2756 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2757     """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2758     skip_with_fips(dev[0])
2759     params = int_eap_server_params()
2760     params["server_cert"] = "auth_serv/server-long-duration.pem"
2761     params["private_key"] = "auth_serv/server-long-duration.key"
2762     hostapd.add_ap(apdev[0]['ifname'], params)
2763     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2764                    identity="mschap user", password="password",
2765                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2766                    scan_freq="2412")
2767
2768 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2769     """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2770     skip_with_fips(dev[0])
2771     params = int_eap_server_params()
2772     params["server_cert"] = "auth_serv/server-eku-client.pem"
2773     params["private_key"] = "auth_serv/server-eku-client.key"
2774     hostapd.add_ap(apdev[0]['ifname'], params)
2775     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2776                    identity="mschap user", password="password",
2777                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2778                    wait_connect=False,
2779                    scan_freq="2412")
2780     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2781     if ev is None:
2782         raise Exception("Timeout on EAP failure report")
2783
2784 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2785     """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2786     skip_with_fips(dev[0])
2787     params = int_eap_server_params()
2788     params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2789     params["private_key"] = "auth_serv/server-eku-client-server.key"
2790     hostapd.add_ap(apdev[0]['ifname'], params)
2791     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2792                    identity="mschap user", password="password",
2793                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2794                    scan_freq="2412")
2795
2796 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2797     """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2798     skip_with_fips(dev[0])
2799     params = int_eap_server_params()
2800     del params["server_cert"]
2801     params["private_key"] = "auth_serv/server.pkcs12"
2802     hostapd.add_ap(apdev[0]['ifname'], params)
2803     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2804                    identity="mschap user", password="password",
2805                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2806                    scan_freq="2412")
2807
2808 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
2809     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
2810     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2811     hostapd.add_ap(apdev[0]['ifname'], params)
2812     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2813                 anonymous_identity="ttls", password="password",
2814                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2815                 dh_file="auth_serv/dh.conf")
2816
2817 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
2818     """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
2819     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2820     hostapd.add_ap(apdev[0]['ifname'], params)
2821     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2822                 anonymous_identity="ttls", password="password",
2823                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2824                 dh_file="auth_serv/dsaparam.pem")
2825
2826 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2827     """EAP-TTLS and DH params file not found"""
2828     skip_with_fips(dev[0])
2829     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2830     hostapd.add_ap(apdev[0]['ifname'], params)
2831     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2832                    identity="mschap user", password="password",
2833                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2834                    dh_file="auth_serv/dh-no-such-file.conf",
2835                    scan_freq="2412", wait_connect=False)
2836     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2837     if ev is None:
2838         raise Exception("EAP failure timed out")
2839     dev[0].request("REMOVE_NETWORK all")
2840     dev[0].wait_disconnected()
2841
2842 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2843     """EAP-TTLS and invalid DH params file"""
2844     skip_with_fips(dev[0])
2845     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2846     hostapd.add_ap(apdev[0]['ifname'], params)
2847     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2848                    identity="mschap user", password="password",
2849                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2850                    dh_file="auth_serv/ca.pem",
2851                    scan_freq="2412", wait_connect=False)
2852     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2853     if ev is None:
2854         raise Exception("EAP failure timed out")
2855     dev[0].request("REMOVE_NETWORK all")
2856     dev[0].wait_disconnected()
2857
2858 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
2859     """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
2860     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2861     hostapd.add_ap(apdev[0]['ifname'], params)
2862     dh = read_pem("auth_serv/dh2.conf")
2863     if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
2864         raise Exception("Could not set dhparams blob")
2865     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2866                 anonymous_identity="ttls", password="password",
2867                 ca_cert="auth_serv/ca.der", phase2="auth=PAP",
2868                 dh_file="blob://dhparams")
2869
2870 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
2871     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
2872     params = int_eap_server_params()
2873     params["dh_file"] = "auth_serv/dh2.conf"
2874     hostapd.add_ap(apdev[0]['ifname'], params)
2875     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2876                 anonymous_identity="ttls", password="password",
2877                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
2878
