1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' tests depend on the external hlr_auc_gw helper,
    which is reached through a UNIX socket under /tmp.  Only the existence
    of the path is checked here, not whether a live helper is listening on
    it, so a stale socket file still lets the test run (and then fail).

    Raises:
        HwsimSkip: the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless the station's TLS backend supports subject_match.

    The test treats only an OpenSSL backend as supporting the subject_match
    network parameter; the decision is a prefix match on the string returned
    by the "GET tls_library" control-interface command.

    Args:
        dev: WpaSupplicant control-interface wrapper for the station.

    Raises:
        HwsimSkip: the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the test unless the station's TLS backend supports altsubject_match.

    Mirrors check_subject_match_support(): the altsubject_match parameter is
    only exercised against an OpenSSL backend, detected by a prefix match on
    the "GET tls_library" response.

    Args:
        dev: WpaSupplicant control-interface wrapper for the station.

    Raises:
        HwsimSkip: the reported TLS library is not OpenSSL.
    """
    backend = dev.request("GET tls_library")
    is_openssl = backend.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + backend)
def check_domain_match_full(dev):
    """Skip the test unless domain_suffix_match does real suffix matching.

    With a non-OpenSSL TLS backend the test expects domain_suffix_match to
    require a full-domain match rather than a suffix match (see the skip
    message), so tests that rely on suffix semantics are skipped there.  The
    backend is identified by a prefix match on the "GET tls_library" reply.

    Args:
        dev: WpaSupplicant control-interface wrapper for the station.

    Raises:
        HwsimSkip: the reported TLS library is not OpenSSL.
    """
    reply = dev.request("GET tls_library")
    if not reply.startswith("OpenSSL"):
        msg = "domain_suffix_match requires full match with this TLS library: "
        raise HwsimSkip(msg + reply)
def check_cert_probe_support(dev):
    """Skip the test unless the station's TLS backend supports certificate probing.

    Certificate probing (connecting without a configured trust anchor just to
    learn the server certificate) is only exercised against an OpenSSL
    backend; any other "GET tls_library" reply skips the test.

    Args:
        dev: WpaSupplicant control-interface wrapper for the station.

    Raises:
        HwsimSkip: the reported TLS library is not OpenSSL.
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if supported:
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
91 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
93 raise Exception("EAP method selection timed out")
94 if "CTRL-EVENT-EAP-FAILURE" in ev:
97 raise Exception("Could not select EAP method")
99 raise Exception("Unexpected EAP method")
101 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
103 raise Exception("EAP failure timed out")
104 ev = dev.wait_disconnected(timeout=10)
105 if maybe_local_error and "locally_generated=1" in ev:
107 if not local_error_report:
108 if "reason=23" not in ev:
109 raise Exception("Proper reason code for disconnection not reported")
111 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
113 raise Exception("EAP success timed out")
116 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
118 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
120 raise Exception("Association with the AP timed out")
121 status = dev.get_status()
122 if status["wpa_state"] != "COMPLETED":
123 raise Exception("Connection not completed")
125 if status["suppPortStatus"] != "Authorized":
126 raise Exception("Port not authorized")
127 if method not in status["selectedMethod"]:
128 raise Exception("Incorrect EAP method status")
130 e = "WPA2-EAP-SHA256"
132 e = "WPA2/IEEE 802.1X/EAP"
134 e = "WPA/IEEE 802.1X/EAP"
135 if status["key_mgmt"] != e:
136 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
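def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on the station and validate the outcome.

    Sends REAUTHENTICATE over the control interface and then runs the same
    event/status validation as the initial connection, with initial=False.

    Args:
        dev: WpaSupplicant control-interface wrapper for the station.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn: passed through to eap_check_auth(); selects the WPA2 vs WPA
            key_mgmt string that the status check expects.
        sha256: whether WPA-EAP-SHA256 key management is expected.
        expect_failure: whether the re-authentication is expected to fail.

    Returns:
        Whatever eap_check_auth() returns.

    Raises:
        Exception: the REAUTHENTICATE command was rejected, or the checks in
            eap_check_auth() fail.
    """
    # Fail fast with the real cause instead of letting eap_check_auth() wait
    # 10 s for a CTRL-EVENT-EAP-STARTED that will never arrive.  Other ctrl
    # commands in this file already check for "OK" in the reply.
    if "OK" not in dev.request("REAUTHENTICATE"):
        raise Exception("REAUTHENTICATE command failed")
    return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                          expect_failure=expect_failure)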
144 def test_ap_wpa2_eap_sim(dev, apdev):
145 """WPA2-Enterprise connection using EAP-SIM"""
146 check_hlr_auc_gw_support()
147 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
149 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 hwsim_utils.test_connectivity(dev[0], hapd)
152 eap_reauth(dev[0], "SIM")
154 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
155 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
157 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
160 logger.info("Negative test with incorrect key")
161 dev[0].request("REMOVE_NETWORK all")
162 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
163 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
166 logger.info("Invalid GSM-Milenage key")
167 dev[0].request("REMOVE_NETWORK all")
168 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
169 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
172 logger.info("Invalid GSM-Milenage key(2)")
173 dev[0].request("REMOVE_NETWORK all")
174 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
175 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
178 logger.info("Invalid GSM-Milenage key(3)")
179 dev[0].request("REMOVE_NETWORK all")
180 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
181 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
184 logger.info("Invalid GSM-Milenage key(4)")
185 dev[0].request("REMOVE_NETWORK all")
186 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
187 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
190 logger.info("Missing key configuration")
191 dev[0].request("REMOVE_NETWORK all")
192 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
195 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
196 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
197 check_hlr_auc_gw_support()
201 raise HwsimSkip("No sqlite3 module available")
202 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
203 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
204 params['auth_server_port'] = "1814"
205 hostapd.add_ap(apdev[0]['ifname'], params)
206 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
207 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
209 logger.info("SIM fast re-authentication")
210 eap_reauth(dev[0], "SIM")
212 logger.info("SIM full auth with pseudonym")
215 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
216 eap_reauth(dev[0], "SIM")
218 logger.info("SIM full auth with permanent identity")
221 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
222 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
223 eap_reauth(dev[0], "SIM")
225 logger.info("SIM reauth with mismatching MK")
228 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
229 eap_reauth(dev[0], "SIM", expect_failure=True)
230 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
233 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
236 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
237 eap_reauth(dev[0], "SIM")
240 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with mismatching counter")
242 eap_reauth(dev[0], "SIM")
243 dev[0].request("REMOVE_NETWORK all")
245 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
246 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
250 logger.info("SIM reauth with max reauth count reached")
251 eap_reauth(dev[0], "SIM")
253 def test_ap_wpa2_eap_sim_config(dev, apdev):
254 """EAP-SIM configuration options"""
255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
256 hostapd.add_ap(apdev[0]['ifname'], params)
257 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
258 identity="1232010000000000",
259 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1="sim_min_num_chal=1",
261 wait_connect=False, scan_freq="2412")
262 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
264 raise Exception("No EAP error message seen")
265 dev[0].request("REMOVE_NETWORK all")
267 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
268 identity="1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=4",
271 wait_connect=False, scan_freq="2412")
272 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
274 raise Exception("No EAP error message seen (2)")
275 dev[0].request("REMOVE_NETWORK all")
277 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
279 phase1="sim_min_num_chal=2")
280 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
281 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
282 anonymous_identity="345678")
284 def test_ap_wpa2_eap_sim_ext(dev, apdev):
285 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
287 _test_ap_wpa2_eap_sim_ext(dev, apdev)
289 dev[0].request("SET external_sim 0")
291 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
292 check_hlr_auc_gw_support()
293 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
294 hostapd.add_ap(apdev[0]['ifname'], params)
295 dev[0].request("SET external_sim 1")
296 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
297 identity="1232010000000000",
298 wait_connect=False, scan_freq="2412")
299 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
301 raise Exception("Network connected timed out")
303 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
305 raise Exception("Wait for external SIM processing request timed out")
307 if p[1] != "GSM-AUTH":
308 raise Exception("Unexpected CTRL-REQ-SIM type")
309 rid = p[0].split('-')[3]
312 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
313 # This will fail during processing, but the ctrl_iface command succeeds
314 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
317 raise Exception("EAP failure not reported")
318 dev[0].request("DISCONNECT")
319 dev[0].wait_disconnected()
322 dev[0].select_network(id, freq="2412")
323 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
325 raise Exception("Wait for external SIM processing request timed out")
327 if p[1] != "GSM-AUTH":
328 raise Exception("Unexpected CTRL-REQ-SIM type")
329 rid = p[0].split('-')[3]
330 # This will fail during GSM auth validation
331 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
332 raise Exception("CTRL-RSP-SIM failed")
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
337 dev[0].wait_disconnected()
340 dev[0].select_network(id, freq="2412")
341 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
343 raise Exception("Wait for external SIM processing request timed out")
345 if p[1] != "GSM-AUTH":
346 raise Exception("Unexpected CTRL-REQ-SIM type")
347 rid = p[0].split('-')[3]
348 # This will fail during GSM auth validation
349 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
350 raise Exception("CTRL-RSP-SIM failed")
351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
353 raise Exception("EAP failure not reported")
354 dev[0].request("DISCONNECT")
355 dev[0].wait_disconnected()
358 dev[0].select_network(id, freq="2412")
359 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
361 raise Exception("Wait for external SIM processing request timed out")
363 if p[1] != "GSM-AUTH":
364 raise Exception("Unexpected CTRL-REQ-SIM type")
365 rid = p[0].split('-')[3]
366 # This will fail during GSM auth validation
367 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
368 raise Exception("CTRL-RSP-SIM failed")
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
371 raise Exception("EAP failure not reported")
372 dev[0].request("DISCONNECT")
373 dev[0].wait_disconnected()
376 dev[0].select_network(id, freq="2412")
377 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
379 raise Exception("Wait for external SIM processing request timed out")
381 if p[1] != "GSM-AUTH":
382 raise Exception("Unexpected CTRL-REQ-SIM type")
383 rid = p[0].split('-')[3]
384 # This will fail during GSM auth validation
385 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
386 raise Exception("CTRL-RSP-SIM failed")
387 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
389 raise Exception("EAP failure not reported")
390 dev[0].request("DISCONNECT")
391 dev[0].wait_disconnected()
394 dev[0].select_network(id, freq="2412")
395 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
397 raise Exception("Wait for external SIM processing request timed out")
399 if p[1] != "GSM-AUTH":
400 raise Exception("Unexpected CTRL-REQ-SIM type")
401 rid = p[0].split('-')[3]
402 # This will fail during GSM auth validation
403 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
404 raise Exception("CTRL-RSP-SIM failed")
405 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
407 raise Exception("EAP failure not reported")
408 dev[0].request("DISCONNECT")
409 dev[0].wait_disconnected()
412 dev[0].select_network(id, freq="2412")
413 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
415 raise Exception("Wait for external SIM processing request timed out")
417 if p[1] != "GSM-AUTH":
418 raise Exception("Unexpected CTRL-REQ-SIM type")
419 rid = p[0].split('-')[3]
420 # This will fail during GSM auth validation
421 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
422 raise Exception("CTRL-RSP-SIM failed")
423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
425 raise Exception("EAP failure not reported")
427 def test_ap_wpa2_eap_sim_oom(dev, apdev):
428 """EAP-SIM and OOM"""
429 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
430 hostapd.add_ap(apdev[0]['ifname'], params)
431 tests = [ (1, "milenage_f2345"),
432 (2, "milenage_f2345"),
433 (3, "milenage_f2345"),
434 (4, "milenage_f2345"),
435 (5, "milenage_f2345"),
436 (6, "milenage_f2345"),
437 (7, "milenage_f2345"),
438 (8, "milenage_f2345"),
439 (9, "milenage_f2345"),
440 (10, "milenage_f2345"),
441 (11, "milenage_f2345"),
442 (12, "milenage_f2345") ]
443 for count, func in tests:
444 with alloc_fail(dev[0], count, func):
445 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
446 identity="1232010000000000",
447 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
448 wait_connect=False, scan_freq="2412")
449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
451 raise Exception("EAP method not selected")
452 dev[0].wait_disconnected()
453 dev[0].request("REMOVE_NETWORK all")
455 def test_ap_wpa2_eap_aka(dev, apdev):
456 """WPA2-Enterprise connection using EAP-AKA"""
457 check_hlr_auc_gw_support()
458 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
459 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
460 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
461 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
462 hwsim_utils.test_connectivity(dev[0], hapd)
463 eap_reauth(dev[0], "AKA")
465 logger.info("Negative test with incorrect key")
466 dev[0].request("REMOVE_NETWORK all")
467 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
468 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
471 logger.info("Invalid Milenage key")
472 dev[0].request("REMOVE_NETWORK all")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
477 logger.info("Invalid Milenage key(2)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
482 logger.info("Invalid Milenage key(3)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
487 logger.info("Invalid Milenage key(4)")
488 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
492 logger.info("Invalid Milenage key(5)")
493 dev[0].request("REMOVE_NETWORK all")
494 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
495 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
498 logger.info("Invalid Milenage key(6)")
499 dev[0].request("REMOVE_NETWORK all")
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
504 logger.info("Missing key configuration")
505 dev[0].request("REMOVE_NETWORK all")
506 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
509 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
510 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
511 check_hlr_auc_gw_support()
515 raise HwsimSkip("No sqlite3 module available")
516 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
517 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
518 params['auth_server_port'] = "1814"
519 hostapd.add_ap(apdev[0]['ifname'], params)
520 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
521 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
523 logger.info("AKA fast re-authentication")
524 eap_reauth(dev[0], "AKA")
526 logger.info("AKA full auth with pseudonym")
529 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
530 eap_reauth(dev[0], "AKA")
532 logger.info("AKA full auth with permanent identity")
535 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
536 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
537 eap_reauth(dev[0], "AKA")
539 logger.info("AKA reauth with mismatching MK")
542 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
543 eap_reauth(dev[0], "AKA", expect_failure=True)
544 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
547 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
550 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
551 eap_reauth(dev[0], "AKA")
554 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with mismatching counter")
556 eap_reauth(dev[0], "AKA")
557 dev[0].request("REMOVE_NETWORK all")
559 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
560 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
564 logger.info("AKA reauth with max reauth count reached")
565 eap_reauth(dev[0], "AKA")
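def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # The internal EAP-AKA server needs hlr_auc_gw to run Milenage; the
    # sibling EAP-AKA tests skip without it, so be consistent here rather
    # than failing the test on hosts where the helper is absent.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Milenage test vector in the Ki:OPc:SQN form used by the other AKA tests;
    # anonymous_identity overrides the outer (unprotected) identity sent
    # before the method-specific exchange starts.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")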
575 def test_ap_wpa2_eap_aka_ext(dev, apdev):
576 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
578 _test_ap_wpa2_eap_aka_ext(dev, apdev)
580 dev[0].request("SET external_sim 0")
582 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
583 check_hlr_auc_gw_support()
584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
585 hostapd.add_ap(apdev[0]['ifname'], params)
586 dev[0].request("SET external_sim 1")
587 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
588 identity="0232010000000000",
589 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
590 wait_connect=False, scan_freq="2412")
591 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
593 raise Exception("Network connected timed out")
595 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p[1] != "UMTS-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid = p[0].split('-')[3]
604 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
605 # This will fail during processing, but the ctrl_iface command succeeds
606 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
607 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
609 raise Exception("EAP failure not reported")
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
614 dev[0].select_network(id, freq="2412")
615 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
617 raise Exception("Wait for external SIM processing request timed out")
619 if p[1] != "UMTS-AUTH":
620 raise Exception("Unexpected CTRL-REQ-SIM type")
621 rid = p[0].split('-')[3]
622 # This will fail during UMTS auth validation
623 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
624 raise Exception("CTRL-RSP-SIM failed")
625 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
627 raise Exception("Wait for external SIM processing request timed out")
629 if p[1] != "UMTS-AUTH":
630 raise Exception("Unexpected CTRL-REQ-SIM type")
631 rid = p[0].split('-')[3]
632 # This will fail during UMTS auth validation
633 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
634 raise Exception("CTRL-RSP-SIM failed")
635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
637 raise Exception("EAP failure not reported")
638 dev[0].request("DISCONNECT")
639 dev[0].wait_disconnected()
642 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
644 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
645 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
646 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
647 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
648 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
650 dev[0].select_network(id, freq="2412")
651 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
653 raise Exception("Wait for external SIM processing request timed out")
655 if p[1] != "UMTS-AUTH":
656 raise Exception("Unexpected CTRL-REQ-SIM type")
657 rid = p[0].split('-')[3]
658 # This will fail during UMTS auth validation
659 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
660 raise Exception("CTRL-RSP-SIM failed")
661 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
663 raise Exception("EAP failure not reported")
664 dev[0].request("DISCONNECT")
665 dev[0].wait_disconnected()
668 def test_ap_wpa2_eap_aka_prime(dev, apdev):
669 """WPA2-Enterprise connection using EAP-AKA'"""
670 check_hlr_auc_gw_support()
671 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
672 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
673 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
674 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
675 hwsim_utils.test_connectivity(dev[0], hapd)
676 eap_reauth(dev[0], "AKA'")
678 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
679 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
680 identity="6555444333222111@both",
681 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 wait_connect=False, scan_freq="2412")
683 dev[1].wait_connected(timeout=15)
685 logger.info("Negative test with incorrect key")
686 dev[0].request("REMOVE_NETWORK all")
687 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
688 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
691 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
692 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
693 check_hlr_auc_gw_support()
697 raise HwsimSkip("No sqlite3 module available")
698 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
699 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
700 params['auth_server_port'] = "1814"
701 hostapd.add_ap(apdev[0]['ifname'], params)
702 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
703 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
705 logger.info("AKA' fast re-authentication")
706 eap_reauth(dev[0], "AKA'")
708 logger.info("AKA' full auth with pseudonym")
711 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
712 eap_reauth(dev[0], "AKA'")
714 logger.info("AKA' full auth with permanent identity")
717 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
718 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
719 eap_reauth(dev[0], "AKA'")
721 logger.info("AKA' reauth with mismatching k_aut")
724 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
725 eap_reauth(dev[0], "AKA'", expect_failure=True)
726 dev[0].request("REMOVE_NETWORK all")
728 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
729 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
732 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
733 eap_reauth(dev[0], "AKA'")
736 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with mismatching counter")
738 eap_reauth(dev[0], "AKA'")
739 dev[0].request("REMOVE_NETWORK all")
741 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
742 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
745 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
746 logger.info("AKA' reauth with max reauth count reached")
747 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # The first key_mgmt entry reported by GET_CONFIG must be WPA-EAP.
    mgmt = hapd.get_config()['key_mgmt']
    head = mgmt.partition(' ')[0]
    if head != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + mgmt)
    # PAP sends the inner password in the clear inside the TLS tunnel, so
    # the ca_cert setting (server certificate validation) is what protects
    # the credential in this test.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite: both the requested and the
    # selected suite must report it.
    dot1x_akm = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", dot1x_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", dot1x_akm)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matchers are only exercised with an OpenSSL backend; skip early.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): per wpa_supplicant.conf, subject_match is a substring
    # match on the server certificate subject and altsubject_match accepts
    # the certificate if one of the listed SAN entries matches; neither is
    # as strict as domain_match.  Confirm against the supplicant version.
    san_entries = ";".join(["EMAIL:noone@example.com",
                            "DNS:server.w1.fi",
                            "URI:http://example.com/"])
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match=san_entries)
    eap_reauth(dev[0], "TTLS")
777 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
778 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
781 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
782 anonymous_identity="ttls", password="wrong",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
785 eap_connect(dev[1], apdev[0], "TTLS", "user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP's challenge/response is MD5-based, which a FIPS build does not
    # provide, hence the skip.
    skip_with_fips(dev[0])
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid=ssid))
    # Uses the DER-encoded copy of the CA certificate (ca.der) rather than
    # the PEM file the other TTLS tests use.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP relies on MD5 (unavailable under FIPS) and altsubject_match is
    # only exercised with an OpenSSL backend.
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    # Same SAN entries as the PAP variant, listed in a different order, to
    # check that entry order does not matter for altsubject_match.
    san_entries = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_entries)
    eap_reauth(dev[0], "TTLS")
813 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
814 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
815 skip_with_fips(dev[0])
816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
817 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
818 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
819 anonymous_identity="ttls", password="wrong",
820 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
822 eap_connect(dev[1], apdev[0], "TTLS", "user",
823 anonymous_identity="ttls", password="password",
824 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
827 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
828 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
829 skip_with_fips(dev[0])
830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
831 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
832 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
833 anonymous_identity="ttls", password="password",
834 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
835 domain_suffix_match="server.w1.fi")
836 hwsim_utils.test_connectivity(dev[0], hapd)
837 eap_reauth(dev[0], "TTLS")
838 dev[0].request("REMOVE_NETWORK all")
839 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
844 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
845 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
846 skip_with_fips(dev[0])
847 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
848 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
849 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
850 anonymous_identity="ttls", password="wrong",
851 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
853 eap_connect(dev[1], apdev[0], "TTLS", "user",
854 anonymous_identity="ttls", password="password",
855 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
857 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
858 anonymous_identity="ttls", password="password",
859 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
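def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string: the identity is in DOMAIN\user form and carries a literal
    # backslash; "\m" is not a valid escape sequence, so it must not be
    # left to the literal parser to (mis)interpret.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side 802.1X/EAPOL MIB counters for this STA before the
    # forced reauthentication so their increase can be checked afterwards.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # An EAPOL-Start arriving while already authenticated is what a client
    # initiated reauthentication looks like from the authenticator side.
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # Same authentication with the password supplied in hashed form
    # ("hash:" prefix) instead of cleartext.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")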
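def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # domain_suffix_match="w1.fi" below is a suffix match rather than a full
    # server-name match; the helper skips on TLS libraries where only the
    # full-match form is supported.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string: the identity is in DOMAIN\user form and carries a literal
    # backslash; "\m" is not a valid escape sequence.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")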
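def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Raw string: the identity is in DOMAIN\user form and carries a literal
    # backslash; "\m" is not a valid escape sequence.
    # domain_match is the full-name variant of the server name check; the
    # mixed-case value presumably exercises case-insensitive comparison
    # against the server.w1.fi name used by the sibling tests — confirm.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")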
919 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
920 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
921 skip_with_fips(dev[0])
922 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
923 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
924 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
925 anonymous_identity="ttls", password="password1",
926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
928 eap_connect(dev[1], apdev[0], "TTLS", "user",
929 anonymous_identity="ttls", password="password",
930 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # dev[0]: the non-ASCII password is passed in cleartext (the file itself
    # is UTF-8 encoded, see the coding line at the top), exercising the
    # non-ASCII handling on the password-to-hash path.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # dev[1]: the same check with the password supplied as a precomputed
    # hash ("hash:" form) instead of cleartext.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "autheap=" (as opposed to "auth=") selects an EAP method, here EAP-GTC,
    # as the inner method tunneled inside TTLS.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # Data path works after the handshake, and a forced reauthentication
    # completes as well.
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
957 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
958 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
959 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
960 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="wrong",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
966 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
967 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
968 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
969 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
970 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
971 anonymous_identity="ttls", password="password",
972 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
975 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
976 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
977 params = int_eap_server_params()
978 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
979 with alloc_fail(hapd, 1, "eap_gtc_init"):
980 eap_connect(dev[0], apdev[0], "TTLS", "user",
981 anonymous_identity="ttls", password="password",
982 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
984 dev[0].request("REMOVE_NETWORK all")
986 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
987 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
988 eap="TTLS", identity="user",
989 anonymous_identity="ttls", password="password",
990 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
991 wait_connect=False, scan_freq="2412")
992 # This would eventually time out, but we can stop after having reached
993 # the allocation failure.
996 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # Skips (HwsimSkip) if the wpa_supplicant build has no EAP-MD5 support.
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-MD5 as the inner EAP method of the TTLS tunnel ("autheap=").
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case: with a wrong inner password the authentication must
    # fail; expect_failure=True tells eap_connect to expect exactly that
    # rather than a successful connection.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case: "user-no-passwd" is presumably a server-side user
    # entry without a configured password (see the EAP server user
    # database), so the client's password cannot match and the
    # authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1030 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1031 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1032 check_eap_capa(dev[0], "MD5")
1033 params = int_eap_server_params()
1034 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1035 with alloc_fail(hapd, 1, "eap_md5_init"):
1036 eap_connect(dev[0], apdev[0], "TTLS", "user",
1037 anonymous_identity="ttls", password="password",
1038 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1039 expect_failure=True)
1040 dev[0].request("REMOVE_NETWORK all")
1042 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1043 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1044 eap="TTLS", identity="user",
1045 anonymous_identity="ttls", password="password",
1046 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1047 wait_connect=False, scan_freq="2412")
1048 # This would eventually time out, but we can stop after having reached
1049 # the allocation failure.
1052 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-MSCHAPv2 as the inner EAP method of the TTLS tunnel ("autheap=").
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    # Negative case on the same AP: a wrong inner password must lead to an
    # authentication failure, not a connection.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case: "user-no-passwd" is presumably a server-side user entry
    # without a configured password, so the authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1083 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1084 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1085 check_eap_capa(dev[0], "MSCHAPV2")
1086 params = int_eap_server_params()
1087 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1088 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1089 eap_connect(dev[0], apdev[0], "TTLS", "user",
1090 anonymous_identity="ttls", password="password",
1091 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1092 expect_failure=True)
1093 dev[0].request("REMOVE_NETWORK all")
1095 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1096 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1097 eap="TTLS", identity="user",
1098 anonymous_identity="ttls", password="password",
1099 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1100 wait_connect=False, scan_freq="2412")
1101 # This would eventually time out, but we can stop after having reached
1102 # the allocation failure.
1105 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1107 dev[0].request("REMOVE_NETWORK all")
1109 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1110 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1111 eap="TTLS", identity="user",
1112 anonymous_identity="ttls", password="password",
1113 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1114 wait_connect=False, scan_freq="2412")
1115 # This would eventually time out, but we can stop after having reached
1116 # the allocation failure.
1119 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1121 dev[0].request("REMOVE_NETWORK all")
1123 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1124 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1125 eap="TTLS", identity="user",
1126 anonymous_identity="ttls", password="wrong",
1127 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1128 wait_connect=False, scan_freq="2412")
1129 # This would eventually time out, but we can stop after having reached
1130 # the allocation failure.
1133 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1135 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-AKA tunneled inside TTLS. The identity is the (simulated) IMSI
    # based permanent identity; the password carries the simulated USIM
    # credentials in Ki:OPc:SQN form rather than a user password.
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-AKA tunneled inside PEAP (PEAP inner methods are always EAP, hence
    # "auth=" here). The password carries the simulated USIM credentials in
    # Ki:OPc:SQN form rather than a user password.
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-AKA tunneled inside EAP-FAST. fast_provisioning=2 allows
    # authenticated PAC provisioning, and the resulting PAC is stored in a
    # config blob (blob://) rather than a file so the run leaves nothing
    # behind on disk.
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: PEAP with EAP-MSCHAPv2 inner method, data path and a forced
    # reauthentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # Same exchange with a small EAP fragment size so the TLS handshake has
    # to be split over multiple EAP fragments.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                fragment_size="200")

    # Password supplied in hashed form ("hash:" prefix) instead of cleartext.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Negative case: a wrong inner password must fail the authentication.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
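def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: the identity is in DOMAIN\user form with a literal
    # backslash. A plain literal only works on Python 2 byte strings; on
    # Python 3 "\u" starts a unicode escape and "\user3" is a syntax error.
    eap_connect(dev[0], apdev[0], "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")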
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Negative case: the wrong inner password must fail the authentication;
    # expect_failure=True makes eap_connect wait for that outcome.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # PEAPv0 crypto binding ties the inner EAP-MSCHAPv2 result to the outer
    # TLS tunnel. crypto_binding=2 makes it mandatory on the client side:
    # a server that does not provide it must be rejected.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # The other two client policies against the same server:
    # crypto_binding=1 uses it if offered, crypto_binding=0 disables it.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peapver=0 crypto_binding=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # int_eap_server_params() (defined elsewhere in this file) sets up the
    # AP with the integrated EAP server so allocation failures can be
    # injected into it.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Make the first allocation in the server's eap_mschapv2_getKey() fail.
    # With crypto binding required, the missing inner-method key material
    # must make the client reject the exchange; local_error_report=True
    # because the failure is presumably detected and reported on the client
    # side rather than signalled by the server — confirm against eap_connect.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1251 def test_ap_wpa2_eap_peap_params(dev, apdev):
1252 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1253 check_eap_capa(dev[0], "MSCHAPV2")
1254 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1255 hostapd.add_ap(apdev[0]['ifname'], params)
1256 eap_connect(dev[0], apdev[0], "PEAP", "user",
1257 anonymous_identity="peap", password="password",
1258 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1259 phase1="peapver=0 peaplabel=1",
1260 expect_failure=True)
1261 dev[0].request("REMOVE_NETWORK all")
1262 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1263 ca_cert="auth_serv/ca.pem",
1264 phase1="peap_outer_success=1",
1265 phase2="auth=MSCHAPV2")
1266 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1267 ca_cert="auth_serv/ca.pem",
1268 phase1="peap_outer_success=2",
1269 phase2="auth=MSCHAPV2")
1270 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1272 anonymous_identity="peap", password="password",
1273 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1274 phase1="peapver=1 peaplabel=1",
1275 wait_connect=False, scan_freq="2412")
1276 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1278 raise Exception("No EAP success seen")
1279 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1281 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-TLS as the inner method of PEAP: the "*2" parameters are the
    # phase-2 (inner) trust root and client credentials, separate from the
    # ca_cert used to validate the outer tunnel.
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Certificate-based mutual authentication: the client presents
    # user.pem/user.key and validates the server against the test CA.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
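def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, data):
        # Push a credential into wpa_supplicant as a named config blob over
        # the control interface (hex encoded, Python 2 str.encode("hex"))
        # instead of referencing a file on disk. The error names the blob
        # that failed so a userkey failure is not misreported as cacert.
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    # read_pem() returns the base64-decoded (DER) body of the PEM file.
    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    # The network block refers to the credentials through the blob:// scheme.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")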
1320 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1321 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1322 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1323 hostapd.add_ap(apdev[0]['ifname'], params)
1324 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1325 private_key="auth_serv/user.pkcs12",
1326 private_key_passwd="whatever")
1327 dev[0].request("REMOVE_NETWORK all")
1328 dev[0].wait_disconnected()
1330 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1331 identity="tls user",
1332 ca_cert="auth_serv/ca.pem",
1333 private_key="auth_serv/user.pkcs12",
1334 wait_connect=False, scan_freq="2412")
1335 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1337 raise Exception("Request for private key passphrase timed out")
1338 id = ev.split(':')[0].split('-')[-1]
1339 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1340 dev[0].wait_connected(timeout=10)
1341 dev[0].request("REMOVE_NETWORK all")
1342 dev[0].wait_disconnected()
1344 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1345 private_key="auth_serv/user2.pkcs12",
1346 private_key_passwd="whatever")
1347 dev[0].request("REMOVE_NETWORK all")
1348 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Trust root as a config blob: read_pem() yields the DER body, which is
    # hex encoded (Python 2 str.encode("hex")) for the control interface.
    cert = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 container (client cert + key) is pushed as raw file bytes.
    with open("auth_serv/user.pkcs12", "rb") as f:
        if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
            raise Exception("Could not set pkcs12 blob")
    # private_key points at the PKCS#12 blob; private_key_passwd unlocks it.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1364 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1365 """WPA2-Enterprise negative test - incorrect trust root"""
1366 check_eap_capa(dev[0], "MSCHAPV2")
1367 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1368 hostapd.add_ap(apdev[0]['ifname'], params)
1369 cert = read_pem("auth_serv/ca-incorrect.pem")
1370 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1371 raise Exception("Could not set cacert blob")
1372 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1373 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1374 password="password", phase2="auth=MSCHAPV2",
1375 ca_cert="blob://cacert",
1376 wait_connect=False, scan_freq="2412")
1377 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1378 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1379 password="password", phase2="auth=MSCHAPV2",
1380 ca_cert="auth_serv/ca-incorrect.pem",
1381 wait_connect=False, scan_freq="2412")
1383 for dev in (dev[0], dev[1]):
1384 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1386 raise Exception("Association and EAP start timed out")
1388 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1390 raise Exception("EAP method selection timed out")
1391 if "TTLS" not in ev:
1392 raise Exception("Unexpected EAP method")
1394 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1395 "CTRL-EVENT-EAP-SUCCESS",
1396 "CTRL-EVENT-EAP-FAILURE",
1397 "CTRL-EVENT-CONNECTED",
1398 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1400 raise Exception("EAP result timed out")
1401 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1402 raise Exception("TLS certificate error not reported")
1404 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1405 "CTRL-EVENT-EAP-FAILURE",
1406 "CTRL-EVENT-CONNECTED",
1407 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1409 raise Exception("EAP result(2) timed out")
1410 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1411 raise Exception("EAP failure not reported")
1413 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1414 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1416 raise Exception("EAP result(3) timed out")
1417 if "CTRL-EVENT-DISCONNECTED" not in ev:
1418 raise Exception("Disconnection not reported")
1420 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1422 raise Exception("Network block disabling not reported")
1424 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1425 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1426 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1427 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1428 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1429 identity="pap user", anonymous_identity="ttls",
1430 password="password", phase2="auth=PAP",
1431 ca_cert="auth_serv/ca.pem",
1432 wait_connect=True, scan_freq="2412")
1433 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1434 identity="pap user", anonymous_identity="ttls",
1435 password="password", phase2="auth=PAP",
1436 ca_cert="auth_serv/ca-incorrect.pem",
1437 only_add_network=True, scan_freq="2412")
1439 dev[0].request("DISCONNECT")
1440 dev[0].wait_disconnected()
1441 dev[0].dump_monitor()
1442 dev[0].select_network(id, freq="2412")
1444 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1446 raise Exception("EAP-TTLS not re-started")
1448 ev = dev[0].wait_disconnected(timeout=15)
1449 if "reason=23" not in ev:
1450 raise Exception("Proper reason code for disconnection not reported")
1452 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1453 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1454 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1455 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1456 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1457 identity="pap user", anonymous_identity="ttls",
1458 password="password", phase2="auth=PAP",
1459 wait_connect=True, scan_freq="2412")
1460 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1461 identity="pap user", anonymous_identity="ttls",
1462 password="password", phase2="auth=PAP",
1463 ca_cert="auth_serv/ca-incorrect.pem",
1464 only_add_network=True, scan_freq="2412")
1466 dev[0].request("DISCONNECT")
1467 dev[0].wait_disconnected()
1468 dev[0].dump_monitor()
1469 dev[0].select_network(id, freq="2412")
1471 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1473 raise Exception("EAP-TTLS not re-started")
1475 ev = dev[0].wait_disconnected(timeout=15)
1476 if "reason=23" not in ev:
1477 raise Exception("Proper reason code for disconnection not reported")
1479 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1480 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1481 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1482 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1483 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1484 identity="pap user", anonymous_identity="ttls",
1485 password="password", phase2="auth=PAP",
1486 ca_cert="auth_serv/ca.pem",
1487 wait_connect=True, scan_freq="2412")
1488 dev[0].request("DISCONNECT")
1489 dev[0].wait_disconnected()
1490 dev[0].dump_monitor()
1491 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1492 dev[0].select_network(id, freq="2412")
1494 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1496 raise Exception("EAP-TTLS not re-started")
1498 ev = dev[0].wait_disconnected(timeout=15)
1499 if "reason=23" not in ev:
1500 raise Exception("Proper reason code for disconnection not reported")
1502 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1503 """WPA2-Enterprise negative test - domain suffix mismatch"""
1504 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1505 hostapd.add_ap(apdev[0]['ifname'], params)
1506 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1507 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1508 password="password", phase2="auth=MSCHAPV2",
1509 ca_cert="auth_serv/ca.pem",
1510 domain_suffix_match="incorrect.example.com",
1511 wait_connect=False, scan_freq="2412")
1513 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1515 raise Exception("Association and EAP start timed out")
1517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1519 raise Exception("EAP method selection timed out")
1520 if "TTLS" not in ev:
1521 raise Exception("Unexpected EAP method")
1523 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1524 "CTRL-EVENT-EAP-SUCCESS",
1525 "CTRL-EVENT-EAP-FAILURE",
1526 "CTRL-EVENT-CONNECTED",
1527 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1529 raise Exception("EAP result timed out")
1530 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1531 raise Exception("TLS certificate error not reported")
1532 if "Domain suffix mismatch" not in ev:
1533 raise Exception("Domain suffix mismatch not reported")
1535 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1536 "CTRL-EVENT-EAP-FAILURE",
1537 "CTRL-EVENT-CONNECTED",
1538 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1540 raise Exception("EAP result(2) timed out")
1541 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1542 raise Exception("EAP failure not reported")
1544 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1545 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1547 raise Exception("EAP result(3) timed out")
1548 if "CTRL-EVENT-DISCONNECTED" not in ev:
1549 raise Exception("Disconnection not reported")
1551 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1553 raise Exception("Network block disabling not reported")
1555 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1556 """WPA2-Enterprise negative test - domain mismatch

Connects dev[0] with EAP-TTLS/MSCHAPv2 while requiring
domain_match="w1.fi" and expects the supplicant to reject the server
certificate: a CTRL-EVENT-EAP-TLS-CERT-ERROR that names the domain
mismatch, then EAP failure, disconnection and a temporary disabling of
the network block. Raises Exception on any missing or unexpected event.
"""
# Default WPA2-Enterprise AP backed by hostapd's integrated EAP server.
1557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1558 hostapd.add_ap(apdev[0]['ifname'], params)
# The CA is trusted but the certificate's domain must match "w1.fi". The
# point of the checks below is that the TLS tunnel is torn down before the
# MSCHAPv2 inner authentication runs, i.e. no password-derived response is
# ever sent to a server that failed validation.
# NOTE(review): "\m" is not a valid Python escape; the backslash survives
# literally, but newer interpreters warn about it. "DOMAIN\\mschapv2 user"
# has the same value and is explicit.
1559 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1560 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1561 password="password", phase2="auth=MSCHAPV2",
1562 ca_cert="auth_serv/ca.pem",
1563 domain_match="w1.fi",
1564 wait_connect=False, scan_freq="2412")
# NOTE(review): in the upstream source every wait_event() below is followed
# by an "if ev is None:" guard around the raise; those guard lines are not
# present in this listing -- confirm against the original file.
1566 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1568 raise Exception("Association and EAP start timed out")
1570 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1572 raise Exception("EAP method selection timed out")
1573 if "TTLS" not in ev:
1574 raise Exception("Unexpected EAP method")
# The first result event must be the certificate error, not SUCCESS or
# CONNECTED -- any of those would mean the mismatch was silently accepted.
1576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1577 "CTRL-EVENT-EAP-SUCCESS",
1578 "CTRL-EVENT-EAP-FAILURE",
1579 "CTRL-EVENT-CONNECTED",
1580 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1582 raise Exception("EAP result timed out")
1583 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1584 raise Exception("TLS certificate error not reported")
1585 if "Domain mismatch" not in ev:
1586 raise Exception("Domain mismatch not reported")
# After the certificate error the method must fail outright.
1588 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1589 "CTRL-EVENT-EAP-FAILURE",
1590 "CTRL-EVENT-CONNECTED",
1591 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1593 raise Exception("EAP result(2) timed out")
1594 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1595 raise Exception("EAP failure not reported")
1597 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1598 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1600 raise Exception("EAP result(3) timed out")
1601 if "CTRL-EVENT-DISCONNECTED" not in ev:
1602 raise Exception("Disconnection not reported")
# A persistent authentication failure should temporarily disable the
# network block so the supplicant does not retry in a tight loop.
1604 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1606 raise Exception("Network block disabling not reported")
1608 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1609 """WPA2-Enterprise negative test - subject mismatch

Connects dev[0] with EAP-TTLS/MSCHAPv2 and a subject_match that the
server certificate is not expected to satisfy. On OpenSSL builds the
supplicant must report a TLS certificate error mentioning "Subject
mismatch", fail EAP, disconnect and temporarily disable the network.
Builds whose TLS library does not implement subject_match are expected to
refuse to initialize the method at all, which the test also accepts.
Raises Exception on any missing or unexpected event.
"""
1610 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1611 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): "\m" is not a valid Python escape; the value is kept with a
# literal backslash but newer interpreters warn. "DOMAIN\\mschapv2 user" is
# the explicit spelling with the same value.
1612 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1613 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1614 password="password", phase2="auth=MSCHAPV2",
1615 ca_cert="auth_serv/ca.pem",
1616 subject_match="/C=FI/O=w1.fi/CN=example.com",
1617 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those guard lines are absent from this listing -- confirm.
1619 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1621 raise Exception("Association and EAP start timed out")
1623 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1624 "EAP: Failed to initialize EAP method"], timeout=10)
1626 raise Exception("EAP method selection timed out")
# Fail-closed path: a TLS library without subject_match support must not
# silently ignore the constraint; refusing to initialize the method is the
# acceptable outcome there, but with OpenSSL it is a bug.
1627 if "EAP: Failed to initialize EAP method" in ev:
1628 tls = dev[0].request("GET tls_library")
1629 if tls.startswith("OpenSSL"):
1630 raise Exception("Failed to select EAP method")
1631 logger.info("subject_match not supported - connection failed, so test succeeded")
# NOTE(review): upstream returns here after the log line; the "return" is
# not in this listing -- without it the checks below would run on the
# initialization-failure event and raise.
1633 if "TTLS" not in ev:
1634 raise Exception("Unexpected EAP method")
1636 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1637 "CTRL-EVENT-EAP-SUCCESS",
1638 "CTRL-EVENT-EAP-FAILURE",
1639 "CTRL-EVENT-CONNECTED",
1640 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1642 raise Exception("EAP result timed out")
1643 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1644 raise Exception("TLS certificate error not reported")
1645 if "Subject mismatch" not in ev:
1646 raise Exception("Subject mismatch not reported")
# The certificate error must be followed by EAP failure, not success: the
# inner MSCHAPv2 exchange must never run over a tunnel that failed
# validation.
1648 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1649 "CTRL-EVENT-EAP-FAILURE",
1650 "CTRL-EVENT-CONNECTED",
1651 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1653 raise Exception("EAP result(2) timed out")
1654 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1655 raise Exception("EAP failure not reported")
1657 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1658 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1660 raise Exception("EAP result(3) timed out")
1661 if "CTRL-EVENT-DISCONNECTED" not in ev:
1662 raise Exception("Disconnection not reported")
1664 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1666 raise Exception("Network block disabling not reported")
1668 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1669 """WPA2-Enterprise negative test - altsubject mismatch

Brings up one WPA2-Enterprise AP and runs the altsubject_match negative
case (_test_ap_wpa2_eap_tls_neg_altsubject_match) once per entry in
`tests`, each entry being an altsubject_match value the server
certificate is not expected to satisfy.
"""
1670 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1671 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): this listing shows only the first two match patterns and
# not the "for match in tests:" line that drives the call below -- the
# upstream list has further entries; confirm against the original file.
1673 tests = [ "incorrect.example.com",
1674 "DNS:incorrect.example.com",
1678 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1680 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
"""Run one altsubject_match negative case against the already-started AP.

Connects dev[0] with EAP-TTLS/MSCHAPv2 using `match` as altsubject_match
and expects the server certificate to be rejected: a TLS certificate
error mentioning "AltSubject mismatch", EAP failure, disconnection and
temporary disabling of the network block. Builds whose TLS library lacks
altsubject_match are accepted if they refuse to initialize the method.
Removes all network blocks at the end. Raises Exception otherwise.
"""
# NOTE(review): "\m" is not a valid Python escape; newer interpreters warn.
# "DOMAIN\\mschapv2 user" is the explicit spelling with the same value.
1681 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1682 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1683 password="password", phase2="auth=MSCHAPV2",
1684 ca_cert="auth_serv/ca.pem",
1685 altsubject_match=match,
1686 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those guard lines are absent from this listing -- confirm.
1688 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1690 raise Exception("Association and EAP start timed out")
1692 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1693 "EAP: Failed to initialize EAP method"], timeout=10)
1695 raise Exception("EAP method selection timed out")
# Fail-closed: an unsupported altsubject_match must abort method setup
# rather than be ignored. With OpenSSL the constraint is supported, so a
# setup failure there is an error.
1696 if "EAP: Failed to initialize EAP method" in ev:
1697 tls = dev[0].request("GET tls_library")
1698 if tls.startswith("OpenSSL"):
1699 raise Exception("Failed to select EAP method")
1700 logger.info("altsubject_match not supported - connection failed, so test succeeded")
# NOTE(review): upstream returns after the log line above; the "return"
# is not in this listing -- confirm.
1702 if "TTLS" not in ev:
1703 raise Exception("Unexpected EAP method")
1705 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1706 "CTRL-EVENT-EAP-SUCCESS",
1707 "CTRL-EVENT-EAP-FAILURE",
1708 "CTRL-EVENT-CONNECTED",
1709 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1711 raise Exception("EAP result timed out")
1712 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1713 raise Exception("TLS certificate error not reported")
1714 if "AltSubject mismatch" not in ev:
1715 raise Exception("altsubject mismatch not reported")
# The tunnel must fail before the inner MSCHAPv2 credentials are used.
1717 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1718 "CTRL-EVENT-EAP-FAILURE",
1719 "CTRL-EVENT-CONNECTED",
1720 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1722 raise Exception("EAP result(2) timed out")
1723 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1724 raise Exception("EAP failure not reported")
1726 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1727 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1729 raise Exception("EAP result(3) timed out")
1730 if "CTRL-EVENT-DISCONNECTED" not in ev:
1731 raise Exception("Disconnection not reported")
1733 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1735 raise Exception("Network block disabling not reported")
# Clean up so the next pattern in the caller's loop starts from scratch.
1737 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS.

    Starts an AP with the default WPA2-Enterprise parameters, connects
    dev[0] with the UNAUTH-TLS method (server certificate checked against
    auth_serv/ca.pem; no client credential is configured here) and then
    forces a reauthentication to confirm the session can be re-established.
    """
    ap = apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap['ifname'], ap_params)
    # Only a CA is given on the station side, so TLS authenticates the
    # server alone in this exchange.
    eap_connect(dev[0], ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
1747 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1748 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

Three phases: (1) ca_cert="probe://" makes the supplicant report the
server certificate (CTRL-EVENT-EAP-PEER-CERT depth=0 with its SHA-256
hash) and then abort with a "Server certificate chain probe" error;
(2) pinning a wrong SHA-256 hash must yield "Server certificate
mismatch"; (3) pinning the hash learned in phase 1 must connect.
Raises Exception on any missing or unexpected event.
"""
1749 check_cert_probe_support(dev[0])
# Presumably the probe/hash mode is not exercised on FIPS builds -- the
# reason is not visible here.
1750 skip_with_fips(dev[0])
# Expected SHA-256 of the test server certificate. hash://server/sha256/
# pinning bypasses CA validation entirely, so in real deployments this
# value must be obtained out of band rather than from a probe over the
# air.
1751 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1752 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1753 hostapd.add_ap(apdev[0]['ifname'], params)
# Phase 1: certificate probe. No inner credentials are configured, so
# nothing sensitive is sent even though the server is unverified.
1754 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1755 identity="probe", ca_cert="probe://",
1756 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines are absent from this listing -- confirm.
1757 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1759 raise Exception("Association and EAP start timed out")
1760 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1762 raise Exception("No peer server certificate event seen")
1763 if "hash=" + srv_cert_hash not in ev:
1764 raise Exception("Expected server certificate hash not reported")
# The probe must not complete authentication; it ends in a cert error.
1765 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1767 raise Exception("EAP result timed out")
1768 if "Server certificate chain probe" not in ev:
1769 raise Exception("Server certificate probe not reported")
1770 dev[0].wait_disconnected(timeout=10)
1771 dev[0].request("REMOVE_NETWORK all")
# Phase 2: wrong pin. The connection must fail before the MSCHAPv2 inner
# authentication runs.
# NOTE(review): "\m" is not a valid Python escape; newer interpreters warn.
# "DOMAIN\\mschapv2 user" is the explicit spelling with the same value.
1773 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1774 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1775 password="password", phase2="auth=MSCHAPV2",
1776 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1777 wait_connect=False, scan_freq="2412")
1778 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1780 raise Exception("Association and EAP start timed out")
1781 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1783 raise Exception("EAP result timed out")
1784 if "Server certificate mismatch" not in ev:
1785 raise Exception("Server certificate mismatch not reported")
1786 dev[0].wait_disconnected(timeout=10)
1787 dev[0].request("REMOVE_NETWORK all")
# Phase 3: correct pin; eap_connect raises if authentication fails.
1789 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1790 anonymous_identity="ttls", password="password",
1791 ca_cert="hash://server/sha256/" + srv_cert_hash,
1792 phase2="auth=MSCHAPV2")
1794 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1795 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# Three malformed hash://server/ pins are configured on three stations:
#   dev[0]: "md5" as the hash algorithm (only sha256 is acceptable),
#   dev[1]: a sha256 value that is two hex digits short,
#   dev[2]: a sha256 value containing a non-hex character ('Q').
# Each must be rejected at EAP method initialization, i.e. before any
# TLS handshake starts -- a malformed pin must never degrade to "no
# pinning". Raises Exception if a station does not report the init
# failure.
1796 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1797 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): "\m" is not a valid Python escape; newer interpreters warn.
# "DOMAIN\\mschapv2 user" is the explicit spelling with the same value.
1798 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1799 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1800 password="password", phase2="auth=MSCHAPV2",
1801 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1802 wait_connect=False, scan_freq="2412")
1803 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1804 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1805 password="password", phase2="auth=MSCHAPV2",
1806 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1807 wait_connect=False, scan_freq="2412")
1808 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1809 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1810 password="password", phase2="auth=MSCHAPV2",
1811 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1812 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines are absent from this listing -- confirm.
1813 for i in range(0, 3):
1814 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1816 raise Exception("Association and EAP start timed out")
# Method 21 is EAP-TTLS; the failure must come from the method's own
# config validation.
1817 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1819 raise Exception("Did not report EAP method initialization failure")
1821 def test_ap_wpa2_eap_pwd(dev, apdev):
1822 """WPA2-Enterprise connection using EAP-pwd

Positive case on dev[0] with reauthentication, a connection from dev[1]
with a very long NAI identity, a wrong-password negative case on dev[2]
(expected to fail with a locally reported error), and a final long
identity connection on dev[0]. eap_connect raises on an unexpected
outcome.
"""
1823 check_eap_capa(dev[0], "PWD")
1824 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1825 hostapd.add_ap(apdev[0]['ifname'], params)
1826 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1827 eap_reauth(dev[0], "PWD")
1828 dev[0].request("REMOVE_NETWORK all")
# Long identity: exercises EAP-pwd identity handling with an oversized
# NAI.
# NOTE(review): the remaining keyword argument(s) and the closing
# parenthesis of this call are not in this listing (upstream passes a
# fragment_size here) -- confirm against the original file.
1830 eap_connect(dev[1], apdev[0], "PWD",
1831 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1832 password="secret password",
# A wrong password must fail the exchange; EAP-pwd is a password-
# authenticated key exchange, so the failure surfaces locally rather than
# as a server-side reject.
1835 logger.info("Negative test with incorrect password")
1836 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1837 expect_failure=True, local_error_report=True)
# NOTE(review): as above, the tail of this call is missing from the
# listing.
1839 eap_connect(dev[0], apdev[0], "PWD",
1840 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1841 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash.

    The "pwd-hash" user is provisioned with a password hash on the server
    side. dev[0] authenticates with the plaintext password, dev[1] with the
    same credential given as an NT hash (password_hex="hash:..."), and
    dev[2] must fail when that hash is presented for the "pwd user"
    account, whose credential it does not match. eap_connect raises on an
    unexpected outcome.
    """
    check_eap_capa(dev[0], "PWD")
    # NT-hash credentials are skipped on FIPS builds (presumably because the
    # hash is MD4-based -- not visible here).
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    # Same hash, wrong account: the PAKE must fail and report it locally.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups.

    Re-creates the AP once per pwd_group value (19, 20, 21, 25, 26 -- IKE
    group numbers; presumably the NIST prime curves) and connects dev[0]
    with EAP-pwd against each. eap_connect raises if a group fails.
    """
    check_eap_capa(dev[0], "PWD")
    ap = apdev[0]
    base_params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
    }
    for group in (19, 20, 21, 25, 26):
        ap_params = dict(base_params, pwd_group=str(group))
        hostapd.add_ap(ap['ifname'], ap_params)
        # Forget the previous round's network block so a cached profile
        # cannot satisfy this round's connect.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], ap, "PWD", "pwd user", password="secret password")
1869 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1870 """WPA2-Enterprise connection using invalid EAP-pwd group

The AP advertises pwd_group 0, which is not a usable group; the client
must reject the exchange and report CTRL-EVENT-EAP-FAILURE instead of
proceeding with an undefined group. Raises Exception on timeout.
"""
1871 check_eap_capa(dev[0], "PWD")
1872 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1873 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1874 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group 0 is deliberately invalid.
1875 params['pwd_group'] = "0"
1876 hostapd.add_ap(apdev[0]['ifname'], params)
1877 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1878 identity="pwd user", password="secret password",
1879 scan_freq="2412", wait_connect=False)
# No explicit timeout: wait_event's default applies.
# NOTE(review): upstream guards the raise with "if ev is None:"; that line
# is absent from this listing -- confirm.
1880 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1882 raise Exception("Timeout on EAP failure report")
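def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation.

    The AP uses pwd_group 19 and a deliberately small fragment_size (40)
    so the integrated EAP server must split the EAP-pwd messages into
    several fragments; dev[0] has to reassemble them and still
    authenticate. eap_connect raises on failure.
    """
    check_eap_capa(dev[0], "PWD")
    # The original also called hostapd.wpa2_eap_params() here and then
    # discarded the result -- a dead assignment, dropped (assuming that
    # helper has no side effects beyond building the dict).
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "pwd_group": "19",
        "fragment_size": "40",
    }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")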
1895 def test_ap_wpa2_eap_gpsk(dev, apdev):
1896 """WPA2-Enterprise connection using EAP-GPSK

Connects dev[0] with EAP-GPSK and a 32-character pre-shared key, forces
reauthentication, then drives cipher selection through phase1:
cipher=1 and cipher=2 must each renegotiate successfully, cipher=9 must
fail, and finally a wrong key must be rejected. Raises Exception on any
missing event.
"""
1897 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1898 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): `id` shadows the builtin; a name like `netid` would be
# clearer.
1899 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1900 password="abcdefghijklmnop0123456789abcdef")
1901 eap_reauth(dev[0], "GPSK")
# Changing phase1 on the live network block apparently triggers a new
# EAP exchange, which the waits below rely on.
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines are absent from this listing -- confirm.
1903 logger.info("Test forced algorithm selection")
1904 for phase1 in [ "cipher=1", "cipher=2" ]:
1905 dev[0].set_network_quoted(id, "phase1", phase1)
1906 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1908 raise Exception("EAP success timed out")
1909 dev[0].wait_connected(timeout=10)
# Unknown cipher id: negotiation must fail rather than fall back.
1911 logger.info("Test failed algorithm negotiation")
1912 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1913 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1915 raise Exception("EAP failure timed out")
# Key differs from the valid one only in its first two characters.
1917 logger.info("Negative test with incorrect password")
1918 dev[0].request("REMOVE_NETWORK all")
1919 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1920 password="ffcdefghijklmnop0123456789abcdef",
1921 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE.

    dev[0] authenticates with the 32-byte hex root secret of "sake user",
    reauthenticates, and is then reconnected with a secret whose first
    byte differs; that attempt must fail. eap_connect raises on an
    unexpected outcome.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
1937 def test_ap_wpa2_eap_eke(dev, apdev):
1938 """WPA2-Enterprise connection using EAP-EKE

Connects dev[0] with EAP-EKE, reauthenticates, then forces several
dhgroup/encr/prf/mac combinations through phase1 (each must succeed),
an all-invalid combination (must fail), and finally a wrong password
(must fail). Raises Exception on any missing event.
"""
1939 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1940 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): `id` shadows the builtin.
1941 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1942 eap_reauth(dev[0], "EKE")
# Changing phase1 on the live network block apparently triggers a fresh
# EAP exchange, which the waits below rely on.
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines are absent from this listing -- confirm.
1944 logger.info("Test forced algorithm selection")
1945 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1946 "dhgroup=4 encr=1 prf=2 mac=2",
1947 "dhgroup=3 encr=1 prf=2 mac=2",
1948 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1949 dev[0].set_network_quoted(id, "phase1", phase1)
1950 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1952 raise Exception("EAP success timed out")
1953 dev[0].wait_connected(timeout=10)
# Every proposal value unknown: negotiation must fail, not fall back.
1955 logger.info("Test failed algorithm negotiation")
1956 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1957 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1959 raise Exception("EAP failure timed out")
1961 logger.info("Negative test with incorrect password")
1962 dev[0].request("REMOVE_NETWORK all")
1963 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1964 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI.

    Configures the integrated EAP server with an NAI-form server_id and
    checks that dev[0] can still complete EAP-EKE against it. eap_connect
    raises on failure.
    """
    ap = apdev[0]
    srv_params = int_eap_server_params()
    # Server identity in user@realm form rather than a bare host name.
    srv_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(ap['ifname'], srv_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
1973 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1974 """WPA2-Enterprise connection using EAP-EKE with server OOM

Injects allocation failures into hostapd's EAP-EKE server code (via
alloc_fail) at a set of call sites and counts, and checks that the
server fails the exchange cleanly instead of crashing or completing an
authentication with a half-initialized state. A final sweep injects a
failure into eap_server_sm_step at increasing counts until no failure
triggers.
"""
1975 params = int_eap_server_params()
1976 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1977 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Failures in the commit/confirm/identity handlers: the client must see
# an EAP failure (expect_failure=True).
1979 for count,func in [ (1, "eap_eke_build_commit"),
1980 (2, "eap_eke_build_commit"),
1981 (3, "eap_eke_build_commit"),
1982 (1, "eap_eke_build_confirm"),
1983 (2, "eap_eke_build_confirm"),
1984 (1, "eap_eke_process_commit"),
1985 (2, "eap_eke_process_commit"),
1986 (1, "eap_eke_process_confirm"),
1987 (1, "eap_eke_process_identity"),
1988 (2, "eap_eke_process_identity"),
1989 (3, "eap_eke_process_identity"),
1990 (4, "eap_eke_process_identity") ]:
1991 with alloc_fail(hapd, count, func):
1992 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1993 expect_failure=True)
1994 dev[0].request("REMOVE_NETWORK all")
# Failures where no EAP result is expected within the test's patience:
# just wait until the injected failure has been consumed.
1996 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1997 (1, "eap_eke_get_session_id", "hello"),
1998 (1, "eap_eke_getKey", "hello"),
1999 (1, "eap_eke_build_msg", "hello"),
2000 (1, "eap_eke_build_failure", "wrong"),
2001 (1, "eap_eke_build_identity", "hello"),
2002 (2, "eap_eke_build_identity", "hello") ]:
2003 with alloc_fail(hapd, count, func):
2004 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2005 eap="EKE", identity="eke user", password=pw,
2006 wait_connect=False, scan_freq="2412")
2007 # This would eventually time out, but we can stop after having
2008 # reached the allocation failure.
# NOTE(review): the polling loop around this check (and its "break") is
# not in this listing -- upstream polls GET_ALLOC_FAIL with a short sleep
# until the count reaches 0; confirm against the original file.
2011 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2013 dev[0].request("REMOVE_NETWORK all")
# Sweep the generic server state machine step. `pw` is not rebound here:
# it is the leftover loop variable from the list above ("hello" from its
# last tuple), which is fragile -- binding it explicitly would be clearer.
# NOTE(review): the "try:" that pairs with the "except" below, the polling
# loop, and the "break"/"raise" that end the sweep are not in this listing.
2015 for count in range(1, 1000):
2017 with alloc_fail(hapd, count, "eap_server_sm_step"):
2018 dev[0].connect("test-wpa2-eap",
2019 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2020 eap="EKE", identity="eke user", password=pw,
2021 wait_connect=False, scan_freq="2412")
2022 # This would eventually time out, but we can stop after having
2023 # reached the allocation failure.
2026 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2028 dev[0].request("REMOVE_NETWORK all")
# Python 2 except syntax; "except Exception as e:" is the portable form.
2029 except Exception, e:
# alloc_fail raises this once `count` exceeds the number of allocations
# the step makes, i.e. the sweep is complete. Too early an end would mean
# the sweep covered too little.
2030 if str(e) == "Allocation failure did not trigger":
2032 raise Exception("Too few allocation failures")
2033 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2.

    dev[0] authenticates with EAP-IKEv2 and reauthenticates, is then
    reconnected with a small client-side fragment_size, and finally must
    fail with a wrong password. eap_connect raises on an unexpected
    outcome.
    """
    check_eap_capa(dev[0], "IKEV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def attempt(password, **extra):
        # All three connections differ only in password and extra options.
        eap_connect(dev[0], ap, "IKEV2", "ikev2 user",
                    password=password, **extra)

    attempt("ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    # Force the client to fragment its EAP-IKEv2 messages.
    attempt("ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    attempt("ike-password", expect_failure=True)
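def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation.

    The integrated EAP server is given a small fragment_size (50) so it has
    to fragment its EAP-IKEv2 messages; dev[0] must reassemble them,
    authenticate and then reauthenticate. eap_connect raises on failure.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The original also called hostapd.wpa2_eap_params() here and then
    # discarded the result -- a dead assignment, dropped (assuming that
    # helper has no side effects beyond building the dict).
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "fragment_size": "50",
    }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")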
2067 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2068 """WPA2-Enterprise connection using EAP-IKEv2 and OOM

Injects allocation failures (alloc_fail) and a forced failure of the
random-number source (fail_test on os_get_random called from dh_init)
into the supplicant's Diffie-Hellman code during EAP-IKEv2 and checks
that the method is still selected and the injected failure is consumed,
i.e. the peer handles the error path instead of crashing or continuing
with an uninitialized DH value.
"""
2069 check_eap_capa(dev[0], "IKEV2")
2070 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2071 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): this list has a third entry upstream that is not in this
# listing -- confirm.
2073 tests = [ (1, "dh_init"),
2075 (1, "dh_derive_shared") ]
2076 for count, func in tests:
2077 with alloc_fail(dev[0], count, func):
2078 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2079 identity="ikev2 user", password="ike password",
2080 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines, and the short polling loop with "break" around the
# GET_ALLOC_FAIL / GET_FAIL checks, are absent from this listing.
2081 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2083 raise Exception("EAP method not selected")
# "0:" in the status means the injected failure count has been consumed.
2085 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2088 dev[0].request("REMOVE_NETWORK all")
# RNG failure while generating the DH private value: the exchange must
# not proceed with whatever was left in the buffer.
2090 tests = [ (1, "os_get_random;dh_init") ]
2091 for count, func in tests:
2092 with fail_test(dev[0], count, func):
2093 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2094 identity="ikev2 user", password="ike password",
2095 wait_connect=False, scan_freq="2412")
2096 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2098 raise Exception("EAP method not selected")
2100 if "0:" in dev[0].request("GET_FAIL"):
2103 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX.

    dev[0] authenticates with the 16-byte hex key of pax.user@example.com,
    reauthenticates, and is then reconnected with a key whose first byte
    differs; that attempt must fail. eap_connect raises on an unexpected
    outcome.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    user = "pax.user@example.com"
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(dev[0], ap, "PAX", user, password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PAX", user, password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK.

    The AP requires the SHA-256 AKM (WPA-EAP-SHA256) and PMF
    (ieee80211w=2). dev[0] authenticates with EAP-PSK, reauthenticates,
    and the MIB must show AKM selector 00-0f-ac-5 both requested and
    selected, with the BSS table flagging [WPA2-EAP-SHA256-CCMP]. A wrong
    key must then fail. Raises Exception on any mismatch.
    """
    ap = apdev[0]
    user = "psk.user@example.com"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based AKM and mandatory management frame protection.
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(ap['ifname'], ap_params)

    eap_connect(dev[0], ap, "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    akm_sha256 = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_sha256),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_sha256)])

    bss = dev[0].get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2143 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2144 """WPA2-Enterprise connection using EAP-PSK and OOM

Injects allocation failures into the supplicant's AES-EAX / OMAC1 / AES
block primitives used by EAP-PSK and checks that the method is still
selected and the injected failure is consumed; a failure in
aes_128_encrypt_block must surface as an explicit EAP failure. The
point is that a crypto primitive failing under memory pressure aborts
the exchange rather than producing an unauthenticated or partially
encrypted message.
"""
2145 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2146 hostapd.add_ap(apdev[0]['ifname'], params)
# "inner;outer" targets an allocation in `inner` only when called from
# `outer`; "=func" targets `func` itself.
2147 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2148 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2149 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2150 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2151 (1, "=aes_128_eax_encrypt"),
2152 (1, "omac1_aes_vector"),
2153 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2154 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2155 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2156 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2157 (1, "=aes_128_eax_decrypt") ]
2158 for count, func in tests:
2159 with alloc_fail(dev[0], count, func):
2160 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2161 identity="psk.user@example.com",
2162 password_hex="0123456789abcdef0123456789abcdef",
2163 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:",
# and the GET_ALLOC_FAIL check sits inside a short polling loop with a
# "break"; those lines are absent from this listing -- confirm.
2164 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2166 raise Exception("EAP method not selected")
# "0:" means the injected failure count has been consumed.
2168 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2171 dev[0].request("REMOVE_NETWORK all")
# The block-cipher primitive failing must produce a visible EAP failure.
2173 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2174 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2175 identity="psk.user@example.com",
2176 password_hex="0123456789abcdef0123456789abcdef",
2177 wait_connect=False, scan_freq="2412")
2178 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2180 raise Exception("EAP method failure not reported")
2181 dev[0].request("REMOVE_NETWORK all")
2183 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2184 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

Legacy WPA (version 1) Enterprise AP: dev[0] connects with PEAP /
EAP-MSCHAPv2, data connectivity and reauthentication are checked, the
MIB must report the WPA (00-50-f2-1) 802.1X AKM, and STATUS-VERBOSE
must expose portControl=Auto and an eap_session_id beginning with the
PEAP EAP type (0x19 = 25). Raises Exception on any mismatch.
"""
2185 check_eap_capa(dev[0], "MSCHAPV2")
# WPA1 (TKIP-era) parameters; kept for backward compatibility only.
2186 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2187 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the last argument line of this call (scan_freq="2412")
# is not in this listing -- confirm.
2188 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2189 identity="user", password="password", phase2="auth=MSCHAPV2",
2190 ca_cert="auth_serv/ca.pem", wait_connect=False,
# rsn=False: expect the WPA IE, not the RSN IE, in this exchange.
2192 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2193 hwsim_utils.test_connectivity(dev[0], hapd)
2194 eap_reauth(dev[0], "PEAP", rsn=False)
2195 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2196 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2197 status = dev[0].get_status(extra="VERBOSE")
2198 if 'portControl' not in status:
2199 raise Exception("portControl missing from STATUS-VERBOSE")
2200 if status['portControl'] != 'Auto':
2201 raise Exception("Unexpected portControl value: " + status['portControl'])
2202 if 'eap_session_id' not in status:
2203 raise Exception("eap_session_id missing from STATUS-VERBOSE")
# Session-Id starts with the EAP type byte; "19" is PEAP.
2204 if not status['eap_session_id'].startswith("19"):
2205 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2207 def test_ap_wpa2_eap_interactive(dev, apdev):
2208 """WPA2-Enterprise connection using interactive identity/password entry

Runs several TTLS/PEAP configurations that leave the identity and/or
password out of the network block, so the supplicant has to ask for
them through CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or CTRL-REQ-OTP)
and the test answers with the matching CTRL-RSP-* command. Each case
must end connected. Raises Exception on a missing request.
"""
2209 check_eap_capa(dev[0], "MSCHAPV2")
2210 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2211 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): `hapd` is never used below.
2212 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Tuple layout: (description, eap, anonymous_identity, identity, phase2,
# identity to supply on request or None, password to supply on request).
# NOTE(review): the first tuple's last line (req_id, req_pw) is missing
# from this listing -- confirm.
# NOTE(review): "\m" is not a valid Python escape; newer interpreters
# warn. "DOMAIN\\mschapv2 user" is the explicit spelling with the same
# value.
2214 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2215 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2217 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2218 "TTLS", "ttls", None, "auth=MSCHAPV2",
2219 "DOMAIN\mschapv2 user", "password"),
2220 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2221 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2222 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2223 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2224 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2225 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2226 ("Connection with dynamic PEAP/EAP-GTC password entry",
2227 "PEAP", None, "user", "auth=GTC", None, "password") ]
2228 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
# The network block deliberately omits the password (and, where req_id
# is set, the identity) so the request/response path is exercised.
2230 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2231 anonymous_identity=anon, identity=identity,
2232 ca_cert="auth_serv/ca.pem", phase2=phase2,
2233 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream runs the identity request/response only under
# "if req_id:" and guards each raise with "if ev is None:"; those lines
# are absent from this listing -- confirm. As listed, req_id=None would
# fail the string concatenation below.
2235 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2237 raise Exception("Request for identity timed out")
# Request id is the trailing field of "CTRL-REQ-IDENTITY-<id>:...".
# NOTE(review): `id` and `type` shadow builtins.
2238 id = ev.split(':')[0].split('-')[-1]
2239 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2240 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2242 raise Exception("Request for password timed out")
2243 id = ev.split(':')[0].split('-')[-1]
# GTC may ask for a one-time password instead; answer on the same
# channel the request came from.
2244 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2245 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2246 dev[0].wait_connected(timeout=10)
2247 dev[0].request("REMOVE_NETWORK all")
2249 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2250 """WPA2-Enterprise connection using EAP vendor test

dev[0] authenticates with the VENDOR-TEST method and reauthenticates;
dev[1] then connects with the same method and additional options.
eap_connect raises on failure.
"""
2251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2252 hostapd.add_ap(apdev[0]['ifname'], params)
2253 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2254 eap_reauth(dev[0], "VENDOR-TEST")
# NOTE(review): the remaining keyword argument(s) and the closing
# parenthesis of this call are not in this listing -- confirm against
# the original file.
2255 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning.

    dev[0] connects with EAP-FAST, obtaining its PAC through
    unauthenticated (anonymous) provisioning (fast_provisioning=1) and
    storing it in the "fast_pac" blob. Data connectivity is checked, and a
    reauthentication must then resume the TLS session from the PAC
    (tls_session_reused == '1'). Raises Exception otherwise.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Anonymous provisioning does not authenticate the server during the
    # provisioning phase itself; this test only covers the mechanics of
    # obtaining and later reusing the PAC.
    eap_connect(dev[0], ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    reused = reauth['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2272 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2273 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

Provisions an EAP-FAST PAC into a file under the test log directory,
checks the file's text-format header and that it holds a PAC-Key, then
reconnects using the stored PAC. dev[1] repeats the exercise with the
binary PAC format in a second file. The PAC files are removed at the
end. Raises Exception if the PAC file content is not as expected.
"""
2274 check_eap_capa(dev[0], "FAST")
# `params` here is the test-harness dict (it carries the log directory);
# it is shadowed below by the hostapd parameter dict, which is confusing
# but harmless since logdir is read first.
2275 pac_file = os.path.join(params['logdir'], "fast.pac")
2276 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2277 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2278 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): upstream wraps the remainder in try/finally so the PAC
# files are removed even on failure; the "try:" is not in this listing.
2281 eap_connect(dev[0], apdev[0], "FAST", "user",
2282 anonymous_identity="FAST", password="password",
2283 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2284 phase1="fast_provisioning=1", pac_file=pac_file)
# The PAC-Key is a shared secret stored in plaintext here; the file is a
# credential and is only acceptable inside the test's log directory.
# NOTE(review): the "data = f.read()" inside this with-block is not in
# this listing -- confirm.
2285 with open(pac_file, "r") as f:
2287 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2288 raise Exception("PAC file header missing")
2289 if "PAC-Key=" not in data:
2290 raise Exception("PAC-Key missing from PAC file")
2291 dev[0].request("REMOVE_NETWORK all")
# Reconnect without fast_provisioning: must succeed from the stored PAC.
# NOTE(review): the pac_file=... argument and closing parenthesis of
# this call are not in this listing.
2292 eap_connect(dev[0], apdev[0], "FAST", "user",
2293 anonymous_identity="FAST", password="password",
2294 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same flow with the binary PAC format on dev[1].
# NOTE(review): the pac_file=pac_file2 argument and closing parenthesis
# of the two calls below are not in this listing.
2297 eap_connect(dev[1], apdev[0], "FAST", "user",
2298 anonymous_identity="FAST", password="password",
2299 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2300 phase1="fast_provisioning=1 fast_pac_format=binary",
2302 dev[1].request("REMOVE_NETWORK all")
2303 eap_connect(dev[1], apdev[0], "FAST", "user",
2304 anonymous_identity="FAST", password="password",
2305 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2306 phase1="fast_pac_format=binary",
# Cleanup: do not leave PAC credentials behind in the log directory.
# NOTE(review): the removal of pac_file and the surrounding
# finally/except handling are not in this listing.
2314 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format.

    dev[0] provisions a PAC through unauthenticated provisioning with the
    binary PAC format and a PAC list capped at one entry, storing it in
    the "fast_pac_bin" blob. A reauthentication must then resume the TLS
    session from that PAC (tls_session_reused == '1'). Raises Exception
    otherwise.
    """
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    phase1_opts = " ".join(["fast_provisioning=1",
                            "fast_max_pac_list_len=1",
                            "fast_pac_format=binary"])
    eap_connect(dev[0], ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts, pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2332 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2333 """WPA2-Enterprise connection using EAP-FAST and missing PAC config

Two EAP-FAST configurations that cannot work: one referencing a PAC
blob that holds no PAC, one with no pac_file at all. Neither enables
fast_provisioning, so no PAC can be obtained and the method must fail
closed with CTRL-EVENT-EAP-FAILURE instead of connecting without a PAC.
Raises Exception on timeout.
"""
2334 check_eap_capa(dev[0], "FAST")
2335 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2336 hostapd.add_ap(apdev[0]['ifname'], params)
# Case 1: pac_file points at a blob that is not provisioned.
2338 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2339 identity="user", anonymous_identity="FAST",
2340 password="password",
2341 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2342 pac_file="blob://fast_pac_not_in_use",
2343 wait_connect=False, scan_freq="2412")
# NOTE(review): upstream guards each raise below with "if ev is None:";
# those lines are absent from this listing -- confirm. wait_event uses
# its default timeout here.
2344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2346 raise Exception("Timeout on EAP failure report")
2347 dev[0].request("REMOVE_NETWORK all")
# Case 2: no pac_file configured at all.
2349 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2350 identity="user", anonymous_identity="FAST",
2351 password="password",
2352 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2353 wait_connect=False, scan_freq="2412")
2354 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2356 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC with fast_provisioning=2 (authenticated provisioning)
    using EAP-GTC as the inner method, checks data connectivity through
    the AP, and then requires reauthentication to resume the TLS session
    from the provisioned PAC.

    Raises:
        HwsimSkip: if the wpa_supplicant build lacks EAP-FAST.
        Exception: if reauthentication does not report tls_session_reused=1.
    """
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection, the network's
    identity is changed to a different user. The resulting reconnection
    must start EAP-FAST and then fail (the PAC/credentials no longer match
    the configured identity), leaving the station disconnected.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity on the live network triggers a reconnect.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Forces the second allocation inside openssl_tls_prf on the peer to
    fail and requires the EAP exchange to end in a clean EAP failure
    rather than a crash or a hang.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 2, "openssl_tls_prf"):
        # NOTE(review): one argument line of this connect() call (between
        # ca_cert and phase1, likely the phase2 setting) is not in the listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Runs EAP-FAST against hostapd's integrated EAP server while the first
    allocation in the server's tls_session_ticket_ext_cb fails. The peer
    must see an EAP failure and disconnect; afterwards the network is
    re-selected to check the station recovers.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Test-only PAC-Opaque encryption key and A-ID; fixed values are fine
    # here because nothing outside this test trusts this server.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    # Re-select the network with the allocation failure lifted.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Positive case: the peer sets ocsp=2 (stapled OCSP response required;
    compare the ocsp=1 "optional" test) and authenticates with a PKCS#12
    client credential. The connection is expected to complete.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client = dict(ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  ocsp=2)
    eap_connect(dev[0], ap, "TLS", "tls user", **client)
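def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    The AP is WPA2 (RSN/CCMP) with WPA-EAP key management, IEEE 802.1X
    enabled and hostapd's built-in EAP server (eap_server=1) backed by the
    auth_serv/eap_user.conf user database and the auth_serv CA/server
    certificate and key. Callers mutate the result (swap server_cert and
    private_key, add ocsp_stapling_response, dh_file, openssl_ciphers,
    eap_sim_db, ...), so a fresh dict is built on every call.

    Returns:
        dict[str, str]: hostapd configuration key/value pairs.

    Note: as listed, the function built the dict but never returned it,
    while every caller uses its return value; the return is the fix.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }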
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The server staples a file that is an OCSP *request* (ocsp-req.der),
    not a response. With ocsp=2 the peer must report a
    'bad certificate status response' EAP status and then an EAP failure.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the retry loop around the status
    # wait (counter, `if ev is None:`, break on match, limit check); the
    # two raises below are shown out of their original structure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The server staples a deliberately corrupted OCSP response. With ocsp=2
    the peer must report 'bad certificate status response' and fail EAP
    rather than accept the server certificate.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status-wait retry loop (counter, None guard,
    # break, limit check) is not in this listing; structure below is partial.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled OCSP response is signed by a key the peer does not trust.
    With ocsp=2 this must be treated like any other bad status response:
    'bad certificate status response' followed by EAP failure. Accepting
    it would let anyone forge "good" status for a revoked certificate.
    """
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status-wait retry loop (counter, None guard,
    # break, limit check) is not in this listing; structure below is partial.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated OCSP response from the test log directory that
    marks the server certificate as revoked. With ocsp=2 the peer must
    reject the server (status 'certificate revoked' or 'bad certificate
    status response') and report EAP failure.

    Raises:
        HwsimSkip: if the pre-generated OCSP response file is absent.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Rebinds `params` from the test-framework dict to hostapd parameters.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status-wait retry loop (counter, None guard,
    # break statements, limit check) is not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        if 'certificate revoked' in ev:
            raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    (The original docstring said "revoked"; this case staples a response
    with certificate status *unknown*.) With ocsp=2 an unknown status is
    not good enough: the peer must report 'bad certificate status
    response' and fail EAP.

    Raises:
        HwsimSkip: if the pre-generated OCSP response file is absent.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status-wait retry loop (counter, None guard,
    # break, limit check) is not in this listing; structure below is partial.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
        raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP, status unknown

    (Original docstring said "status revoked"; the stapled response here
    carries status *unknown*.) With ocsp=1 OCSP is optional, so an unknown
    status must not block the connection: this connect() waits for
    completion and the test passes only if authentication succeeds.
    Contrast the ocsp=2 variant, where the same response must fail.

    Raises:
        HwsimSkip: if the pre-generated OCSP response file is absent.
    """
    response = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(response):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = response
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN (server-no-dnsname.pem), so
    domain_suffix_match must be evaluated against the subject CN. Here the
    configured value is the full CN, which every TLS backend is expected
    to accept (the partial-suffix variant is OpenSSL-only).
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   # NOTE(review): the remaining connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain_match (CN)

    With a server certificate lacking dNSName SANs, domain_match (exact,
    full-name comparison) falls back to the subject CN; the configured
    value equals the CN so the connection is expected to succeed.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   # NOTE(review): the remaining connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Partial suffix ("w1.fi") against a CN-only server certificate. This
    needs true suffix matching, which check_domain_match_full() only
    guarantees for OpenSSL builds; other TLS libraries skip.
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   # NOTE(review): the remaining connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two values that must be rejected against a CN of server3.w1.fi:
    an unrelated domain ("example.com") and "erver3.w1.fi", which is a
    plain string suffix of the CN but is not aligned to a label boundary.
    The second case is the security-relevant one -- a naive suffix
    comparison would also accept attacker-chosen names such as
    "evilserver3.w1.fi". Both stations must report EAP failure.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match requires an exact full-name match. Against a CN of
    server3.w1.fi both an unrelated name ("example.com") and the parent
    domain ("w1.fi", which domain_suffix_match would accept) must be
    rejected with EAP failure on both stations.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The peer must emit a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    'certificate has expired', then fail EAP.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the human-readable text are pinned so a
    # different verification failure cannot pass for expiry.
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the previous test, but the peer
    sets phase1 tls_disable_time_checks=1, which turns off validity-period
    checking; the connection is expected to succeed. This knob weakens
    server verification and is exercised here only to confirm the option
    works -- it is not something a production profile should carry.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period
    (server-long-duration.pem); the peer is expected to accept it and
    connect with TTLS/MSCHAP.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate's Extended Key Usage allows only client
    authentication. The peer must refuse it for server authentication
    and report EAP failure -- otherwise any client certificate issued by
    the CA could be used to impersonate the authentication server.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Positive counterpart of the client-EKU test: the certificate lists
    both clientAuth and serverAuth, so the peer must accept it and the
    TTLS/MSCHAP connection is expected to complete.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads its certificate and key from a single PKCS#12 bundle
    given as private_key, with server_cert removed from the parameters.
    The TTLS/MSCHAP connection is expected to complete.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The peer supplies its own DH parameters via dh_file (auth_serv/dh.conf)
    and trusts the DER-encoded CA certificate. The connection must succeed.
    (The original docstring said TTLS/CHAP; the inner method here is PAP.)
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Like the plain dh_params test, but the peer's dh_file points at DSA
    parameters (auth_serv/dsaparam.pem) instead of a DH parameter file;
    the TTLS/PAP connection is still expected to complete.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Peer-side negative test: dh_file names a file that does not exist, so
    the TLS setup must fail and the peer must report EAP failure.

    NOTE(review): a second function with this exact name is defined
    later in the file (the server-side dh_file variant). In Python the
    later def wins, so this test is shadowed and will not be collected by
    the runner; one of the two should be renamed.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Peer-side negative test: dh_file points at a certificate (ca.pem)
    rather than DH parameters, so TLS setup must fail with EAP failure.

    NOTE(review): a later function in this file reuses this exact name
    for the server-side variant; the later def shadows this one, so this
    test is not collected by the runner. Rename one of them.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    Reads auth_serv/dh2.conf with read_pem(), stores the decoded bytes in
    the wpa_supplicant blob "dhparams" via the control interface (hex
    encoded), and points dh_file at blob://dhparams. The TTLS/PAP
    connection must then succeed. (Original docstring said CHAP; the
    inner method is PAP.)

    Raises:
        Exception: if the SET blob command is not acknowledged with OK.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dh_params = read_pem("auth_serv/dh2.conf")
    # Python 2 str.encode("hex"): the control interface takes hex blobs.
    reply = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is given a different DH parameter file
    (auth_serv/dh2.conf); a default TTLS/PAP peer must still connect.
    """
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    The integrated EAP server's dh_file points at DSA parameters
    (auth_serv/dsaparam.pem); a default TTLS/PAP peer must still connect.
    """
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """Integrated EAP server and dhparams file not found

    hostapd is configured with a dh_file that does not exist; the AP is
    added without enabling it, and the ENABLE command must then FAIL
    rather than start with a broken TLS configuration.

    NOTE(review): this def reuses the name of the peer-side
    dh_params_not_found test defined earlier in the file and therefore
    shadows it (only this one is collected). Rename one of the two.
    """
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """Integrated EAP server and invalid dhparams file

    hostapd's dh_file points at a certificate (ca.pem) rather than DH
    parameters; ENABLE on the not-yet-enabled AP must FAIL.

    NOTE(review): this def reuses the name of the peer-side
    dh_params_invalid test defined earlier in the file and therefore
    shadows it (only this one is collected). Rename one of the two.
    """
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server, no_enable=True)
    result = hapd.request("ENABLE")
    if "FAIL" not in result:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication

    The AP sets eap_reauth_period=2 so the Authenticator forces a fresh
    EAP exchange shortly after the initial EAP-PAX authentication. The
    peer must see EAP-STARTED and EAP-SUCCESS again and return to the
    COMPLETED state.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-PAX uses a 16-byte shared key given as hex.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("Timeout on reauthentication")
    # Poll wpa_state; the listing drops the loop's break/sleep lines.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            # NOTE(review): loop body (break / time.sleep) not in this listing.
            pass
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    hostapd's eap_message carries a displayable string followed (after a
    NUL) by network/NAS attributes in the EAP-Request/Identity. The peer
    must ignore the message content and complete EAP-PAX normally.
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(dev[0], ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    Runs EAP-SIM, EAP-AKA and EAP-AKA' against hostapd's integrated EAP
    server with eap_sim_aka_result_ind=1 and the hlr_auc_gw simulator as
    the SIM database. For each method dev[0] connects with phase1
    result_ind=1 (requesting the protected result indication) and then
    reauthenticates, while dev[1] connects without requesting it; all
    exchanges must succeed. The credentials appear to be the hlr_auc_gw
    test vectors (Ki:OPc, plus an SQN field for AKA/AKA').

    Raises:
        HwsimSkip: if the hlr_auc_gw socket is not available.
    """
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    ki_opc = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    cases = [
        ("SIM", "1232010000000000", ki_opc),
        ("AKA", "0232010000000000", ki_opc + ":000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks before switching methods
            # (matches the original: no removal after the last method).
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=secret, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips

    Drives a TTLS/MSCHAP exchange into exceeding the peer's EAP roundtrip
    limit and requires the "EAP: more than" diagnostic to be emitted --
    the limit is what stops a misbehaving server from keeping the peer
    in an endless exchange.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   # NOTE(review): the final connect() argument (presumably
                   # what forces the many roundtrips, e.g. a tiny fragment
                   # size) and the closing parenthesis are not in this listing.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK

    The identity "vendor-test" presumably makes the server propose a
    vendor-specific (expanded) EAP method that the peer does not support;
    the peer must answer with an expanded NAK ("refuse proposed method"
    status) and the exchange must end in EAP failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    # Up to five EAP status events are inspected for the NAK indication.
    # NOTE(review): the loop's None guard, `break` and the trailing
    # "not found" handling are not in this listing.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB

    Builds a throwaway SQLite user database in the log directory with one
    TTLS user per inner method (PAP, CHAP, MSCHAP, MSCHAPv2), a wildcard
    row allowing TTLS/TLS for phase 1, and an empty authlog table, then
    points hostapd's eap_user_file at it with the sqlite: prefix. Each
    user must be able to authenticate with its own inner method.

    All SQL below is static literals -- no values are interpolated -- so
    there is no injection surface in the test itself.

    Raises:
        HwsimSkip: if the sqlite3 module is unavailable.
    """
    skip_with_fips(dev[0])
    # NOTE(review): the `try: import sqlite3 / except ImportError:` lines
    # around this raise are not in this listing.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): removal of a stale dbfile and the cursor setup
    # (`cur = con.cursor()`) are not in this listing.
    con = sqlite3.connect(dbfile)
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty identity = wildcard: any user may start TTLS or TLS in phase 1.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # NOTE(review): commit/close of the connection not in this listing.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Sends identities containing a raw 0x80 byte (alone and after an ASCII
    character) to hostapd's integrated EAP server. The test only requires
    that EAP starts and a method is selected for both stations -- i.e.
    the non-UTF-8 identity must not crash or stall either side.
    """
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity

    Same as test_ap_wpa2_eap_non_ascii_identity but against the default
    (external RADIUS) EAP server configuration instead of hostapd's
    integrated server. Both stations must reach EAP start and method
    selection despite the 0x80 byte in the identity.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): `if ev is None:` guard not present in this listing.
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Three peers with different openssl_ciphers strings against the default
    EAP server: "AES128" must connect; "EXPORT" must fail (the server is
    expected to refuse export-grade suites, possibly as a local TLS error,
    hence maybe_local_error); the bogus string "FOO" must be rejected by
    the peer with an EAP failure rather than silently falling back to the
    default cipher list.

    Raises:
        HwsimSkip: if wpa_supplicant is not built against OpenSSL.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   # NOTE(review): trailing connect() arguments and the
                   # closing parenthesis are not in this listing.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): `if ev is None:` guard not present in this listing.
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to openssl_ciphers=AES256.
    A peer with default ciphers and one allowing "HIGH:!ADH" must connect;
    a peer restricted to "AES128" shares no suite with the server and
    must fail. Finally a second AP configured with the bogus cipher string
    "FOO" must be refused at ENABLE instead of starting with an
    unintended cipher list.

    Raises:
        HwsimSkip: if either wpa_supplicant or hostapd is not built
            against OpenSSL.
    """
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    tls = hapd.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3112 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3113 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Snapshots the wpa_supplicant process memory at four points (while
    associated, after disconnect, after PMKSA/fast-reauth flush, after
    network removal) and checks which secrets are still present at each
    point. The key values themselves are recovered from the debug log.
    """
3114 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3115 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long random-looking password so the memory search does not hit
    # unrelated data.
3116 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3117 pid = find_wpas_process(dev[0])
3118 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3119 anonymous_identity="ttls", password=password,
3120 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Snapshot taken while still associated; inspected further below.
3122 buf = read_process_memory(pid, password)
3124 dev[0].request("DISCONNECT")
3125 dev[0].wait_disconnected()
    # NOTE(review): gutter lines 3126-3132 are not shown in this listing;
    # presumably they initialise msk/emsk/pmk/ptk/gtk before the log scan.
    # Recover the derived keys from the hexdump lines in the debug log.
    # Field index 3 assumes the line shape
    # "<timestamp>: <module>: <label> - hexdump(len=N): <hex bytes>".
3133 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3134 for l in f.readlines():
3135 if "EAP-TTLS: Derived key - hexdump" in l:
3136 val = l.strip().split(':')[3].replace(' ', '')
3137 msk = binascii.unhexlify(val)
3138 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3139 val = l.strip().split(':')[3].replace(' ', '')
3140 emsk = binascii.unhexlify(val)
3141 if "WPA: PMK - hexdump" in l:
3142 val = l.strip().split(':')[3].replace(' ', '')
3143 pmk = binascii.unhexlify(val)
3144 if "WPA: PTK - hexdump" in l:
3145 val = l.strip().split(':')[3].replace(' ', '')
3146 ptk = binascii.unhexlify(val)
3147 if "WPA: Group Key - hexdump" in l:
3148 val = l.strip().split(':')[3].replace(' ', '')
3149 gtk = binascii.unhexlify(val)
3150 if not msk or not emsk or not pmk or not ptk or not gtk:
3151 raise Exception("Could not find keys from debug log")
    # NOTE(review): the GTK length check (gutter 3152) and the lines that
    # derive kck/kek/tk from ptk (gutter 3154-3158) are not shown here.
3153 raise Exception("Unexpected GTK length")
    # Prefix for memory-context dumps written by verify_not_present().
3159 fname = os.path.join(params['logdir'],
3160 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    # While associated: password, PMK, KCK and KEK are expected in memory;
    # TK and GTK must not be (the exception messages below are the
    # failure conditions for the guards not shown in this listing).
3162 logger.info("Checking keys in memory while associated")
3163 get_key_locations(buf, password, "Password")
3164 get_key_locations(buf, pmk, "PMK")
3165 get_key_locations(buf, msk, "MSK")
3166 get_key_locations(buf, emsk, "EMSK")
3167 if password not in buf:
3168 raise HwsimSkip("Password not found while associated")
3170 raise HwsimSkip("PMK not found while associated")
3172 raise Exception("KCK not found while associated")
3174 raise Exception("KEK not found while associated")
3176 raise Exception("TK found from memory")
3178 raise Exception("GTK found from memory")
    # After disconnect: the per-association keys (KCK, KEK, TK, GTK) must
    # be gone; password and PMK are still legitimately held.
3180 logger.info("Checking keys in memory after disassociation")
3181 buf = read_process_memory(pid, password)
3183 # Note: Password is still present in network configuration
3184 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3186 get_key_locations(buf, password, "Password")
3187 get_key_locations(buf, pmk, "PMK")
3188 get_key_locations(buf, msk, "MSK")
3189 get_key_locations(buf, emsk, "EMSK")
3190 verify_not_present(buf, kck, fname, "KCK")
3191 verify_not_present(buf, kek, fname, "KEK")
3192 verify_not_present(buf, tk, fname, "TK")
3193 verify_not_present(buf, gtk, fname, "GTK")
    # Flushing the PMKSA cache and changing the identity (which drops the
    # EAP fast re-auth state) must remove the PMK as well.
3195 dev[0].request("PMKSA_FLUSH")
3196 dev[0].set_network_quoted(id, "identity", "foo")
3197 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3198 buf = read_process_memory(pid, password)
3199 get_key_locations(buf, password, "Password")
3200 get_key_locations(buf, pmk, "PMK")
3201 get_key_locations(buf, msk, "MSK")
3202 get_key_locations(buf, emsk, "EMSK")
3203 verify_not_present(buf, pmk, fname, "PMK")
    # Once the network profile is removed no secret may remain in memory.
3205 dev[0].request("REMOVE_NETWORK all")
3207 logger.info("Checking keys in memory after network profile removal")
3208 buf = read_process_memory(pid, password)
3210 get_key_locations(buf, password, "Password")
3211 get_key_locations(buf, pmk, "PMK")
3212 get_key_locations(buf, msk, "MSK")
3213 get_key_locations(buf, emsk, "EMSK")
3214 verify_not_present(buf, password, fname, "password")
3215 verify_not_present(buf, pmk, fname, "PMK")
3216 verify_not_present(buf, kck, fname, "KCK")
3217 verify_not_present(buf, kek, fname, "KEK")
3218 verify_not_present(buf, tk, fname, "TK")
3219 verify_not_present(buf, gtk, fname, "GTK")
3220 verify_not_present(buf, msk, fname, "MSK")
3221 verify_not_present(buf, emsk, fname, "EMSK")
3223 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3224 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key

    After a normal EAP-TTLS/PAP connection a WEP-style EAPOL-Key frame is
    injected through the EAPOL_RX control command; the test only checks
    that the injection itself was accepted, the frame is expected to be
    dropped by the supplicant.
    """
3225 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3226 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3227 bssid = apdev[0]['bssid']
3228 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3229 anonymous_identity="ttls", password="password",
3230 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3232 # Send unexpected WEP EAPOL-Key; this gets dropped
3233 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the check on res (gutter 3234) is not shown in this
    # listing; the raise below is its failure branch.
3235 raise Exception("EAPOL_RX to wpa_supplicant failed")
3237 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3238 """WPA2-EAP and wpas interface in a bridge

    Wrapper that runs _test_ap_wpa2_eap_in_bridge() and then tears the
    bridge and 4addr mode down again.
    """
    # NOTE(review): gutter lines 3239-3241 and 3243 are not shown in this
    # listing; br_ifname and ifname are presumably bound there and the
    # try/finally that makes the cleanup below unconditional.
3242 _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Cleanup: undo bridge membership and 4addr mode; return codes are
    # deliberately ignored so a partially-built setup still gets torn down.
3244 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3245 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3246 subprocess.call(['brctl', 'delbr', br_ifname])
3247 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3249 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Run an EAP-PAX connection with the station interface in a bridge.

    Creates a bridge, enables 4addr mode on the station interface, adds
    it to the bridge through a separate wpa_supplicant instance, then
    connects, reauthenticates twice and reconnects.
    """
3250 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3251 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): gutter lines 3252-3254 are not shown in this listing;
    # br_ifname and ifname are presumably bound there.
3255 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Forwarding delay 0 so the bridge port is usable immediately.
3256 subprocess.call(['brctl', 'addbr', br_ifname])
3257 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3258 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3259 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # check_call here: adding the port is the one step that must succeed.
3260 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3261 wpas.interface_add(ifname, br_ifname=br_ifname)
3263 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3264 password_hex="0123456789abcdef0123456789abcdef")
3265 eap_reauth(wpas, "PAX")
3266 # Try again as a regression test for packet socket workaround
3267 eap_reauth(wpas, "PAX")
3268 wpas.request("DISCONNECT")
3269 wpas.wait_disconnected()
3270 wpas.request("RECONNECT")
3271 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1="tls_disable_session_ticket=0" keeps TLS session tickets
    enabled on the peer; the initial connection and the following EAP
    reauthentication are both expected to succeed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Sanity check the AP side before exercising the peer.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm, _, _ = key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="tls_disable_session_ticket=0",
                    phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    eap_reauth(dev[0], "TTLS")
3286 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3287 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0

    Same flow as the session-ticket test, but with the EAP workarounds
    disabled on the peer; connection and reauthentication must succeed.
    """
3288 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3289 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check the AP side before exercising the peer.
3290 key_mgmt = hapd.get_config()['key_mgmt']
3291 if key_mgmt.split(' ')[0] != "WPA-EAP":
3292 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3293 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3294 anonymous_identity="ttls", password="password",
3295 ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the last argument line of this call (gutter 3296) is
    # not shown in this listing.
3297 eap_reauth(dev[0], "TTLS")
3299 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3300 """EAP-TLS and server checking CRL

    Three server configurations are exercised with the same client
    certificate: check_crl=1 without any CRL loaded (connection must be
    rejected), check_crl=1 with a CA bundle that carries a CRL
    (accepted), and check_crl=2 with that bundle (accepted).
    """
3301 params = int_eap_server_params()
3302 params['check_crl'] = '1'
3303 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3305 # check_crl=1 and no CRL available --> reject connection
3306 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3307 client_cert="auth_serv/user.pem",
3308 private_key="auth_serv/user.key", expect_failure=True)
3309 dev[0].request("REMOVE_NETWORK all")
    # Switch the server to a CA file that also contains a CRL.
    # NOTE(review): gutter lines 3311 and 3313 around this set() are not
    # shown in this listing; presumably they reload the AP configuration.
3312 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3315 # check_crl=1 and valid CRL --> accept
3316 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3317 client_cert="auth_serv/user.pem",
3318 private_key="auth_serv/user.key")
3319 dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): gutter lines 3321 and 3323 around this set() are not
    # shown in this listing.
3322 hapd.set("check_crl", "2")
3325 # check_crl=2 and valid CRL --> accept
3326 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3327 client_cert="auth_serv/user.pem",
3328 private_key="auth_serv/user.key")
3329 dev[0].request("REMOVE_NETWORK all")
3331 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3332 """EAP-TLS and OOM

    Forces the first four allocations in tls_connection_set_subject_match
    to fail, one at a time, while all subject/altsubject/domain matching
    parameters are set; each failure is expected to surface as a
    CTRL-REQ-PASSPHRASE request rather than a connection.
    """
    # All three matching features must be supported by the TLS library,
    # otherwise the parameters under test are not even parsed.
3333 check_subject_match_support(dev[0])
3334 check_altsubject_match_support(dev[0])
3335 check_domain_match_full(dev[0])
3337 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3338 hostapd.add_ap(apdev[0]['ifname'], params)
    # (allocation index, function) pairs handed to alloc_fail.
3340 tests = [ (1, "tls_connection_set_subject_match"),
3341 (2, "tls_connection_set_subject_match"),
3342 (3, "tls_connection_set_subject_match"),
3343 (4, "tls_connection_set_subject_match") ]
3344 for count, func in tests:
3345 with alloc_fail(dev[0], count, func):
3346 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3347 identity="tls user", ca_cert="auth_serv/ca.pem",
3348 client_cert="auth_serv/user.pem",
3349 private_key="auth_serv/user.key",
3350 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3351 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3352 domain_suffix_match="server.w1.fi",
3353 domain_match="server.w1.fi",
3354 wait_connect=False, scan_freq="2412")
3355 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3356 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
    # NOTE(review): the guard before this raise (gutter 3357, presumably a
    # None check on ev) is not shown in this listing.
3358 raise Exception("No passphrase request")
3359 dev[0].request("REMOVE_NETWORK all")
3360 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP is started with macaddr_acl set to "2" on top of the standard
    WPA2-EAP parameters; an EAP-TLS connection from dev[1] is expected
    to complete.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
3371 def test_ap_wpa2_eap_oom(dev, apdev):
3372 """EAP server and OOM

    Makes the first eapol_auth_alloc() call in hostapd fail while a
    station attempts an EAP-TLS connection.
    """
3373 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3374 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3375 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3377 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3378 # The first attempt fails, but STA will send EAPOL-Start to retry and
    # NOTE(review): the rest of the comment above (gutter 3379) and the
    # tail of the connect() call below (gutter 3384-3385) are not shown
    # in this listing.
3380 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3381 identity="tls user", ca_cert="auth_serv/ca.pem",
3382 client_cert="auth_serv/user.pem",
3383 private_key="auth_serv/user.key",
3386 def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS and verify the negotiated TLS version.

    phase1 carries the tls_disable_tlsv1_* settings under test; after the
    connection completes, the eap_tls_version status field is compared
    against expected.
    """
3387 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3388 client_cert="auth_serv/user.pem",
3389 private_key="auth_serv/user.key",
    # NOTE(review): the last argument line of this call (gutter 3390,
    # presumably passing phase1) is not shown in this listing.
3391 ver = dev.get_status_field("eap_tls_version")
    # NOTE(review): the comparison guarding this raise (gutter 3392) is not
    # shown in this listing.
3393 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3395 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3396 """EAP-TLS and TLS version configuration"""
3397 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3398 hostapd.add_ap(apdev[0]['ifname'], params)
3400 tls = dev[0].request("GET tls_library")
3401 if tls.startswith("OpenSSL"):
3402 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3403 check_tls_ver(dev[0], apdev[0],
3404 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3406 check_tls_ver(dev[1], apdev[0],
3407 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3408 check_tls_ver(dev[2], apdev[0],
3409 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")