2879 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
2880     """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
2881     params = int_eap_server_params()
2882     params["dh_file"] = "auth_serv/dsaparam.pem"
2883     hostapd.add_ap(apdev[0]['ifname'], params)
2884     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
2885                 anonymous_identity="ttls", password="password",
2886                 ca_cert="auth_serv/ca.der", phase2="auth=PAP")
2887
2888 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2889     """EAP-TLS server and dhparams file not found"""
2890     params = int_eap_server_params()
2891     params["dh_file"] = "auth_serv/dh-no-such-file.conf"
2892     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2893     if "FAIL" not in hapd.request("ENABLE"):
2894         raise Exception("Invalid configuration accepted")
2895
2896 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2897     """EAP-TLS server and invalid dhparams file"""
2898     params = int_eap_server_params()
2899     params["dh_file"] = "auth_serv/ca.pem"
2900     hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2901     if "FAIL" not in hapd.request("ENABLE"):
2902         raise Exception("Invalid configuration accepted")
2903
2904 def test_ap_wpa2_eap_reauth(dev, apdev):
2905     """WPA2-Enterprise and Authenticator forcing reauthentication"""
2906     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2907     params['eap_reauth_period'] = '2'
2908     hostapd.add_ap(apdev[0]['ifname'], params)
2909     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2910                 password_hex="0123456789abcdef0123456789abcdef")
2911     logger.info("Wait for reauthentication")
2912     ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2913     if ev is None:
2914         raise Exception("Timeout on reauthentication")
2915     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2916     if ev is None:
2917         raise Exception("Timeout on reauthentication")
2918     for i in range(0, 20):
2919         state = dev[0].get_status_field("wpa_state")
2920         if state == "COMPLETED":
2921             break
2922         time.sleep(0.1)
2923     if state != "COMPLETED":
2924         raise Exception("Reauthentication did not complete")
2925
2926 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
2927     """Optional displayable message in EAP Request-Identity"""
2928     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2929     params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
2930     hostapd.add_ap(apdev[0]['ifname'], params)
2931     eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2932                 password_hex="0123456789abcdef0123456789abcdef")
2933
2934 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
2935     """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
2936     check_hlr_auc_gw_support()
2937     params = int_eap_server_params()
2938     params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
2939     params['eap_sim_aka_result_ind'] = "1"
2940     hostapd.add_ap(apdev[0]['ifname'], params)
2941
2942     eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
2943                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
2944                 phase1="result_ind=1")
2945     eap_reauth(dev[0], "SIM")
2946     eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
2947                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
2948
2949     dev[0].request("REMOVE_NETWORK all")
2950     dev[1].request("REMOVE_NETWORK all")
2951
2952     eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2953                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2954                 phase1="result_ind=1")
2955     eap_reauth(dev[0], "AKA")
2956     eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2957                 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2958
2959     dev[0].request("REMOVE_NETWORK all")
2960     dev[1].request("REMOVE_NETWORK all")
2961
2962     eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2963                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2964                 phase1="result_ind=1")
2965     eap_reauth(dev[0], "AKA'")
2966     eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2967                 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2968
2969 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2970     """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2971     skip_with_fips(dev[0])
2972     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2973     hostapd.add_ap(apdev[0]['ifname'], params)
2974     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2975                    eap="TTLS", identity="mschap user",
2976                    wait_connect=False, scan_freq="2412", ieee80211w="1",
2977                    anonymous_identity="ttls", password="password",
2978                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2979                    fragment_size="10")
2980     ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2981     if ev is None:
2982         raise Exception("EAP roundtrip limit not reached")
2983
2984 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2985     """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2986     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2987     hostapd.add_ap(apdev[0]['ifname'], params)
2988     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2989                    eap="PSK", identity="vendor-test",
2990                    password_hex="ff23456789abcdef0123456789abcdef",
2991                    wait_connect=False)
2992
2993     found = False
2994     for i in range(0, 5):
2995         ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2996         if ev is None:
2997             raise Exception("Association and EAP start timed out")
2998         if "refuse proposed method" in ev:
2999             found = True
3000             break
3001     if not found:
3002         raise Exception("Unexpected EAP status: " + ev)
3003
3004     ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3005     if ev is None:
3006         raise Exception("EAP failure timed out")
3007
3008 def test_ap_wpa2_eap_sql(dev, apdev, params):
3009     """WPA2-Enterprise connection using SQLite for user DB"""
3010     skip_with_fips(dev[0])
3011     try:
3012         import sqlite3
3013     except ImportError:
3014         raise HwsimSkip("No sqlite3 module available")
3015     dbfile = os.path.join(params['logdir'], "eap-user.db")
3016     try:
3017         os.remove(dbfile)
3018     except:
3019         pass
3020     con = sqlite3.connect(dbfile)
3021     with con:
3022         cur = con.cursor()
3023         cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3024         cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3025         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3026         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3027         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3028         cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3029         cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3030         cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3031
3032     try:
3033         params = int_eap_server_params()
3034         params["eap_user_file"] = "sqlite:" + dbfile
3035         hostapd.add_ap(apdev[0]['ifname'], params)
3036         eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3037                     anonymous_identity="ttls", password="password",
3038                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3039         dev[0].request("REMOVE_NETWORK all")
3040         eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3041                     anonymous_identity="ttls", password="password",
3042                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3043         dev[1].request("REMOVE_NETWORK all")
3044         eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3045                     anonymous_identity="ttls", password="password",
3046                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3047         eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3048                     anonymous_identity="ttls", password="password",
3049                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3050     finally:
3051         os.remove(dbfile)
3052
3053 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3054     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3055     params = int_eap_server_params()
3056     hostapd.add_ap(apdev[0]['ifname'], params)
3057     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3058                    identity="\x80", password="password", wait_connect=False)
3059     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3060                    identity="a\x80", password="password", wait_connect=False)
3061     for i in range(0, 2):
3062         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3063         if ev is None:
3064             raise Exception("Association and EAP start timed out")
3065         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3066         if ev is None:
3067             raise Exception("EAP method selection timed out")
3068
3069 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3070     """WPA2-Enterprise connection attempt using non-ASCII identity"""
3071     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3072     hostapd.add_ap(apdev[0]['ifname'], params)
3073     dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3074                    identity="\x80", password="password", wait_connect=False)
3075     dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3076                    identity="a\x80", password="password", wait_connect=False)
3077     for i in range(0, 2):
3078         ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3079         if ev is None:
3080             raise Exception("Association and EAP start timed out")
3081         ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3082         if ev is None:
3083             raise Exception("EAP method selection timed out")
3084
3085 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3086     """OpenSSL cipher suite configuration on wpa_supplicant"""
3087     tls = dev[0].request("GET tls_library")
3088     if not tls.startswith("OpenSSL"):
3089         raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3090     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3091     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3092     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3093                 anonymous_identity="ttls", password="password",
3094                 openssl_ciphers="AES128",
3095                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3096     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3097                 anonymous_identity="ttls", password="password",
3098                 openssl_ciphers="EXPORT",
3099                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3100                 expect_failure=True, maybe_local_error=True)
3101     dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3102                    identity="pap user", anonymous_identity="ttls",
3103                    password="password",
3104                    openssl_ciphers="FOO",
3105                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3106                    wait_connect=False)
3107     ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3108     if ev is None:
3109         raise Exception("EAP failure after invalid openssl_ciphers not reported")
3110     dev[2].request("DISCONNECT")
3111
3112 def test_openssl_cipher_suite_config_hapd(dev, apdev):
3113     """OpenSSL cipher suite configuration on hostapd"""
3114     tls = dev[0].request("GET tls_library")
3115     if not tls.startswith("OpenSSL"):
3116         raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
3117     params = int_eap_server_params()
3118     params['openssl_ciphers'] = "AES256"
3119     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3120     tls = hapd.request("GET tls_library")
3121     if not tls.startswith("OpenSSL"):
3122         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3123     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3124                 anonymous_identity="ttls", password="password",
3125                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3126     eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3127                 anonymous_identity="ttls", password="password",
3128                 openssl_ciphers="AES128",
3129                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3130                 expect_failure=True)
3131     eap_connect(dev[2], apdev[0], "TTLS", "pap user",
3132                 anonymous_identity="ttls", password="password",
3133                 openssl_ciphers="HIGH:!ADH",
3134                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3135
3136     params['openssl_ciphers'] = "FOO"
3137     hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
3138     if "FAIL" not in hapd2.request("ENABLE"):
3139         raise Exception("Invalid openssl_ciphers value accepted")
3140
3141 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3142     """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3143     p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3144     hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3145     password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3146     pid = find_wpas_process(dev[0])
3147     id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3148                      anonymous_identity="ttls", password=password,
3149                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3150     time.sleep(1)
3151     buf = read_process_memory(pid, password)
3152
3153     dev[0].request("DISCONNECT")
3154     dev[0].wait_disconnected()
3155
3156     dev[0].relog()
3157     msk = None
3158     emsk = None
3159     pmk = None
3160     ptk = None
3161     gtk = None
3162     with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3163         for l in f.readlines():
3164             if "EAP-TTLS: Derived key - hexdump" in l:
3165                 val = l.strip().split(':')[3].replace(' ', '')
3166                 msk = binascii.unhexlify(val)
3167             if "EAP-TTLS: Derived EMSK - hexdump" in l:
3168                 val = l.strip().split(':')[3].replace(' ', '')
3169                 emsk = binascii.unhexlify(val)
3170             if "WPA: PMK - hexdump" in l:
3171                 val = l.strip().split(':')[3].replace(' ', '')
3172                 pmk = binascii.unhexlify(val)
3173             if "WPA: PTK - hexdump" in l:
3174                 val = l.strip().split(':')[3].replace(' ', '')
3175                 ptk = binascii.unhexlify(val)
3176             if "WPA: Group Key - hexdump" in l:
3177                 val = l.strip().split(':')[3].replace(' ', '')
3178                 gtk = binascii.unhexlify(val)
3179     if not msk or not emsk or not pmk or not ptk or not gtk:
3180         raise Exception("Could not find keys from debug log")
3181     if len(gtk) != 16:
3182         raise Exception("Unexpected GTK length")
3183
3184     kck = ptk[0:16]
3185     kek = ptk[16:32]
3186     tk = ptk[32:48]
3187
3188     fname = os.path.join(params['logdir'],
3189                          'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3190
3191     logger.info("Checking keys in memory while associated")
3192     get_key_locations(buf, password, "Password")
3193     get_key_locations(buf, pmk, "PMK")
3194     get_key_locations(buf, msk, "MSK")
3195     get_key_locations(buf, emsk, "EMSK")
3196     if password not in buf:
3197         raise HwsimSkip("Password not found while associated")
3198     if pmk not in buf:
3199         raise HwsimSkip("PMK not found while associated")
3200     if kck not in buf:
3201         raise Exception("KCK not found while associated")
3202     if kek not in buf:
3203         raise Exception("KEK not found while associated")
3204     if tk in buf:
3205         raise Exception("TK found from memory")
3206     if gtk in buf:
3207         raise Exception("GTK found from memory")
3208
3209     logger.info("Checking keys in memory after disassociation")
3210     buf = read_process_memory(pid, password)
3211
3212     # Note: Password is still present in network configuration
3213     # Note: PMK is in PMKSA cache and EAP fast re-auth data
3214
3215     get_key_locations(buf, password, "Password")
3216     get_key_locations(buf, pmk, "PMK")
3217     get_key_locations(buf, msk, "MSK")
3218     get_key_locations(buf, emsk, "EMSK")
3219     verify_not_present(buf, kck, fname, "KCK")
3220     verify_not_present(buf, kek, fname, "KEK")
3221     verify_not_present(buf, tk, fname, "TK")
3222     verify_not_present(buf, gtk, fname, "GTK")
3223
3224     dev[0].request("PMKSA_FLUSH")
3225     dev[0].set_network_quoted(id, "identity", "foo")
3226     logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3227     buf = read_process_memory(pid, password)
3228     get_key_locations(buf, password, "Password")
3229     get_key_locations(buf, pmk, "PMK")
3230     get_key_locations(buf, msk, "MSK")
3231     get_key_locations(buf, emsk, "EMSK")
3232     verify_not_present(buf, pmk, fname, "PMK")
3233
3234     dev[0].request("REMOVE_NETWORK all")
3235
3236     logger.info("Checking keys in memory after network profile removal")
3237     buf = read_process_memory(pid, password)
3238
3239     get_key_locations(buf, password, "Password")
3240     get_key_locations(buf, pmk, "PMK")
3241     get_key_locations(buf, msk, "MSK")
3242     get_key_locations(buf, emsk, "EMSK")
3243     verify_not_present(buf, password, fname, "password")
3244     verify_not_present(buf, pmk, fname, "PMK")
3245     verify_not_present(buf, kck, fname, "KCK")
3246     verify_not_present(buf, kek, fname, "KEK")
3247     verify_not_present(buf, tk, fname, "TK")
3248     verify_not_present(buf, gtk, fname, "GTK")
3249     verify_not_present(buf, msk, fname, "MSK")
3250     verify_not_present(buf, emsk, fname, "EMSK")
3251
3252 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3253     """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3254     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3255     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3256     bssid = apdev[0]['bssid']
3257     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3258                 anonymous_identity="ttls", password="password",
3259                 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3260
3261     # Send unexpected WEP EAPOL-Key; this gets dropped
3262     res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3263     if "OK" not in res:
3264         raise Exception("EAPOL_RX to wpa_supplicant failed")
3265
3266 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3267     """WPA2-EAP and wpas interface in a bridge"""
3268     br_ifname='sta-br0'
3269     ifname='wlan5'
3270     try:
3271         _test_ap_wpa2_eap_in_bridge(dev, apdev)
3272     finally:
3273         subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3274         subprocess.call(['brctl', 'delif', br_ifname, ifname])
3275         subprocess.call(['brctl', 'delbr', br_ifname])
3276         subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3277
3278 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3279     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3280     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3281
3282     br_ifname='sta-br0'
3283     ifname='wlan5'
3284     wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3285     subprocess.call(['brctl', 'addbr', br_ifname])
3286     subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3287     subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3288     subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3289     subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3290     wpas.interface_add(ifname, br_ifname=br_ifname)
3291
3292     id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3293                      password_hex="0123456789abcdef0123456789abcdef")
3294     eap_reauth(wpas, "PAX")
3295     # Try again as a regression test for packet socket workaround
3296     eap_reauth(wpas, "PAX")
3297     wpas.request("DISCONNECT")
3298     wpas.wait_disconnected()
3299     wpas.request("RECONNECT")
3300     wpas.wait_connected()
3301
3302 def test_ap_wpa2_eap_session_ticket(dev, apdev):
3303     """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
3304     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3305     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3306     key_mgmt = hapd.get_config()['key_mgmt']
3307     if key_mgmt.split(' ')[0] != "WPA-EAP":
3308         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3309     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3310                 anonymous_identity="ttls", password="password",
3311                 ca_cert="auth_serv/ca.pem",
3312                 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
3313     eap_reauth(dev[0], "TTLS")
3314
3315 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3316     """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3317     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3318     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3319     key_mgmt = hapd.get_config()['key_mgmt']
3320     if key_mgmt.split(' ')[0] != "WPA-EAP":
3321         raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3322     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3323                 anonymous_identity="ttls", password="password",
3324                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3325                 phase2="auth=PAP")
3326     eap_reauth(dev[0], "TTLS")
3327
3328 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3329     """EAP-TLS and server checking CRL"""
3330     params = int_eap_server_params()
3331     params['check_crl'] = '1'
3332     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3333
3334     # check_crl=1 and no CRL available --> reject connection
3335     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3336                 client_cert="auth_serv/user.pem",
3337                 private_key="auth_serv/user.key", expect_failure=True)
3338     dev[0].request("REMOVE_NETWORK all")
3339
3340     hapd.disable()
3341     hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3342     hapd.enable()
3343
3344     # check_crl=1 and valid CRL --> accept
3345     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3346                 client_cert="auth_serv/user.pem",
3347                 private_key="auth_serv/user.key")
3348     dev[0].request("REMOVE_NETWORK all")
3349
3350     hapd.disable()
3351     hapd.set("check_crl", "2")
3352     hapd.enable()
3353
3354     # check_crl=2 and valid CRL --> accept
3355     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3356                 client_cert="auth_serv/user.pem",
3357                 private_key="auth_serv/user.key")
3358     dev[0].request("REMOVE_NETWORK all")
3359
3360 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3361     """EAP-TLS and OOM"""
3362     check_subject_match_support(dev[0])
3363     check_altsubject_match_support(dev[0])
3364     check_domain_match_full(dev[0])
3365
3366     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3367     hostapd.add_ap(apdev[0]['ifname'], params)
3368
3369     tests = [ (1, "tls_connection_set_subject_match"),
3370               (2, "tls_connection_set_subject_match"),
3371               (3, "tls_connection_set_subject_match"),
3372               (4, "tls_connection_set_subject_match") ]
3373     for count, func in tests:
3374         with alloc_fail(dev[0], count, func):
3375             dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3376                            identity="tls user", ca_cert="auth_serv/ca.pem",
3377                            client_cert="auth_serv/user.pem",
3378                            private_key="auth_serv/user.key",
3379                            subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3380                            altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3381                            domain_suffix_match="server.w1.fi",
3382                            domain_match="server.w1.fi",
3383                            wait_connect=False, scan_freq="2412")
3384             # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3385             ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3386             if ev is None:
3387                 raise Exception("No passphrase request")
3388             dev[0].request("REMOVE_NETWORK all")
3389             dev[0].wait_disconnected()
3390
3391 def test_ap_wpa2_eap_tls_macacl(dev, apdev):
3392     """WPA2-Enterprise connection using MAC ACL"""
3393     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3394     params["macaddr_acl"] = "2"
3395     hostapd.add_ap(apdev[0]['ifname'], params)
3396     eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3397                 client_cert="auth_serv/user.pem",
3398                 private_key="auth_serv/user.key")
3399
3400 def test_ap_wpa2_eap_oom(dev, apdev):
3401     """EAP server and OOM"""
3402     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3403     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3404     dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3405
3406     with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3407         # The first attempt fails, but STA will send EAPOL-Start to retry and
3408         # that succeeds.
3409         dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3410                        identity="tls user", ca_cert="auth_serv/ca.pem",
3411                        client_cert="auth_serv/user.pem",
3412                        private_key="auth_serv/user.key",
3413                        scan_freq="2412")
3414
3415 def check_tls_ver(dev, ap, phase1, expected):
3416     eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3417                 client_cert="auth_serv/user.pem",
3418                 private_key="auth_serv/user.key",
3419                 phase1=phase1)
3420     ver = dev.get_status_field("eap_tls_version")
3421     if ver != expected:
3422         raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3423
3424 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3425     """EAP-TLS and TLS version configuration"""
3426     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3427     hostapd.add_ap(apdev[0]['ifname'], params)
3428
3429     tls = dev[0].request("GET tls_library")
3430     if tls.startswith("OpenSSL"):
3431         if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3432             check_tls_ver(dev[0], apdev[0],
3433                           "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3434                           "TLSv1.2")
3435     check_tls_ver(dev[1], apdev[0],
3436                   "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3437     check_tls_ver(dev[2], apdev[0],
3438                   "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3439
3440 def test_rsn_ie_proto_eap_sta(dev, apdev):
3441     """RSN element protocol testing for EAP cases on STA side"""
3442     bssid = apdev[0]['bssid']
3443     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3444     # This is the RSN element used normally by hostapd
3445     params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3446     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3447     id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3448                         identity="gpsk user",
3449                         password="abcdefghijklmnop0123456789abcdef",
3450                         scan_freq="2412")
3451
3452     tests = [ ('No RSN Capabilities field',
3453                '30120100000fac040100000fac040100000fac01'),
3454               ('No AKM Suite fields',
3455                '300c0100000fac040100000fac04'),
3456               ('No Pairwise Cipher Suite fields',
3457                '30060100000fac04'),
3458               ('No Group Data Cipher Suite field',
3459                '30020100') ]
3460     for txt,ie in tests:
3461         dev[0].request("DISCONNECT")
3462         dev[0].wait_disconnected()
3463         logger.info(txt)
3464         hapd.disable()
3465         hapd.set('own_ie_override', ie)
3466         hapd.enable()
3467         dev[0].request("BSS_FLUSH 0")
3468         dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3469         dev[0].select_network(id, freq=2412)
3470         dev[0].wait_connected()
3471
3472 def check_tls_session_resumption_capa(dev, hapd):
3473     tls = hapd.request("GET tls_library")
3474     if not tls.startswith("OpenSSL"):
3475         raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3476
3477     tls = dev.request("GET tls_library")
3478     if not tls.startswith("OpenSSL"):
3479         raise HwsimSkip("Session resumption not supported with this TLS library: " + tls)
3480
3481 def test_eap_ttls_pap_session_resumption(dev, apdev):
3482     """EAP-TTLS/PAP session resumption"""
3483     params = int_eap_server_params()
3484     params['tls_session_lifetime'] = '60'
3485     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3486     check_tls_session_resumption_capa(dev[0], hapd)
3487     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3488                 anonymous_identity="ttls", password="password",
3489                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3490                 phase2="auth=PAP")
3491     if dev[0].get_status_field("tls_session_reused") != '0':
3492         raise Exception("Unexpected session resumption on the first connection")
3493
3494     dev[0].request("REAUTHENTICATE")
3495     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3496     if ev is None:
3497         raise Exception("EAP success timed out")
3498     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3499     if ev is None:
3500         raise Exception("Key handshake with the AP timed out")
3501     if dev[0].get_status_field("tls_session_reused") != '1':
3502         raise Exception("Session resumption not used on the second connection")
3503
3504 def test_eap_ttls_chap_session_resumption(dev, apdev):
3505     """EAP-TTLS/CHAP session resumption"""
3506     params = int_eap_server_params()
3507     params['tls_session_lifetime'] = '60'
3508     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3509     check_tls_session_resumption_capa(dev[0], hapd)
3510     eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3511                 anonymous_identity="ttls", password="password",
3512                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3513     if dev[0].get_status_field("tls_session_reused") != '0':
3514         raise Exception("Unexpected session resumption on the first connection")
3515
3516     dev[0].request("REAUTHENTICATE")
3517     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3518     if ev is None:
3519         raise Exception("EAP success timed out")
3520     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3521     if ev is None:
3522         raise Exception("Key handshake with the AP timed out")
3523     if dev[0].get_status_field("tls_session_reused") != '1':
3524         raise Exception("Session resumption not used on the second connection")
3525
3526 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3527     """EAP-TTLS/MSCHAP session resumption"""
3528     params = int_eap_server_params()
3529     params['tls_session_lifetime'] = '60'
3530     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3531     check_tls_session_resumption_capa(dev[0], hapd)
3532     eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3533                 anonymous_identity="ttls", password="password",
3534                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3535                 domain_suffix_match="server.w1.fi")
3536     if dev[0].get_status_field("tls_session_reused") != '0':
3537         raise Exception("Unexpected session resumption on the first connection")
3538
3539     dev[0].request("REAUTHENTICATE")
3540     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3541     if ev is None:
3542         raise Exception("EAP success timed out")
3543     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3544     if ev is None:
3545         raise Exception("Key handshake with the AP timed out")
3546     if dev[0].get_status_field("tls_session_reused") != '1':
3547         raise Exception("Session resumption not used on the second connection")
3548
3549 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3550     """EAP-TTLS/MSCHAPv2 session resumption"""
3551     check_eap_capa(dev[0], "MSCHAPV2")
3552     params = int_eap_server_params()
3553     params['tls_session_lifetime'] = '60'
3554     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3555     check_tls_session_resumption_capa(dev[0], hapd)
3556     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3557                 anonymous_identity="ttls", password="password",
3558                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3559                 domain_suffix_match="server.w1.fi")
3560     if dev[0].get_status_field("tls_session_reused") != '0':
3561         raise Exception("Unexpected session resumption on the first connection")
3562
3563     dev[0].request("REAUTHENTICATE")
3564     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3565     if ev is None:
3566         raise Exception("EAP success timed out")
3567     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3568     if ev is None:
3569         raise Exception("Key handshake with the AP timed out")
3570     if dev[0].get_status_field("tls_session_reused") != '1':
3571         raise Exception("Session resumption not used on the second connection")
3572
3573 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3574     """EAP-TTLS/EAP-GTC session resumption"""
3575     params = int_eap_server_params()
3576     params['tls_session_lifetime'] = '60'
3577     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3578     check_tls_session_resumption_capa(dev[0], hapd)
3579     eap_connect(dev[0], apdev[0], "TTLS", "user",
3580                 anonymous_identity="ttls", password="password",
3581                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3582     if dev[0].get_status_field("tls_session_reused") != '0':
3583         raise Exception("Unexpected session resumption on the first connection")
3584
3585     dev[0].request("REAUTHENTICATE")
3586     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3587     if ev is None:
3588         raise Exception("EAP success timed out")
3589     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3590     if ev is None:
3591         raise Exception("Key handshake with the AP timed out")
3592     if dev[0].get_status_field("tls_session_reused") != '1':
3593         raise Exception("Session resumption not used on the second connection")
3594
3595 def test_eap_ttls_no_session_resumption(dev, apdev):
3596     """EAP-TTLS session resumption disabled on server"""
3597     params = int_eap_server_params()
3598     params['tls_session_lifetime'] = '0'
3599     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3600     eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3601                 anonymous_identity="ttls", password="password",
3602                 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3603                 phase2="auth=PAP")
3604     if dev[0].get_status_field("tls_session_reused") != '0':
3605         raise Exception("Unexpected session resumption on the first connection")
3606
3607     dev[0].request("REAUTHENTICATE")
3608     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3609     if ev is None:
3610         raise Exception("EAP success timed out")
3611     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3612     if ev is None:
3613         raise Exception("Key handshake with the AP timed out")
3614     if dev[0].get_status_field("tls_session_reused") != '0':
3615         raise Exception("Unexpected session resumption on the second connection")
3616
3617 def test_eap_peap_session_resumption(dev, apdev):
3618     """EAP-PEAP session resumption"""
3619     params = int_eap_server_params()
3620     params['tls_session_lifetime'] = '60'
3621     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3622     check_tls_session_resumption_capa(dev[0], hapd)
3623     eap_connect(dev[0], apdev[0], "PEAP", "user",
3624                 anonymous_identity="peap", password="password",
3625                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3626     if dev[0].get_status_field("tls_session_reused") != '0':
3627         raise Exception("Unexpected session resumption on the first connection")
3628
3629     dev[0].request("REAUTHENTICATE")
3630     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3631     if ev is None:
3632         raise Exception("EAP success timed out")
3633     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3634     if ev is None:
3635         raise Exception("Key handshake with the AP timed out")
3636     if dev[0].get_status_field("tls_session_reused") != '1':
3637         raise Exception("Session resumption not used on the second connection")
3638
3639 def test_eap_peap_no_session_resumption(dev, apdev):
3640     """EAP-PEAP session resumption disabled on server"""
3641     params = int_eap_server_params()
3642     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3643     eap_connect(dev[0], apdev[0], "PEAP", "user",
3644                 anonymous_identity="peap", password="password",
3645                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3646     if dev[0].get_status_field("tls_session_reused") != '0':
3647         raise Exception("Unexpected session resumption on the first connection")
3648
3649     dev[0].request("REAUTHENTICATE")
3650     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3651     if ev is None:
3652         raise Exception("EAP success timed out")
3653     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3654     if ev is None:
3655         raise Exception("Key handshake with the AP timed out")
3656     if dev[0].get_status_field("tls_session_reused") != '0':
3657         raise Exception("Unexpected session resumption on the second connection")
3658
3659 def test_eap_tls_session_resumption(dev, apdev):
3660     """EAP-TLS session resumption"""
3661     params = int_eap_server_params()
3662     params['tls_session_lifetime'] = '60'
3663     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3664     check_tls_session_resumption_capa(dev[0], hapd)
3665     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3666                 client_cert="auth_serv/user.pem",
3667                 private_key="auth_serv/user.key")
3668     if dev[0].get_status_field("tls_session_reused") != '0':
3669         raise Exception("Unexpected session resumption on the first connection")
3670
3671     dev[0].request("REAUTHENTICATE")
3672     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3673     if ev is None:
3674         raise Exception("EAP success timed out")
3675     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3676     if ev is None:
3677         raise Exception("Key handshake with the AP timed out")
3678     if dev[0].get_status_field("tls_session_reused") != '1':
3679         raise Exception("Session resumption not used on the second connection")
3680
3681     dev[0].request("REAUTHENTICATE")
3682     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3683     if ev is None:
3684         raise Exception("EAP success timed out")
3685     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3686     if ev is None:
3687         raise Exception("Key handshake with the AP timed out")
3688     if dev[0].get_status_field("tls_session_reused") != '1':
3689         raise Exception("Session resumption not used on the third connection")
3690
3691 def test_eap_tls_session_resumption_expiration(dev, apdev):
3692     """EAP-TLS session resumption"""
3693     params = int_eap_server_params()
3694     params['tls_session_lifetime'] = '1'
3695     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3696     check_tls_session_resumption_capa(dev[0], hapd)
3697     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3698                 client_cert="auth_serv/user.pem",
3699                 private_key="auth_serv/user.key")
3700     if dev[0].get_status_field("tls_session_reused") != '0':
3701         raise Exception("Unexpected session resumption on the first connection")
3702
3703     # Allow multiple attempts since OpenSSL may not expire the cached entry
3704     # immediately.
3705     for i in range(10):
3706         time.sleep(1.2)
3707
3708         dev[0].request("REAUTHENTICATE")
3709         ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3710         if ev is None:
3711             raise Exception("EAP success timed out")
3712         ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3713         if ev is None:
3714             raise Exception("Key handshake with the AP timed out")
3715         if dev[0].get_status_field("tls_session_reused") == '0':
3716             break
3717     if dev[0].get_status_field("tls_session_reused") != '0':
3718         raise Exception("Session resumption used after lifetime expiration")
3719
3720 def test_eap_tls_no_session_resumption(dev, apdev):
3721     """EAP-TLS session resumption disabled on server"""
3722     params = int_eap_server_params()
3723     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3724     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3725                 client_cert="auth_serv/user.pem",
3726                 private_key="auth_serv/user.key")
3727     if dev[0].get_status_field("tls_session_reused") != '0':
3728         raise Exception("Unexpected session resumption on the first connection")
3729
3730     dev[0].request("REAUTHENTICATE")
3731     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3732     if ev is None:
3733         raise Exception("EAP success timed out")
3734     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3735     if ev is None:
3736         raise Exception("Key handshake with the AP timed out")
3737     if dev[0].get_status_field("tls_session_reused") != '0':
3738         raise Exception("Unexpected session resumption on the second connection")
3739
3740 def test_eap_tls_session_resumption_radius(dev, apdev):
3741     """EAP-TLS session resumption (RADIUS)"""
3742     params = { "ssid": "as", "beacon_int": "2000",
3743                "radius_server_clients": "auth_serv/radius_clients.conf",
3744                "radius_server_auth_port": '18128',
3745                "eap_server": "1",
3746                "eap_user_file": "auth_serv/eap_user.conf",
3747                "ca_cert": "auth_serv/ca.pem",
3748                "server_cert": "auth_serv/server.pem",
3749                "private_key": "auth_serv/server.key",
3750                "tls_session_lifetime": "60" }
3751     authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
3752     check_tls_session_resumption_capa(dev[0], authsrv)
3753
3754     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3755     params['auth_server_port'] = "18128"
3756     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3757     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3758                 client_cert="auth_serv/user.pem",
3759                 private_key="auth_serv/user.key")
3760     if dev[0].get_status_field("tls_session_reused") != '0':
3761         raise Exception("Unexpected session resumption on the first connection")
3762
3763     dev[0].request("REAUTHENTICATE")
3764     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3765     if ev is None:
3766         raise Exception("EAP success timed out")
3767     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3768     if ev is None:
3769         raise Exception("Key handshake with the AP timed out")
3770     if dev[0].get_status_field("tls_session_reused") != '1':
3771         raise Exception("Session resumption not used on the second connection")
3772
3773 def test_eap_tls_no_session_resumption_radius(dev, apdev):
3774     """EAP-TLS session resumption disabled (RADIUS)"""
3775     params = { "ssid": "as", "beacon_int": "2000",
3776                "radius_server_clients": "auth_serv/radius_clients.conf",
3777                "radius_server_auth_port": '18128',
3778                "eap_server": "1",
3779                "eap_user_file": "auth_serv/eap_user.conf",
3780                "ca_cert": "auth_serv/ca.pem",
3781                "server_cert": "auth_serv/server.pem",
3782                "private_key": "auth_serv/server.key",
3783                "tls_session_lifetime": "0" }
3784     hostapd.add_ap(apdev[1]['ifname'], params)
3785
3786     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3787     params['auth_server_port'] = "18128"
3788     hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3789     eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3790                 client_cert="auth_serv/user.pem",
3791                 private_key="auth_serv/user.key")
3792     if dev[0].get_status_field("tls_session_reused") != '0':
3793         raise Exception("Unexpected session resumption on the first connection")
3794
3795     dev[0].request("REAUTHENTICATE")
3796     ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3797     if ev is None:
3798         raise Exception("EAP success timed out")
3799     ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3800     if ev is None:
3801         raise Exception("Key handshake with the AP timed out")
3802     if dev[0].get_status_field("tls_session_reused") != '0':
3803         raise Exception("Unexpected session resumption on the second connection")
Moonshot GSS-API mechanism