1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
28 openssl_imported = True
30 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the current test when no hlr_auc_gw instance is reachable.

    The EAP-SIM/AKA tests in this file need the HLR/AuC gateway; its
    availability is detected purely by the presence of its UNIX socket.

    Raises:
        HwsimSkip: if the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev, method):
37 res = dev.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL TLS backend.

    subject_match is only handled by the OpenSSL code path, so the
    "GET tls_library" answer is consulted before the test proceeds.

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls_lib)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* is built against OpenSSL.

    altsubject_match (SubjectAltName matching) is only implemented for
    the OpenSSL backend.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    is_openssl = tls_lib.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_lib)
def check_domain_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    domain_match is unavailable only with the built-in TLS library;
    every other backend is allowed through.

    Raises:
        HwsimSkip: when the TLS library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    uses_internal_tls = tls_lib.startswith("internal")
    if uses_internal_tls:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls_lib)
def check_domain_suffix_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    domain_suffix_match is not implemented by the built-in TLS library.

    Raises:
        HwsimSkip: when the TLS library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls_lib)
def check_domain_match_full(dev):
    """Skip the test unless *dev*'s TLS library is OpenSSL.

    Used by tests that rely on domain_suffix_match behaving as a full
    (rather than suffix-only) match, which only the OpenSSL backend does.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    full_match_supported = tls_lib.startswith("OpenSSL")
    if not full_match_supported:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the test unless the TLS backend supports certificate probing.

    Both OpenSSL and the internal TLS implementation are accepted; any
    other library string causes a skip.

    Raises:
        HwsimSkip: when the TLS library is neither OpenSSL nor internal.
    """
    tls_lib = dev.request("GET tls_library")
    # str.startswith accepts a tuple of alternatives.
    if tls_lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_lib)
def check_ext_cert_check_support(dev):
    """Skip the test unless *dev* is built against OpenSSL.

    The external certificate check hook (ext_cert_check) is only wired
    into the OpenSSL backend.

    Raises:
        HwsimSkip: when the reported TLS library is not OpenSSL.
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls_lib)
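def check_ocsp_support(dev):
    """Capability gate for the OCSP tests; currently lets every backend through.

    The TLS library name is still queried so this hook keeps the same
    ctrl_iface footprint as the other check_* helpers, but no library is
    skipped any more: earlier revisions skipped the internal TLS
    implementation and BoringSSL, and that exclusion was dropped.
    Reinstate a HwsimSkip here if an OCSP-less backend needs excluding
    again.
    """
    # Result intentionally unused: nothing is gated on it at the moment.
    dev.request("GET tls_library")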
def check_ocsp_multi_support(dev):
    """Skip the test unless both peers use the internal TLS implementation.

    ocsp_multi is only available with the built-in TLS library, and it is
    needed on both sides: the station (*dev*) and the authentication
    server (the "as" hostapd instance).

    Raises:
        HwsimSkip: if either side reports a library other than "internal".
    """
    station_tls = dev.request("GET tls_library")
    if not station_tls.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + station_tls)
    auth_server = hostapd.Hostapd("as")
    server_tls = auth_server.request("GET tls_library")
    if not server_tls.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
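def check_pkcs12_support(dev):
    """Capability gate for the PKCS#12 tests; currently lets every backend through.

    The TLS library name is queried to keep the same ctrl_iface footprint
    as the sibling check_* helpers, but nothing is skipped: an earlier
    revision excluded the internal TLS implementation and that skip was
    dropped.  Reinstate a HwsimSkip here if a backend without PKCS#12
    support needs excluding again.
    """
    # Result intentionally unused: nothing is gated on it at the moment.
    dev.request("GET tls_library")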
def check_dh_dsa_support(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    DH parameters with DSA keys are not supported by the built-in TLS
    library; other backends are allowed through.

    Raises:
        HwsimSkip: when the TLS library string starts with "internal".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + tls_lib)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
117 def eap_connect(dev, ap, method, identity,
118 sha256=False, expect_failure=False, local_error_report=False,
119 maybe_local_error=False, **kwargs):
120 hapd = hostapd.Hostapd(ap['ifname'])
121 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
122 eap=method, identity=identity,
123 wait_connect=False, scan_freq="2412", ieee80211w="1",
125 eap_check_auth(dev, method, True, sha256=sha256,
126 expect_failure=expect_failure,
127 local_error_report=local_error_report,
128 maybe_local_error=maybe_local_error)
131 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
133 raise Exception("No connection event received from hostapd")
136 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
137 expect_failure=False, local_error_report=False,
138 maybe_local_error=False):
139 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
141 raise Exception("Association and EAP start timed out")
142 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
143 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
145 raise Exception("EAP method selection timed out")
146 if "CTRL-EVENT-EAP-FAILURE" in ev:
147 if maybe_local_error:
149 raise Exception("Could not select EAP method")
151 raise Exception("Unexpected EAP method")
153 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
155 raise Exception("EAP failure timed out")
156 ev = dev.wait_disconnected(timeout=10)
157 if maybe_local_error and "locally_generated=1" in ev:
159 if not local_error_report:
160 if "reason=23" not in ev:
161 raise Exception("Proper reason code for disconnection not reported")
163 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
165 raise Exception("EAP success timed out")
168 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
170 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
172 raise Exception("Association with the AP timed out")
173 status = dev.get_status()
174 if status["wpa_state"] != "COMPLETED":
175 raise Exception("Connection not completed")
177 if status["suppPortStatus"] != "Authorized":
178 raise Exception("Port not authorized")
179 if "selectedMethod" not in status:
180 logger.info("Status: " + str(status))
181 raise Exception("No selectedMethod in status")
182 if method not in status["selectedMethod"]:
183 raise Exception("Incorrect EAP method status")
185 e = "WPA2-EAP-SHA256"
187 e = "WPA2/IEEE 802.1X/EAP"
189 e = "WPA/IEEE 802.1X/EAP"
190 if status["key_mgmt"] != e:
191 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP reauthentication on *dev* and validate its outcome.

    Issues REAUTHENTICATE over the control interface and then runs the
    same eap_check_auth() checks as the initial connection, with
    initial=False.  The remaining keyword arguments are passed through
    unchanged.

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
199 def test_ap_wpa2_eap_sim(dev, apdev):
200 """WPA2-Enterprise connection using EAP-SIM"""
201 check_hlr_auc_gw_support()
202 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
203 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
204 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
205 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
206 hwsim_utils.test_connectivity(dev[0], hapd)
207 eap_reauth(dev[0], "SIM")
209 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
210 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
211 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
212 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
215 logger.info("Negative test with incorrect key")
216 dev[0].request("REMOVE_NETWORK all")
217 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
218 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
221 logger.info("Invalid GSM-Milenage key")
222 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
227 logger.info("Invalid GSM-Milenage key(2)")
228 dev[0].request("REMOVE_NETWORK all")
229 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
230 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
233 logger.info("Invalid GSM-Milenage key(3)")
234 dev[0].request("REMOVE_NETWORK all")
235 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
236 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
239 logger.info("Invalid GSM-Milenage key(4)")
240 dev[0].request("REMOVE_NETWORK all")
241 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
242 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
245 logger.info("Missing key configuration")
246 dev[0].request("REMOVE_NETWORK all")
247 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
250 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
251 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
252 check_hlr_auc_gw_support()
256 raise HwsimSkip("No sqlite3 module available")
257 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
258 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
259 params['auth_server_port'] = "1814"
260 hostapd.add_ap(apdev[0]['ifname'], params)
261 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
262 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
264 logger.info("SIM fast re-authentication")
265 eap_reauth(dev[0], "SIM")
267 logger.info("SIM full auth with pseudonym")
270 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
271 eap_reauth(dev[0], "SIM")
273 logger.info("SIM full auth with permanent identity")
276 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
277 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
278 eap_reauth(dev[0], "SIM")
280 logger.info("SIM reauth with mismatching MK")
283 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
284 eap_reauth(dev[0], "SIM", expect_failure=True)
285 dev[0].request("REMOVE_NETWORK all")
287 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
288 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
291 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
292 eap_reauth(dev[0], "SIM")
295 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 logger.info("SIM reauth with mismatching counter")
297 eap_reauth(dev[0], "SIM")
298 dev[0].request("REMOVE_NETWORK all")
300 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
301 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
304 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
305 logger.info("SIM reauth with max reauth count reached")
306 eap_reauth(dev[0], "SIM")
308 def test_ap_wpa2_eap_sim_config(dev, apdev):
309 """EAP-SIM configuration options"""
310 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
311 hostapd.add_ap(apdev[0]['ifname'], params)
312 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
313 identity="1232010000000000",
314 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
315 phase1="sim_min_num_chal=1",
316 wait_connect=False, scan_freq="2412")
317 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
319 raise Exception("No EAP error message seen")
320 dev[0].request("REMOVE_NETWORK all")
322 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
323 identity="1232010000000000",
324 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
325 phase1="sim_min_num_chal=4",
326 wait_connect=False, scan_freq="2412")
327 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
329 raise Exception("No EAP error message seen (2)")
330 dev[0].request("REMOVE_NETWORK all")
332 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
333 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
334 phase1="sim_min_num_chal=2")
335 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
336 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
337 anonymous_identity="345678")
339 def test_ap_wpa2_eap_sim_ext(dev, apdev):
340 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
342 _test_ap_wpa2_eap_sim_ext(dev, apdev)
344 dev[0].request("SET external_sim 0")
346 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
347 check_hlr_auc_gw_support()
348 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
349 hostapd.add_ap(apdev[0]['ifname'], params)
350 dev[0].request("SET external_sim 1")
351 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
352 identity="1232010000000000",
353 wait_connect=False, scan_freq="2412")
354 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
356 raise Exception("Network connected timed out")
358 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
360 raise Exception("Wait for external SIM processing request timed out")
362 if p[1] != "GSM-AUTH":
363 raise Exception("Unexpected CTRL-REQ-SIM type")
364 rid = p[0].split('-')[3]
367 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
368 # This will fail during processing, but the ctrl_iface command succeeds
369 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
370 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
372 raise Exception("EAP failure not reported")
373 dev[0].request("DISCONNECT")
374 dev[0].wait_disconnected()
377 dev[0].select_network(id, freq="2412")
378 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
380 raise Exception("Wait for external SIM processing request timed out")
382 if p[1] != "GSM-AUTH":
383 raise Exception("Unexpected CTRL-REQ-SIM type")
384 rid = p[0].split('-')[3]
385 # This will fail during GSM auth validation
386 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
387 raise Exception("CTRL-RSP-SIM failed")
388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
390 raise Exception("EAP failure not reported")
391 dev[0].request("DISCONNECT")
392 dev[0].wait_disconnected()
395 dev[0].select_network(id, freq="2412")
396 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
398 raise Exception("Wait for external SIM processing request timed out")
400 if p[1] != "GSM-AUTH":
401 raise Exception("Unexpected CTRL-REQ-SIM type")
402 rid = p[0].split('-')[3]
403 # This will fail during GSM auth validation
404 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
405 raise Exception("CTRL-RSP-SIM failed")
406 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
408 raise Exception("EAP failure not reported")
409 dev[0].request("DISCONNECT")
410 dev[0].wait_disconnected()
413 dev[0].select_network(id, freq="2412")
414 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
416 raise Exception("Wait for external SIM processing request timed out")
418 if p[1] != "GSM-AUTH":
419 raise Exception("Unexpected CTRL-REQ-SIM type")
420 rid = p[0].split('-')[3]
421 # This will fail during GSM auth validation
422 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
423 raise Exception("CTRL-RSP-SIM failed")
424 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
426 raise Exception("EAP failure not reported")
427 dev[0].request("DISCONNECT")
428 dev[0].wait_disconnected()
431 dev[0].select_network(id, freq="2412")
432 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
434 raise Exception("Wait for external SIM processing request timed out")
436 if p[1] != "GSM-AUTH":
437 raise Exception("Unexpected CTRL-REQ-SIM type")
438 rid = p[0].split('-')[3]
439 # This will fail during GSM auth validation
440 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
441 raise Exception("CTRL-RSP-SIM failed")
442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
444 raise Exception("EAP failure not reported")
445 dev[0].request("DISCONNECT")
446 dev[0].wait_disconnected()
449 dev[0].select_network(id, freq="2412")
450 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
452 raise Exception("Wait for external SIM processing request timed out")
454 if p[1] != "GSM-AUTH":
455 raise Exception("Unexpected CTRL-REQ-SIM type")
456 rid = p[0].split('-')[3]
457 # This will fail during GSM auth validation
458 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
459 raise Exception("CTRL-RSP-SIM failed")
460 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
462 raise Exception("EAP failure not reported")
463 dev[0].request("DISCONNECT")
464 dev[0].wait_disconnected()
467 dev[0].select_network(id, freq="2412")
468 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
470 raise Exception("Wait for external SIM processing request timed out")
472 if p[1] != "GSM-AUTH":
473 raise Exception("Unexpected CTRL-REQ-SIM type")
474 rid = p[0].split('-')[3]
475 # This will fail during GSM auth validation
476 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
477 raise Exception("CTRL-RSP-SIM failed")
478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
480 raise Exception("EAP failure not reported")
482 def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
483 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
485 _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
487 dev[0].request("SET external_sim 0")
489 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
490 check_hlr_auc_gw_support()
491 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
492 hostapd.add_ap(apdev[0]['ifname'], params)
493 dev[0].request("SET external_sim 1")
494 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
495 identity="1232010000000000",
496 wait_connect=False, scan_freq="2412")
498 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
500 raise Exception("Wait for external SIM processing request timed out")
502 if p[1] != "GSM-AUTH":
503 raise Exception("Unexpected CTRL-REQ-SIM type")
504 rid = p[0].split('-')[3]
505 rand = p[2].split(' ')[0]
507 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
509 "auth_serv/hlr_auc_gw.milenage_db",
510 "GSM-AUTH-REQ 232010000000000 " + rand])
511 if "GSM-AUTH-RESP" not in res:
512 raise Exception("Unexpected hlr_auc_gw response")
513 resp = res.split(' ')[2].rstrip()
515 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
516 dev[0].wait_connected(timeout=15)
517 dev[0].request("DISCONNECT")
518 dev[0].wait_disconnected()
520 # Replace SIM, but forget to drop the previous pseudonym identity
521 dev[0].set_network_quoted(id, "identity", "1232010000000009")
522 dev[0].select_network(id, freq="2412")
524 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
526 raise Exception("Wait for external SIM processing request timed out")
528 if p[1] != "GSM-AUTH":
529 raise Exception("Unexpected CTRL-REQ-SIM type")
530 rid = p[0].split('-')[3]
531 rand = p[2].split(' ')[0]
533 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
535 "auth_serv/hlr_auc_gw.milenage_db",
536 "GSM-AUTH-REQ 232010000000009 " + rand])
537 if "GSM-AUTH-RESP" not in res:
538 raise Exception("Unexpected hlr_auc_gw response")
539 resp = res.split(' ')[2].rstrip()
541 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
544 raise Exception("EAP-Failure not reported")
545 dev[0].request("DISCONNECT")
546 dev[0].wait_disconnected()
548 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
549 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
551 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
553 dev[0].request("SET external_sim 0")
555 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
556 check_hlr_auc_gw_support()
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 hostapd.add_ap(apdev[0]['ifname'], params)
559 dev[0].request("SET external_sim 1")
560 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
561 identity="1232010000000000",
562 wait_connect=False, scan_freq="2412")
564 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p[1] != "GSM-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid = p[0].split('-')[3]
571 rand = p[2].split(' ')[0]
573 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
575 "auth_serv/hlr_auc_gw.milenage_db",
576 "GSM-AUTH-REQ 232010000000000 " + rand])
577 if "GSM-AUTH-RESP" not in res:
578 raise Exception("Unexpected hlr_auc_gw response")
579 resp = res.split(' ')[2].rstrip()
581 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
582 dev[0].wait_connected(timeout=15)
583 dev[0].request("DISCONNECT")
584 dev[0].wait_disconnected()
586 # Replace SIM and drop the previous pseudonym identity
587 dev[0].set_network_quoted(id, "identity", "1232010000000009")
588 dev[0].set_network(id, "anonymous_identity", "NULL")
589 dev[0].select_network(id, freq="2412")
591 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
593 raise Exception("Wait for external SIM processing request timed out")
595 if p[1] != "GSM-AUTH":
596 raise Exception("Unexpected CTRL-REQ-SIM type")
597 rid = p[0].split('-')[3]
598 rand = p[2].split(' ')[0]
600 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
602 "auth_serv/hlr_auc_gw.milenage_db",
603 "GSM-AUTH-REQ 232010000000009 " + rand])
604 if "GSM-AUTH-RESP" not in res:
605 raise Exception("Unexpected hlr_auc_gw response")
606 resp = res.split(' ')[2].rstrip()
608 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
609 dev[0].wait_connected()
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
613 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
614 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
616 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
618 dev[0].request("SET external_sim 0")
620 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
621 check_hlr_auc_gw_support()
622 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
623 hostapd.add_ap(apdev[0]['ifname'], params)
624 dev[0].request("SET external_sim 1")
625 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
626 wait_connect=False, scan_freq="2412")
628 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
630 raise Exception("Request for identity timed out")
631 rid = ev.split(':')[0].split('-')[-1]
632 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
634 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
636 raise Exception("Wait for external SIM processing request timed out")
638 if p[1] != "GSM-AUTH":
639 raise Exception("Unexpected CTRL-REQ-SIM type")
640 rid = p[0].split('-')[3]
641 rand = p[2].split(' ')[0]
643 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
645 "auth_serv/hlr_auc_gw.milenage_db",
646 "GSM-AUTH-REQ 232010000000000 " + rand])
647 if "GSM-AUTH-RESP" not in res:
648 raise Exception("Unexpected hlr_auc_gw response")
649 resp = res.split(' ')[2].rstrip()
651 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
652 dev[0].wait_connected(timeout=15)
653 dev[0].request("DISCONNECT")
654 dev[0].wait_disconnected()
656 # Replace SIM and drop the previous permanent and pseudonym identities
657 dev[0].set_network(id, "identity", "NULL")
658 dev[0].set_network(id, "anonymous_identity", "NULL")
659 dev[0].select_network(id, freq="2412")
661 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
663 raise Exception("Request for identity timed out")
664 rid = ev.split(':')[0].split('-')[-1]
665 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
667 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
669 raise Exception("Wait for external SIM processing request timed out")
671 if p[1] != "GSM-AUTH":
672 raise Exception("Unexpected CTRL-REQ-SIM type")
673 rid = p[0].split('-')[3]
674 rand = p[2].split(' ')[0]
676 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
678 "auth_serv/hlr_auc_gw.milenage_db",
679 "GSM-AUTH-REQ 232010000000009 " + rand])
680 if "GSM-AUTH-RESP" not in res:
681 raise Exception("Unexpected hlr_auc_gw response")
682 resp = res.split(' ')[2].rstrip()
684 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
685 dev[0].wait_connected()
686 dev[0].request("DISCONNECT")
687 dev[0].wait_disconnected()
689 def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
690 """EAP-SIM with external GSM auth and auth failing"""
692 _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
694 dev[0].request("SET external_sim 0")
696 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
697 check_hlr_auc_gw_support()
698 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
699 hostapd.add_ap(apdev[0]['ifname'], params)
700 dev[0].request("SET external_sim 1")
701 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
702 identity="1232010000000000",
703 wait_connect=False, scan_freq="2412")
705 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
707 raise Exception("Wait for external SIM processing request timed out")
709 rid = p[0].split('-')[3]
710 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
711 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
713 raise Exception("EAP failure not reported")
714 dev[0].request("REMOVE_NETWORK all")
715 dev[0].wait_disconnected()
717 def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
718 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
720 _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
722 dev[0].request("SET external_sim 0")
724 def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
725 check_hlr_auc_gw_support()
726 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
727 hostapd.add_ap(apdev[0]['ifname'], params)
728 dev[0].request("SET external_sim 1")
729 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
730 identity="1232010000000000",
731 wait_connect=False, scan_freq="2412")
733 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
735 raise Exception("Wait for external SIM processing request timed out")
737 if p[1] != "GSM-AUTH":
738 raise Exception("Unexpected CTRL-REQ-SIM type")
739 rid = p[0].split('-')[3]
740 rand = p[2].split(' ')[0]
742 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
744 "auth_serv/hlr_auc_gw.milenage_db",
745 "GSM-AUTH-REQ 232010000000000 " + rand])
746 if "GSM-AUTH-RESP" not in res:
747 raise Exception("Unexpected hlr_auc_gw response")
748 resp = res.split(' ')[2].rstrip()
750 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
751 dev[0].wait_connected(timeout=15)
753 # Verify that EAP-SIM Reauthentication can be used after a profile change
754 # that does not affect EAP parameters.
755 dev[0].set_network(id, "bssid", "any")
756 eap_reauth(dev[0], "SIM")
758 def test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
759 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
761 _test_ap_wpa2_eap_sim_no_change_set(dev, apdev)
763 dev[0].request("SET external_sim 0")
765 def _test_ap_wpa2_eap_sim_no_change_set(dev, apdev):
766 check_hlr_auc_gw_support()
767 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
768 hostapd.add_ap(apdev[0]['ifname'], params)
769 dev[0].request("SET external_sim 1")
770 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
771 identity="1232010000000000",
772 wait_connect=False, scan_freq="2412")
774 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
776 raise Exception("Wait for external SIM processing request timed out")
778 if p[1] != "GSM-AUTH":
779 raise Exception("Unexpected CTRL-REQ-SIM type")
780 rid = p[0].split('-')[3]
781 rand = p[2].split(' ')[0]
783 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
785 "auth_serv/hlr_auc_gw.milenage_db",
786 "GSM-AUTH-REQ 232010000000000 " + rand])
787 if "GSM-AUTH-RESP" not in res:
788 raise Exception("Unexpected hlr_auc_gw response")
789 resp = res.split(' ')[2].rstrip()
791 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
792 dev[0].wait_connected(timeout=15)
794 # Verify that EAP-SIM Reauthentication can be used after network profile
795 # SET_NETWORK commands that do not actually change previously set
797 dev[0].set_network(id, "key_mgmt", "WPA-EAP")
798 dev[0].set_network(id, "eap", "SIM")
799 dev[0].set_network_quoted(id, "identity", "1232010000000000")
800 dev[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
801 eap_reauth(dev[0], "SIM")
803 def test_ap_wpa2_eap_sim_oom(dev, apdev):
804 """EAP-SIM and OOM"""
805 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
806 hostapd.add_ap(apdev[0]['ifname'], params)
807 tests = [ (1, "milenage_f2345"),
808 (2, "milenage_f2345"),
809 (3, "milenage_f2345"),
810 (4, "milenage_f2345"),
811 (5, "milenage_f2345"),
812 (6, "milenage_f2345"),
813 (7, "milenage_f2345"),
814 (8, "milenage_f2345"),
815 (9, "milenage_f2345"),
816 (10, "milenage_f2345"),
817 (11, "milenage_f2345"),
818 (12, "milenage_f2345") ]
819 for count, func in tests:
820 with fail_test(dev[0], count, func):
821 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
822 identity="1232010000000000",
823 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
824 wait_connect=False, scan_freq="2412")
825 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
827 raise Exception("EAP method not selected")
828 dev[0].wait_disconnected()
829 dev[0].request("REMOVE_NETWORK all")
831 def test_ap_wpa2_eap_aka(dev, apdev):
832 """WPA2-Enterprise connection using EAP-AKA"""
833 check_hlr_auc_gw_support()
834 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
835 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
836 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
837 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
838 hwsim_utils.test_connectivity(dev[0], hapd)
839 eap_reauth(dev[0], "AKA")
841 logger.info("Negative test with incorrect key")
842 dev[0].request("REMOVE_NETWORK all")
843 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
844 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
847 logger.info("Invalid Milenage key")
848 dev[0].request("REMOVE_NETWORK all")
849 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
850 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
853 logger.info("Invalid Milenage key(2)")
854 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
855 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
858 logger.info("Invalid Milenage key(3)")
859 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
860 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
863 logger.info("Invalid Milenage key(4)")
864 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
865 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
868 logger.info("Invalid Milenage key(5)")
869 dev[0].request("REMOVE_NETWORK all")
870 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
871 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
874 logger.info("Invalid Milenage key(6)")
875 dev[0].request("REMOVE_NETWORK all")
876 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
877 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
880 logger.info("Missing key configuration")
881 dev[0].request("REMOVE_NETWORK all")
882 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    # EAP-AKA against hostapd's SQLite-backed EAP user database. After a
    # normal full authentication, the fast re-authentication state (the
    # `reauth` and `pseudonyms` tables in hostapd.db) is edited directly to
    # cover the fallback and rejection paths of EAP-AKA re-authentication.
    # `params['logdir']` locates hostapd.db; the name `params` is then rebound
    # to the AP configuration.
    check_hlr_auc_gw_support()
    # NOTE(review): the listing omits the lines between listing lines 887
    # and 891 (the sqlite3 import guard this raise belongs to).
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably selects the authentication server instance backed by the
    # SQLite user database - confirm against the test setup.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Milenage test credentials (three colon-separated hex fields), as used
    # by the other EAP-AKA tests in this file.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
    # NOTE(review): the listing omits the lines between listing lines 902/905
    # (presumably a `with con:` block and cursor setup that the indented
    # execute() belongs to); the same applies at 908/911, 915/918, 923/926,
    # 927/930 and 936/939 below.
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    # Reauth state gone: the supplicant has to fall back to a full
    # authentication, here still using its pseudonym.
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    # Neither reauth state nor pseudonym left: full auth with the permanent
    # identity is expected.
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    # A server-side MK that no longer matches the peer's must make the fast
    # reauth fail rather than silently succeed.
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # The counter is reset again after a reauth, so server and peer are out
    # of step; the reauth is still expected to complete (presumably by
    # falling back to full authentication - confirm).
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    # Counter beyond the server's reauth limit: fast reauth is no longer
    # usable, but the connection itself is still expected to succeed.
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Plain EAP-AKA connection that additionally sets anonymous_identity, so
    # the identity-privacy option is exercised on the AKA code path.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    aka_cfg = {
        "password": "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        "anonymous_identity": "2345678",
    }
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **aka_cfg)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # Thin wrapper: runs the external-SIM test body and then resets
    # external_sim so later tests see the default configuration.
    # NOTE(review): the listing omits listing lines 953 and 955 (presumably
    # the try/finally around these two indented statements).
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Drives EAP-AKA with `external_sim` enabled: every UMTS authentication
    # request is surfaced as a CTRL-REQ-SIM event and answered over the
    # control interface instead of by the built-in Milenage code. Every answer
    # fed back here is deliberately wrong in type, format or length, and each
    # attempt must end in CTRL-EVENT-EAP-FAILURE - the supplicant has to
    # reject malformed external responses instead of deriving keys from them.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # NOTE(review): `id` shadows the builtin; a rename would be harmless.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the listing omits the guard lines that each indented
    # raise below belongs to (between listing lines 967/969, 971/973,
    # 983/985, 992/994, 1002/1004, 1012/1014, 1029/1031 and 1039/1041), the
    # `p = ev.split(...)` lines between 973/975 and 994/996, and whatever
    # stands between 977 and 980.
        raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]
    # Wrong response type: a GSM-AUTH answer to a UMTS-AUTH request. The
    # ctrl_iface accepts the command; the EAP method must still fail.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Second pass: UMTS-AUTS (resynchronisation) answers of the wrong length,
    # first too long, then far too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Third pass: UMTS-AUTH answers - the first is well-formed but not a
    # valid response for this server, the rest are syntactically broken
    # (wrong separators, a short middle field, an over-long or non-hex last
    # field). All must be rejected.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              # NOTE(review): one list entry (listing line 1021) is not shown.
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    # NOTE(review): the loop header (listing line 1027, presumably
    # `for t in tests:`) is not shown; the block below is its body.
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # Thin wrapper: runs the test body and then resets external_sim so later
    # tests see the default configuration.
    # NOTE(review): the listing omits listing lines 1049 and 1051 (presumably
    # the try/finally around these two indented statements).
        _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # External-SIM path where the external authenticator answers the first
    # UMTS-AUTH request with UMTS-FAIL. No password is configured, so there
    # is no built-in fallback; the exchange must end in CTRL-EVENT-EAP-FAILURE.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # NOTE(review): `id` shadows the builtin; a rename would be harmless.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # NOTE(review): the listing omits the guard lines between listing lines
    # 1063/1065 and 1069/1071 that the two indented raises belong to.
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # Successful EAP-AKA' authentication with data connectivity and fast
    # re-authentication; then a second station that offers both AKA' and AKA
    # (the bidding-down protection case, not asserted beyond connecting);
    # finally a wrong Milenage key, which must fail.
    check_hlr_auc_gw_support()
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    imsi = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # The "@both" realm presumably maps to a server user that accepts either
    # method - confirm against the test user database.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # EAP-AKA' counterpart of test_ap_wpa2_eap_aka_sql: full authentication
    # against the SQLite-backed user database, then the `reauth` and
    # `pseudonyms` rows are edited directly to cover fast-reauth fallback,
    # rejection of a mismatching k_aut, counter handling and the reauth limit.
    # `params['logdir']` locates hostapd.db; `params` is then rebound to the
    # AP configuration.
    check_hlr_auc_gw_support()
    # NOTE(review): the listing omits the lines between listing lines 1100
    # and 1104 (the sqlite3 import guard this raise belongs to).
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Presumably selects the authentication server instance backed by the
    # SQLite user database - confirm against the test setup.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
    # NOTE(review): the listing omits the lines between listing lines
    # 1115/1118 (presumably a `with con:` block and cursor setup that the
    # indented execute() belongs to); the same applies at 1121/1124,
    # 1128/1131, 1136/1139, 1140/1143 and 1149/1152 below.
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    # Reauth state gone: fall back to full auth, still with the pseudonym.
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
        cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    # Neither reauth state nor pseudonym left: full auth with the permanent
    # identity is expected.
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
        cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    # A server-side k_aut that no longer matches the peer's must make the
    # fast reauth fail rather than silently succeed.
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    # Counter reset again after a reauth: server and peer are out of step,
    # yet the reauth is still expected to complete (presumably via fallback
    # to full authentication - confirm).
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    # Counter beyond the server's reauth limit: fast reauth no longer usable,
    # the connection itself is still expected to succeed.
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # Thin wrapper: runs the test body and then resets external_sim so later
    # tests see the default configuration.
    # NOTE(review): the listing omits listing lines 1158 and 1160 (presumably
    # the try/finally around these two indented statements).
        _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # EAP-AKA' variant of the external-SIM failure case: the external
    # authenticator answers the first UMTS-AUTH request with UMTS-FAIL and the
    # exchange must end in CTRL-EVENT-EAP-FAILURE. No password is configured.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # NOTE(review): `id` shadows the builtin; a rename would be harmless.
    id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                        identity="6555444333222111",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # NOTE(review): the listing omits the guard lines between listing lines
    # 1172/1174 and 1178/1180 that the two indented raises belong to.
        raise Exception("Wait for external SIM processing request timed out")
    p = ev.split(':', 2)
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>".
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    # Also verifies that GET_CONFIG lists WPA-EAP as the first key_mgmt entry
    # and that the RSN MIB reports 802.1X (00-0f-ac-1) as both the requested
    # and the selected AKM. PAP carries the password in the clear inside the
    # tunnel, so ca_cert is what anchors the TLS server authentication here.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    reported_key_mgmt = ap.get_config()['key_mgmt']
    first_akm, _, _ = reported_key_mgmt.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + reported_key_mgmt)

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # On top of the CA check, the server certificate must satisfy both a
    # subject_match on its subject DN and an altsubject_match on its
    # alternative names before the PAP credentials go over the tunnel.
    for capability_check in (check_subject_match_support,
                             check_altsubject_match_support):
        capability_check(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel_cfg = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=PAP",
        "subject_match": "/C=FI/O=w1.fi/CN=server.w1.fi",
        "altsubject_match": "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **tunnel_cfg)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    # Both attempts must be rejected: a wrong password for the PAP user, and
    # the right password for "user" (presumably not provisioned for inner
    # PAP in the test user database - confirm).
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = [
        (dev[0], "pap user", "wrong"),
        (dev[1], "user", "password"),
    ]
    for sta, identity, password in rejected:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP uses MD5, hence the FIPS skip. The CA is given in DER form here
    # (ca.der) rather than the PEM used by most of the other TTLS tests.
    skip_with_fips(dev[0])
    ap_ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    chap_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **chap_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # Same as the plain CHAP case, with an altsubject_match on the server
    # certificate's alternative names (listed in a different order than in
    # the PAP variant, which must not matter).
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    chap_cfg = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi",
                **chap_cfg)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    # Both attempts must be rejected: a wrong password for the CHAP user, and
    # the right password for "user" (presumably not provisioned for inner
    # CHAP in the test user database - confirm).
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = [
        (dev[0], "chap user", "wrong"),
        (dev[1], "user", "password"),
    ]
    for sta, identity, password in rejected:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    # Three MSCHAP-over-TTLS connections for the same user: with
    # domain_suffix_match on the server name, with a small EAP fragment size
    # ("200") to exercise fragmentation, and with the NT password hash via
    # password_hex so the clear-text password is never configured.
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap_ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base_cfg = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAP")

    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **base_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **base_cfg)

    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base_cfg)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # All three attempts must be rejected: wrong password, a user presumably
    # not provisioned for inner MSCHAP (confirm), and an unknown user. The
    # unknown-user case matters because it must fail the same way as a bad
    # password rather than behave differently.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    rejected = [
        (dev[0], "mschap user", "wrong"),
        (dev[1], "user", "password"),
        (dev[2], "no such user", "password"),
    ]
    for sta, identity, password in rejected:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
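def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # EAP-TTLS with MSCHAPv2 as the inner (non-EAP) method and the server
    # name checked via domain_suffix_match. hostapd's STA/EAPOL counters are
    # sampled before and after a re-authentication to confirm the reauth went
    # through the authenticator. Finally the same user authenticates with the
    # NT password hash instead of the clear-text password.
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: the value is still "DOMAIN\mschapv2 user",
    # but no longer relies on Python keeping the unknown escape "\m" verbatim
    # (a SyntaxWarning from 3.12, scheduled to become an error).
    user = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    # Each counter must have moved, otherwise the reauth was not a real
    # EAP exchange with the backend.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # password_hex="hash:<NT hash>" lets the supplicant authenticate without
    # ever holding the clear-text password.
    eap_connect(dev[0], apdev[0], "TTLS", user,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")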
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    # Each phase2 string is one the supplicant must reject (presumably:
    # wrong-case method name, mixing auth= with autheap=, duplicate or
    # unknown methods). EAP-TTLS has to be proposed (method=21) and then
    # fail to initialize; reaching CTRL-EVENT-CONNECTED is a test failure.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
    # NOTE(review): the loop header (listing line 1342, presumably
    # `for t in tests:`) is not shown; the block below is its body.
    # NOTE(review): "DOMAIN\mschapv2 user" relies on Python keeping the
    # unknown escape "\m" verbatim; writing "\\m" gives the same value
    # without the 3.12+ SyntaxWarning.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
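def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # domain_suffix_match with only the parent domain ("w1.fi") of the server
    # name; check_domain_match_full skips TLS libraries that can only do a
    # full match.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: same value as "DOMAIN\mschapv2 user",
    # without relying on the unknown escape "\m" (SyntaxWarning from 3.12).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")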
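def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    # Full domain_match against the server name, given with different case
    # ("Server.w1.fi") so that the comparison is exercised case-insensitively.
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped explicitly: same value as "DOMAIN\mschapv2 user",
    # without relying on the unknown escape "\m" (SyntaxWarning from 3.12).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")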
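def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    # Both attempts must be rejected: a near-miss password ("password1") for
    # the MSCHAPv2 user, and the right password for "user" (presumably not
    # provisioned for inner MSCHAPv2 in the test user database - confirm).
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Backslash escaped explicitly: same value as "DOMAIN\mschapv2 user",
    # without relying on the unknown escape "\m" (SyntaxWarning from 3.12).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)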
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    # A non-ASCII password given as UTF-8 text, then the same user with the
    # precomputed NT hash, must both authenticate. Afterwards a set of
    # password_hex values that cannot be valid UTF-8 / are over-long must be
    # rejected locally: the EAP failure is expected within one second,
    # i.e. before any exchange with the server.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # "80": lone continuation byte; "41c041e04141e041": truncated multi-byte
    # sequences; 257*"41": presumably beyond the supported password length.
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # NOTE(review): the guard line between listing lines 1420 and 1422
        # that this indented raise belongs to is not shown.
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # EAP-GTC as the inner EAP method (autheap=GTC): the password travels
    # as a plain token inside the tunnel, so the ca_cert pin is what protects
    # it. Connectivity and a re-authentication are checked afterwards.
    ap_ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **gtc_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    # A wrong GTC password must fail the inner method and hence the
    # connection.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                **gtc_cfg)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    # "user-no-passwd" has no password on the server side; offering one must
    # not let the user in (fail closed rather than accept anything).
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    gtc_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **gtc_cfg)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Allocation failures injected into hostapd's EAP-GTC server (uses the
    # internal EAP server, int_eap_server_params). eap_gtc_init failing must
    # surface as an authentication failure; for eap_gtc_buildReq the test only
    # waits until the injected failure has been hit.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop header and delay (between listing
        # lines 1472 and 1475) and the loop exit after 1475 are not shown.
        # GET_ALLOC_FAIL starting with '0' presumably means the injected
        # failure has been consumed - confirm against alloc_fail().
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    # Supplicant-side allocation failures in the EAP-GTC peer (init, and
    # message allocation during eap_gtc_process). Each attempt only has to
    # reach the injected failure and then tear down cleanly.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    tests = [ "eap_gtc_init",
              "eap_msg_alloc;eap_gtc_process" ]
    # NOTE(review): the loop header (listing line 1485, presumably
    # `for func in tests:`) and listing lines 1488 and 1492 inside the
    # connect() call are not shown; the argument list below is incomplete.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 as the inner EAP method; skipped on builds without MD5
    # support. Connectivity and a re-authentication are checked afterwards.
    check_eap_capa(dev[0], "MD5")
    ap_ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **md5_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    # A wrong MD5 password must fail the inner method and hence the
    # connection.
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5_cfg = dict(anonymous_identity="ttls", password="wrong",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True,
                **md5_cfg)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    # "user-no-passwd" has no password on the server side; offering one must
    # not let the user in.
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    md5_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **md5_cfg)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    # Allocation failures injected into hostapd's EAP-MD5 server (internal
    # EAP server). eap_md5_init failing must surface as an authentication
    # failure; for eap_md5_buildReq the test only waits until the injected
    # failure has been hit.
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop header and delay (between listing
        # lines 1547 and 1550) and the loop exit after 1550 are not shown.
        # GET_ALLOC_FAIL starting with '0' presumably means the injected
        # failure has been consumed - confirm against alloc_fail().
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    # MSCHAPv2 as the inner EAP method (autheap=MSCHAPV2, as opposed to the
    # non-EAP auth=MSCHAPV2 variant). A good connection with connectivity and
    # reauth, then a near-miss password that must be rejected.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base_cfg = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="autheap=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **base_cfg)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **base_cfg)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    # "user-no-passwd" has no password on the server side; offering one must
    # not let the user in.
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    mschapv2_cfg = dict(anonymous_identity="ttls", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **mschapv2_cfg)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # Allocation failures injected into hostapd's EAP-MSCHAPv2 server
    # (internal EAP server) at each message-building step: init, challenge,
    # success request, and - with a wrong password - failure request. Only
    # the init case is asserted to fail authentication; the others only wait
    # until the injected failure has been hit.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the polling loop header and delay (between listing
        # lines 1600 and 1603) and the loop exit (1604) are not shown; the
        # same applies at 1614/1617 and 1628/1631 below. GET_ALLOC_FAIL
        # starting with '0' presumably means the injected failure has been
        # consumed - confirm against alloc_fail().
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    # Wrong password on purpose so the server reaches the failure-request
    # builder, where the allocation failure is injected.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    # EAP-AKA tunnelled inside EAP-TTLS: the IMSI is only exposed inside the
    # tunnel, the outer identity is the "@ttls" realm form.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls", password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same AKA credentials as the TTLS variant, but tunnelled inside PEAP
    (phase2="auth=AKA").
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    inner_aka = dict(
        anonymous_identity="0232010000000000@peap",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000", **inner_aka)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    Requires EAP-FAST in the build. Uses authenticated PAC provisioning
    (fast_provisioning=2) with the PAC stored in a config blob, and AKA as
    the inner method.
    """
    check_eap_capa(dev[0], "FAST")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    inner_aka = dict(
        anonymous_identity="0232010000000000@fast",
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        phase1="fast_provisioning=2",
        pac_file="blob://fast_pac_auth_aka",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=AKA",
    )
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000", **inner_aka)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four passes over the same AP: a plain connection with a data-path check
    and reauthentication, a connection with a small EAP fragment size, a
    connection where the password is given pre-hashed (password_hex with
    the "hash:" prefix), and a negative pass with a wrong password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # fragment_size=200 forces the TLS handshake to be carried over many
    # EAP fragments.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The inner identity carries a DOMAIN\\ prefix; the connection must still
    succeed, pass traffic and survive reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    domain_user = "DOMAIN\user3"
    eap_connect(dev[0], apdev[0], "PEAP", domain_user,
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password

    Negative case: the inner MSCHAPv2 password is wrong, so eap_connect is
    told to expect the authentication to fail.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_creds = dict(anonymous_identity="peap", password="wrong",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **bad_creds)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    dev[0] requires crypto binding (crypto_binding=2) and is additionally
    checked for connectivity and reauthentication; dev[1] and dev[2]
    connect with crypto_binding=1 and 0 respectively.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def peapv0_connect(sta, binding):
        # PEAPv0 with the given crypto_binding level (2 is the strictest
        # setting wpa_supplicant offers), MSCHAPv2 as the inner method.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    peapv0_connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    peapv0_connect(dev[1], 1)
    peapv0_connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM

    Uses the integrated EAP server and injects an allocation failure in
    eap_mschapv2_getKey; with crypto binding required, the missing inner
    key material must make the connection fail on the peer side.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    oom_target = "eap_mschapv2_getKey"
    with alloc_fail(hapd, 1, oom_target):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
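def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Walks through PEAP phase1 option combinations: peaplabel=1 with PEAPv0
    (expected to fail), peap_outer_success=0/1/2, peapver=1 with
    peaplabel=1 (EAP success but no connection), matching and mismatching
    peapver against the server's per-identity version, and a set of tls_*
    flags.

    Several lines of the pasted original were dropped (the identity=
    argument of two connect() calls, the "ev is None" guards, one tuple
    entry and one closing argument); they are restored here from the
    surrounding pattern and marked NOTE(review) where not certain.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    base = dict(anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    def expect(events, timeout, msg):
        # Wait for one of the events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # peaplabel=1 together with PEAPv0 is expected to fail against this
    # server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 peaplabel=1", expect_failure=True, **base)
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): identity="user" restored; the paste dropped that line.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP", identity="user",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412", **base)
    expect(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")

    # NOTE(review): identity="user" restored; the paste dropped that line.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP", identity="user",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412", **base)
    expect(["CTRL-EVENT-EAP-SUCCESS"], 15, "No EAP success seen")
    # EAP completes but the connection must not come up within 1 s.
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")

    # The anonymous identity presumably steers which PEAP version the test
    # server uses; these (identity, peapver) pairs are compatible and must
    # connect.
    # NOTE(review): the ("peap-ver1", "") entry is restored from the
    # pattern -- the paste dropped one list line here; confirm upstream.
    matching = [("peap-ver0", ""),
                ("peap-ver1", ""),
                ("peap-ver0", "peapver=0"),
                ("peap-ver1", "peapver=1")]
    for anon, phase1 in matching:
        # NOTE(review): closing scan_freq="2412") restored; the paste
        # dropped the last argument line of this call.
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatching pairs must end in EAP-Failure rather than a connection.
    mismatching = [("peap-ver0", "peapver=1"),
                   ("peap-ver1", "peapver=0")]
    for anon, phase1 in mismatching:
        dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        expect(["CTRL-EVENT-EAP-FAILURE"], 15, "No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Exercise the tls_* phase1 knobs. tls_allow_md5=1 and re-enabling
    # TLSv1.0/1.1 relax the TLS policy; they are here for option coverage,
    # not as a recommended configuration.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")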
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    EAP-TLS as the inner method of PEAP: the *2 parameters (ca_cert2,
    client_cert2, private_key2) configure the inner TLS credentials.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Mutual TLS with a PEM client certificate and key, followed by a
    reauthentication round.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key

    The client key is an encrypted PKCS #8 file; the passphrase is given
    with private_key_passwd.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8",
                        private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key

    Same as the v2/DES3 case but with a PKCS #5 v1.5 encrypted key file.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                        private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
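def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are uploaded to
    wpa_supplicant as named blobs ("SET blob <name> <hex>") and referenced
    through blob:// URIs instead of file paths.

    Fix: the error raised when the userkey upload fails said "cacert"; the
    message now names the blob that actually failed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, path):
        # Read a PEM file and store it hex-encoded under the blob name.
        pem = read_pem(path)
        res = dev[0].request("SET blob %s %s" % (name, pem.encode("hex")))
        if "OK" not in res:
            raise Exception("Could not set %s blob" % name)

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")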
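def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set;
    the EAP method must fail to initialize (reported on the control
    interface) rather than connect. The "ev is None" guard dropped from the
    pasted original is restored.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                           timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()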
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets

    phase1="include_tls_length=1" makes the peer include the TLS Message
    Length field even when no fragmentation is needed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        phase1="include_tls_length=1",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
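def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three parts: connect with a PKCS#12 bundle and a configured passphrase;
    connect again without a passphrase and supply it interactively through
    the CTRL-REQ-PASSPHRASE / CTRL-RSP-PASSPHRASE exchange; then repeat
    with two bundles that carry an extra certificate to exercise chain
    handling.

    Restored from the pasted original: the "ev is None" guard and the
    private_key=pkcs12 argument in the final loop (the loop variable is
    otherwise unused, so that is the only sensible reading).
    """
    check_pkcs12_support(dev[0])
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    def drop_network():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    drop_network()

    # No private_key_passwd: wpa_supplicant has to ask for it.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request line ends in "<id>:..." -- echo the id back in the reply.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    drop_network()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        drop_network()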
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM) and the PKCS#12 bundle (raw bytes) are both
    stored as hex-encoded config blobs and referenced via blob:// URIs.
    """
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, raw, what):
        if "OK" not in dev[0].request("SET blob " + name + " " + raw.encode("hex")):
            raise Exception("Could not set " + what + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"), "cacert")
    # PKCS#12 is binary, so read it in "rb" mode rather than through read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read(), "pkcs12")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
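def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Two stations trust a CA that did not issue the server certificate:
    dev[0] via a cacert blob, dev[1] via the ca-incorrect.pem file. Both
    must report a TLS certificate error, then EAP failure, then
    disconnection, and finally temporary disabling of the network block.

    Fixes over the pasted original: the loop variable no longer shadows
    the dev parameter, the "ev is None" guards that were dropped are
    restored, and the DOMAIN\\ identity literal uses an explicit backslash
    (same runtime value, no invalid-escape warning).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                 password="password", phase2="auth=MSCHAPV2",
                 wait_connect=False, scan_freq="2412")
    dev[0].connect(ssid, ca_cert="blob://cacert", **creds)
    dev[1].connect(ssid, ca_cert="auth_serv/ca-incorrect.pem", **creds)

    def expect(sta, events, timeout, msg):
        # Wait for one of events on sta or fail the test with msg.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
               "Association and EAP start timed out")

        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The server cert must be rejected before any success/connect event.
        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                          "CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(sta, ["CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], 10,
                    "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
               "Network block disabling not reported")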
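def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connects once with the correct CA, then switches to a second network
    block that trusts ca-incorrect.pem. Re-starting EAP-TTLS against the
    same server must now end in disconnection with reason=23 (IEEE 802.1X
    authentication failed). The "ev is None" guard dropped from the pasted
    original is restored; the unused hapd binding is gone.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP", scan_freq="2412")
    dev[0].connect(ssid, ca_cert="auth_serv/ca.pem", wait_connect=True, **pap)
    # Second profile: same credentials, wrong trust root; not connected yet.
    bad_id = dev[0].connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(bad_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")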
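def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust where the first network
    block sets no ca_cert at all (so the server certificate is not
    validated on the first connection); the second block trusts the wrong
    CA and re-starting EAP-TTLS must end in a reason=23 disconnection. The
    "ev is None" guard dropped from the pasted original is restored; the
    unused hapd binding is gone.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP", scan_freq="2412")
    # Deliberately no ca_cert here: this profile accepts any server cert.
    dev[0].connect(ssid, wait_connect=True, **pap)
    bad_id = dev[0].connect(ssid, ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(bad_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")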
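def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Third variant: a single network block is connected with the correct
    CA, disconnected, and its ca_cert is then changed in place to
    ca-incorrect.pem. Re-selecting it must re-start EAP-TTLS and end in a
    reason=23 disconnection, i.e. the trust change takes effect without
    re-creating the block. The "ev is None" guard dropped from the pasted
    original is restored; the unused hapd binding is gone.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    net_id = dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")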
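def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The CA is correct but domain_suffix_match names a suffix the server
    certificate does not carry, so the cert error must be reported as a
    "Domain suffix mismatch", followed by EAP failure, disconnection and
    temporary disabling of the network block. The "ev is None" guards
    dropped from the pasted original are restored.
    """
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        # Wait for one of events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")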
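def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    domain_match requires a full match of the server certificate's name;
    "w1.fi" is expected not to match it, so the cert error must carry
    "Domain mismatch" and the connection must end in EAP failure,
    disconnection and a temporarily disabled network block. The "ev is
    None" guards dropped from the pasted original are restored.
    """
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        # Wait for one of events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10, "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")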
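def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN the server certificate does not have. With
    a TLS library that lacks subject_match support the EAP method fails to
    initialize, which already counts as a pass (no connection); with
    OpenSSL that initialization failure is itself an error and the flow
    must instead produce a "Subject mismatch" cert error, EAP failure,
    disconnection and a temporarily disabled network block.

    Restored from the pasted original: the "ev is None" guards and the
    early return after the "subject_match not supported" log line (the
    message says the test has succeeded at that point).
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        # Wait for one of events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")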
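def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Runs the altsubject mismatch flow once per candidate match string
    (bare host name and DNS:-prefixed form) against one AP.

    NOTE(review): the pasted original drops two lines between the
    "DNS:incorrect.example.com" entry and the helper call, i.e. further
    list entries and the "for match in tests:" header. The loop header is
    restored; the missing entries are not guessed -- confirm the full list
    against upstream.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com"]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)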
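def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject mismatch case against an already running AP.

    Args:
        dev: station list; only dev[0] is used.
        apdev: AP device list (unused here; kept for call-site symmetry).
        match: value for the altsubject_match network parameter.

    A TLS library without altsubject_match support fails EAP method
    initialization, which counts as a pass (and is an error with OpenSSL).
    Otherwise the server cert must be rejected with "AltSubject mismatch",
    followed by EAP failure, disconnection and a temporarily disabled
    network block; the network is removed at the end so the caller can
    loop. Restored from the pasted original: the "ev is None" guards and
    the early return after the "not supported" log line.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, msg):
        # Wait for one of events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")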
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-only authentication (no client certificate); the CA is still
    checked, and a reauthentication round follows.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    method = "UNAUTH-TLS"
    eap_connect(dev[0], apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], method)
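def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Server certificate pinning by hash instead of a CA:
      1. ca_cert="probe://" performs a certificate chain probe -- the peer
         reports the server certificate (with its hash) and then aborts
         with a "Server certificate chain probe" cert error, never
         connecting.
      2. ca_cert="hash://server/sha256/<wrong hash>" must be rejected with
         "Server certificate mismatch".
      3. ca_cert="hash://server/sha256/<hash seen in step 1>" connects.

    The "ev is None" guards dropped from the pasted original are restored.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))

    def expect(events, timeout, msg):
        # Wait for one of events or fail the test with msg.
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # Step 1: probe the server chain. No credentials are sent; the probe
    # only learns the certificate and deliberately fails authentication.
    dev[0].connect(ssid, key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    mschapv2 = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2")

    # Step 2: a pin that does not match the presented certificate.
    dev[0].connect(ssid,
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412", **mschapv2)
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the correct pin from the probe.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")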
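def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// pins, one per station: an unsupported digest
    name (md5), a sha256 value that is too short, and a sha256 value with a
    non-hex character. Each must make TTLS initialization fail (the
    config is rejected) rather than connect with weakened pinning. The
    "ev is None" guards dropped from the pasted original are restored.
    """
    ssid = "test-wpa2-eap"
    hostapd.add_ap(apdev[0]['ifname'], hostapd.wpa2_eap_params(ssid=ssid))
    mschapv2 = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    wait_connect=False, scan_freq="2412")
    bad_pins = [
        # wrong digest algorithm
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # 62 hex digits instead of 64
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character at the end
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev[:3], bad_pins):
        sta.connect(ssid, ca_cert=pin, **mschapv2)

    init_fail = "EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"
    for sta in dev[:3]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event([init_fail], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")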
# NOTE(review): this listing is incomplete. The two eap_connect() calls for
# the long-NAI identity are unterminated as shown: the text between the lines
# numbered 2428/2431 and 2437/2440 (their closing arguments) is missing, so
# the exact options used there cannot be read from this page. Confirm
# against upstream before relying on this block.
2417 def test_ap_wpa2_eap_pwd(dev, apdev):
2418 """WPA2-Enterprise connection using EAP-pwd"""
2419 check_eap_capa(dev[0], "PWD")
2420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2421 hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: plaintext password, then reauthentication on the same session.
2422 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2423 eap_reauth(dev[0], "PWD")
2424 dev[0].request("REMOVE_NETWORK all")
# Very long NAI identity on a second station (closing arguments not shown).
2426 eap_connect(dev[1], apdev[0], "PWD",
2427 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2428 password="secret password",
# Wrong password ("secret-password" vs "secret password"): must fail, and
# the failure is expected to be reported locally by the peer.
2431 logger.info("Negative test with incorrect password")
2432 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2433 expect_failure=True, local_error_report=True)
# Long NAI again on dev[0] (closing arguments not shown).
2435 eap_connect(dev[0], apdev[0], "PWD",
2436 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2437 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    # NT-hash password handling is not available in FIPS mode.
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Presumably the NT hash of "secret password", the plaintext accepted for
    # the same "pwd-hash" user on dev[0] — confirm against the EAP user file.
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # Plaintext password for the hashed-password user: must succeed.
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    # Same user with the password supplied as an NT hash: must succeed.
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    # The hash is not the credential of "pwd user": must fail.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
# NOTE(review): this listing is incomplete. The loop header that iterates
# over `groups` (between the lines numbered 2463 and 2465), the try/except
# framing around the connection attempt (around 2468 and 2474), and the
# lines that follow the BoringSSL special case (2478, 2481–2483) are missing,
# so the control flow below cannot be read as shown. Confirm against
# upstream before relying on this block.
2453 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2454 """WPA2-Enterprise connection using various EAP-pwd groups"""
2455 check_eap_capa(dev[0], "PWD")
2456 tls = dev[0].request("GET tls_library")
2457 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2458 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2459 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# ECC groups 19/20/21 (NIST P-256/384/521) and FFC groups 25/26 (IANA IKE
# group registry numbering, as used by EAP-pwd).
2460 groups = [ 19, 20, 21, 25, 26 ]
# Brainpool groups 27–30 are only tried when both the build-time and the
# run-time OpenSSL report 1.0.2.
2461 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2462 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2463 groups += [ 27, 28, 29, 30 ]
# Per-group iteration: the AP is re-added with pwd_group set to the group.
2465 logger.info("Group %d" % i)
2466 params['pwd_group'] = str(i)
2467 hostapd.add_ap(apdev[0]['ifname'], params)
2469 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2470 password="secret password")
2471 dev[0].request("REMOVE_NETWORK all")
2472 dev[0].wait_disconnected()
2473 dev[0].dump_monitor()
# Failure path: group 25 is tolerated with BoringSSL; the handling of other
# failures is in the missing lines.
2475 if "BoringSSL" in tls and i in [ 25 ]:
2476 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2477 dev[0].request("DISCONNECT")
2479 dev[0].request("REMOVE_NETWORK all")
2480 dev[0].dump_monitor()
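def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    The integrated EAP server is configured with pwd_group=0, which is not
    a usable EAP-pwd group; the station must see an EAP failure rather
    than a completed authentication.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # wait_event() is presumed to return None on timeout; the listing showed
    # the raise unconditionally, so the guard is restored here — confirm
    # against upstream.
    if ev is None:
        raise Exception("Timeout on EAP failure report")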
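def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured explicitly (not via wpa2_eap_params()) so that the
    server-side fragment_size can be set; a value of 40 makes the
    authentication server fragment its EAP-pwd messages. The earlier
    wpa2_eap_params() result was never used and has been removed.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               # pwd_group 19 (NIST P-256); fragment_size is a server setting here
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")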
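def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Covers the baseline exchange and reauthentication, forced ciphersuite
    selection through the phase1 "cipher=" parameter, a ciphersuite the
    server does not accept (cipher=9), and a wrong PSK.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # eap_connect() returns the network id; renamed from `id` to avoid
    # shadowing the builtin.
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Updating phase1 on the live network presumably triggers a fresh
        # EAP exchange, which must succeed with the forced cipher.
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # wait_event() is presumed to return None on timeout; the listing
        # showed the raise unconditionally, so the guard is restored here
        # (and below) — confirm against upstream.
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same length as the valid PSK with the leading bytes altered.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)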
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # 32-byte SAKE root secret as hex; the negative case alters the first byte.
    root_secret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    wrong_secret = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=root_secret)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=wrong_secret,
                expect_failure=True)
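def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Covers the baseline exchange and reauthentication, forced proposal
    selection through phase1 (dhgroup/encr/prf/mac), a proposal the server
    does not accept (all values 9), and a wrong password.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # eap_connect() returns the network id; renamed from `id` to avoid
    # shadowing the builtin.
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Updating phase1 on the live network presumably triggers a fresh
        # EAP exchange, which must succeed with the forced proposal.
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # wait_event() is presumed to return None on timeout; the listing
        # showed the raise unconditionally, so the guard is restored here
        # (and below) — confirm against upstream.
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)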
# NOTE(review): this listing is incomplete. The counters `success` and
# `fail` logged at the end are never assigned in the visible text, the inner
# loop header that binds `j` (between the lines numbered 2589 and 2591) is
# missing, and so are the timeout guard after wait_event (2598), the body of
# the disconnected branch after 2606 (2607–2609) and the failure bookkeeping.
# Confirm against upstream before relying on this block.
2581 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2582 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
# `params` arrives as the test-framework parameter dict and is rebound below
# to the AP configuration once the --long check has been made.
2583 if not params['long']:
2584 raise HwsimSkip("Skip test case with long duration due to --long not specified")
2585 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2586 hostapd.add_ap(apdev[0]['ifname'], params)
# Outer loop: 100 rounds; the inner loop over station index j is not shown.
2589 for i in range(100):
2591 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2592 identity="eke user", password="hello",
2593 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2594 scan_freq="2412", wait_connect=False)
# Either outcome ends the wait; a disconnect is counted as a soft failure
# rather than aborting the test (see the comment below).
2596 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2597 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2599 raise Exception("No connected/disconnected event")
2600 if "CTRL-EVENT-DISCONNECTED" in ev:
2602 # The RADIUS server limits on active sessions can be hit when
2603 # going through this test case, so try to give some more time
2604 # for the server to remove sessions.
2605 logger.info("Failed to connect i=%d j=%d" % (i, j))
2606 dev[j].request("REMOVE_NETWORK all")
# Success path: tear the network down cleanly before the next round.
2610 dev[j].request("REMOVE_NETWORK all")
2611 dev[j].wait_disconnected()
2612 dev[j].dump_monitor()
2613 logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Integrated EAP server whose server identity is given in NAI form.
    server_cfg = int_eap_server_params()
    server_cfg['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], server_cfg)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
# NOTE(review): this listing is incomplete. The polling loops that follow
# the "This would eventually time out" comments (around the lines numbered
# 2658–2661 and 2673–2676), the try: that pairs with the except on 2678, the
# condition between 2679 and 2681 that decides "Too few allocation
# failures", and the loop exit after 2682 are missing. The except uses the
# Python 2 `except Exception, e:` form. Confirm against upstream before
# relying on this block.
2622 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2623 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2624 params = int_eap_server_params()
2625 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2626 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Round 1: the N-th allocation inside each server-side EKE builder/parser
# fails; every case must end in an EAP failure seen by the station.
2628 for count,func in [ (1, "eap_eke_build_commit"),
2629 (2, "eap_eke_build_commit"),
2630 (3, "eap_eke_build_commit"),
2631 (1, "eap_eke_build_confirm"),
2632 (2, "eap_eke_build_confirm"),
2633 (1, "eap_eke_process_commit"),
2634 (2, "eap_eke_process_commit"),
2635 (1, "eap_eke_process_confirm"),
2636 (1, "eap_eke_process_identity"),
2637 (2, "eap_eke_process_identity"),
2638 (3, "eap_eke_process_identity"),
2639 (4, "eap_eke_process_identity") ]:
2640 with alloc_fail(hapd, count, func):
2641 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2642 expect_failure=True)
2643 dev[0].request("REMOVE_NETWORK all")
# Round 2: failures in setup/teardown paths; here the station does not wait
# for the full result, it only checks that the injected failure fired
# (GET_ALLOC_FAIL no longer reporting the pending count).
2645 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2646 (1, "eap_eke_get_session_id", "hello"),
2647 (1, "eap_eke_getKey", "hello"),
2648 (1, "eap_eke_build_msg", "hello"),
2649 (1, "eap_eke_build_failure", "wrong"),
2650 (1, "eap_eke_build_identity", "hello"),
2651 (2, "eap_eke_build_identity", "hello") ]:
2652 with alloc_fail(hapd, count, func):
2653 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2654 eap="EKE", identity="eke user", password=pw,
2655 wait_connect=False, scan_freq="2412")
2656 # This would eventually time out, but we can stop after having
2657 # reached the allocation failure.
2660 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2662 dev[0].request("REMOVE_NETWORK all")
# Round 3: sweep allocation failures through the server EAP state machine
# step function until alloc_fail reports that no failure was triggered;
# `pw` is reused from the last iteration of the previous loop.
2664 for count in range(1, 1000):
2666 with alloc_fail(hapd, count, "eap_server_sm_step"):
2667 dev[0].connect("test-wpa2-eap",
2668 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2669 eap="EKE", identity="eke user", password=pw,
2670 wait_connect=False, scan_freq="2412")
2671 # This would eventually time out, but we can stop after having
2672 # reached the allocation failure.
2675 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2677 dev[0].request("REMOVE_NETWORK all")
2678 except Exception, e:
2679 if str(e) == "Allocation failure did not trigger":
2681 raise Exception("Too few allocation failures")
2682 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    user = "ikev2 user"
    good_pw = "ike password"

    # Default fragmentation, followed by reauthentication.
    eap_connect(sta, apdev[0], "IKEV2", user, password=good_pw)
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    # Small station-side fragment_size (presumably forces fragmentation of
    # the EAP-IKEv2 exchange).
    eap_connect(sta, apdev[0], "IKEV2", user, password=good_pw,
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # fragment_size="0" as a boundary value for the fragmentation setting.
    eap_connect(sta, apdev[0], "IKEV2", user, password=good_pw,
                fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
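def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured explicitly (not via wpa2_eap_params()) so that the
    server-side fragment_size can be set; a value of 50 makes the
    authentication server fragment its EAP-IKEv2 messages. The earlier
    wpa2_eap_params() result was never used and has been removed.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")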
# NOTE(review): this listing is incomplete. One entry of the first `tests`
# list (the line numbered 2729), the timeout guards after each wait_event
# (2737, 2752), and the polling loops that check GET_ALLOC_FAIL / GET_FAIL
# (around 2739–2742 and 2754–2757, including their loop exits) are missing.
# Confirm against upstream before relying on this block.
2722 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2723 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2724 check_eap_capa(dev[0], "IKEV2")
2725 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2726 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures in the station-side Diffie-Hellman helpers; one list
# entry between dh_init and dh_derive_shared is not shown.
2728 tests = [ (1, "dh_init"),
2730 (1, "dh_derive_shared") ]
2731 for count, func in tests:
2732 with alloc_fail(dev[0], count, func):
2733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2734 identity="ikev2 user", password="ike password",
2735 wait_connect=False, scan_freq="2412")
# Only the method selection is awaited; the injected failure is then
# polled for via GET_ALLOC_FAIL (the "0:" prefix meaning it has fired).
2736 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2738 raise Exception("EAP method not selected")
2740 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2743 dev[0].request("REMOVE_NETWORK all")
# Forced failure of the random-number source used by dh_init; polled via
# GET_FAIL in the same way.
2745 tests = [ (1, "os_get_random;dh_init") ]
2746 for count, func in tests:
2747 with fail_test(dev[0], count, func):
2748 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2749 identity="ikev2 user", password="ike password",
2750 wait_connect=False, scan_freq="2412")
2751 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2753 raise Exception("EAP method not selected")
2755 if "0:" in dev[0].request("GET_FAIL"):
2758 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"
    # 16-byte PAX key as hex; the negative case alters the first byte.
    pax_key = "0123456789abcdef0123456789abcdef"
    wrong_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=pax_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user, password_hex=wrong_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based 802.1X AKM with management frame protection required
    # (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "psk.user@example.com"
    # 16-byte PSK as hex; the negative case alters the first byte.
    psk_hex = "0123456789abcdef0123456789abcdef"
    wrong_hex = "ff23456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=psk_hex,
                sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the AKM suite selector for 802.1X with SHA-256.
    suite = "00-0f-ac-5"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", suite),
                        ("dot11RSNAAuthenticationSuiteSelected", suite) ])

    # The scan result must advertise the SHA-256 AKM, not the plain one.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user, password_hex=wrong_hex,
                sha256=True, expect_failure=True)
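def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects allocation failures and forced failures into the AES-EAX /
    OMAC1 / AES-CTR primitives used by EAP-PSK on the station and checks
    that each injected failure actually fires and the connection is torn
    down cleanly afterwards.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failures inside the EAX encrypt/decrypt wrappers ("=" is
    # the exact-function-match prefix used by the alloc_fail helper).
    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # wait_event() is presumed to return None on timeout; the listing
            # showed the raise unconditionally, so the guard is restored here
            # (and in the two cases below) — confirm against upstream.
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Forced failures of the primitives EAX is built from; "a;b" targets a
    # failure in a only when called from b.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            if ev is None:
                raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A failing block encrypt must surface as an EAP failure, not a hang.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()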
# NOTE(review): this listing is incomplete — the closing argument(s) of the
# dev[0].connect() call (the line numbered 2861) are missing, so the call is
# unterminated as shown. Confirm against upstream before relying on it.
2853 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2854 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2855 check_eap_capa(dev[0], "MSCHAPV2")
# WPA (not WPA2) Enterprise AP, hence rsn=False on the checks below.
2856 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2857 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2858 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2859 identity="user", password="password", phase2="auth=MSCHAPV2",
2860 ca_cert="auth_serv/ca.pem", wait_connect=False,
2862 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2863 hwsim_utils.test_connectivity(dev[0], hapd)
2864 eap_reauth(dev[0], "PEAP", rsn=False)
# 00-50-f2-1 is the WPA (Microsoft OUI) AKM selector for 802.1X.
2865 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2866 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2867 status = dev[0].get_status(extra="VERBOSE")
2868 if 'portControl' not in status:
2869 raise Exception("portControl missing from STATUS-VERBOSE")
2870 if status['portControl'] != 'Auto':
2871 raise Exception("Unexpected portControl value: " + status['portControl'])
2872 if 'eap_session_id' not in status:
2873 raise Exception("eap_session_id missing from STATUS-VERBOSE")
# The Session-Id starts with the EAP type byte; 0x19 (25) is PEAP.
2874 if not status['eap_session_id'].startswith("19"):
2875 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
# NOTE(review): this listing is incomplete. The tail of the first `tests`
# tuple (the line numbered 2886, i.e. its req_id/req_pw fields), the first
# statement of the loop body (2899), whatever guards the identity request
# handling (2904 — note req_id is None for several entries, so the
# CTRL-RSP-IDENTITY string concatenation cannot run unconditionally), and the
# timeout guards after the two wait_event() calls (2906, 2911) are missing.
# Confirm against upstream before relying on this block.
2877 def test_ap_wpa2_eap_interactive(dev, apdev):
2878 """WPA2-Enterprise connection using interactive identity/password entry"""
2879 check_eap_capa(dev[0], "MSCHAPV2")
2880 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2881 hostapd.add_ap(apdev[0]['ifname'], params)
2882 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Each entry: description, EAP method, anonymous identity, configured
# identity (None = request it interactively), phase2, identity to supply on
# CTRL-REQ-IDENTITY, password to supply on CTRL-REQ-PASSWORD/OTP.
2884 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2885 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2887 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2888 "TTLS", "ttls", None, "auth=MSCHAPV2",
2889 "DOMAIN\mschapv2 user", "password"),
2890 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2891 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2892 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2893 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2894 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2895 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2896 ("Connection with dynamic PEAP/EAP-GTC password entry",
2897 "PEAP", None, "user", "auth=GTC", None, "password") ]
2898 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
# No password is configured on the network, so wpa_supplicant has to ask
# for it over the control interface.
2900 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2901 anonymous_identity=anon, identity=identity,
2902 ca_cert="auth_serv/ca.pem", phase2=phase2,
2903 wait_connect=False, scan_freq="2412")
# The request carries the network id after the last '-' before ':'; the
# response echoes it back.
2905 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2907 raise Exception("Request for identity timed out")
2908 id = ev.split(':')[0].split('-')[-1]
2909 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2910 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2912 raise Exception("Request for password timed out")
2913 id = ev.split(':')[0].split('-')[-1]
# GTC arrives as an OTP request; reply with the matching response type.
# (`id` and `type` shadow builtins here.)
2914 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2915 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2916 dev[0].wait_connected(timeout=10)
2917 dev[0].request("REMOVE_NETWORK all")
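def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    After an interactive identity entry has completed the connection,
    enabling a second (unrelated, disabled) network must not make
    wpa_supplicant drop the current association and try to reconnect.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # Added but not enabled; used only as the target of ENABLE_NETWORK later.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    req_id = "DOMAIN\mschapv2 user"
    # identity=None makes wpa_supplicant request the identity interactively.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # wait_event() is presumed to return None on timeout; the listing showed
    # the raise unconditionally, so the guard is restored here — confirm
    # against upstream.
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request carries the network id after the last '-' before ':'.
    net_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + net_id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # Here an event is the failure: seeing an authentication attempt means
    # ENABLE_NETWORK triggered a reconnection (guard inferred from the
    # message; the listing omitted the condition — confirm against upstream).
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")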
# NOTE(review): this listing is incomplete — the closing arguments of the
# second eap_connect() call (the lines numbered 2956–2957) are missing, so
# the extra options exercised on dev[1] cannot be read from this page.
# Confirm against upstream before relying on this block.
2949 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2950 """WPA2-Enterprise connection using EAP vendor test"""
2951 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2952 hostapd.add_ap(apdev[0]['ifname'], params)
# VENDOR-TEST is the expanded-type test method built into the EAP server;
# no password is passed.
2953 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2954 eap_reauth(dev[0], "VENDOR-TEST")
2955 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
# NOTE(review): this listing is incomplete. The loop header that binds
# `func` (between the lines numbered 2965 and 2967) and parts of the
# dev[0].connect() argument list (2969, 2971) are missing, so the exact
# connect options cannot be read from this page. Confirm against upstream
# before relying on this block.
2958 def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
2959 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
2960 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2961 hostapd.add_ap(apdev[0]['ifname'], params)
# First allocation failure in each station-side vendor-test function;
# "a;b" targets a failure in a only when called from b.
2963 tests = [ "eap_vendor_test_init",
2964 "eap_msg_alloc;eap_vendor_test_process",
2965 "eap_vendor_test_getKey" ]
2967 with alloc_fail(dev[0], 1, func):
2968 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
2970 eap="VENDOR-TEST", identity="vendor-test",
# Only the injected failure is awaited; the connection itself is not
# expected to complete.
2972 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
2973 dev[0].request("REMOVE_NETWORK all")
2974 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects unauthenticated PAC provisioning; the
    # provisioned PAC is stored in a wpa_supplicant blob rather than a file.
    fast_opts = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **fast_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication must resume the TLS session via the provisioned PAC.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
# NOTE(review): this listing is incomplete. Missing are the statements
# between the lines numbered 2996/2999 (presumably PAC-file preparation),
# the read of the opened file (3004 — `data` is used below but never
# assigned in the visible text), the closing arguments of three
# eap_connect() calls (3013–3014, 3019, 3025) and the remainder of the
# cleanup (3026–3031, 3033–3035) of which only os.remove(pac_file2) is
# visible. Confirm against upstream before relying on this block.
2990 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2991 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2992 check_eap_capa(dev[0], "FAST")
# Two PAC files under the test log directory: text format and binary format.
# `params` is the framework parameter dict here and is rebound below.
2993 pac_file = os.path.join(params['logdir'], "fast.pac")
2994 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2995 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2996 hostapd.add_ap(apdev[0]['ifname'], params)
# Provision into the text PAC file (unauthenticated provisioning).
2999 eap_connect(dev[0], apdev[0], "FAST", "user",
3000 anonymous_identity="FAST", password="password",
3001 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3002 phase1="fast_provisioning=1", pac_file=pac_file)
# The text PAC file must carry the version header and a PAC-Key entry. The
# PAC-Key is the credential that lets later sessions resume without
# re-provisioning, so this file is sensitive material on disk.
3003 with open(pac_file, "r") as f:
3005 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
3006 raise Exception("PAC file header missing")
3007 if "PAC-Key=" not in data:
3008 raise Exception("PAC-Key missing from PAC file")
# Reconnect using the already provisioned text PAC (closing args not shown).
3009 dev[0].request("REMOVE_NETWORK all")
3010 eap_connect(dev[0], apdev[0], "FAST", "user",
3011 anonymous_identity="FAST", password="password",
3012 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same sequence on dev[1] with the binary PAC format.
3015 eap_connect(dev[1], apdev[0], "FAST", "user",
3016 anonymous_identity="FAST", password="password",
3017 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3018 phase1="fast_provisioning=1 fast_pac_format=binary",
3020 dev[1].request("REMOVE_NETWORK all")
3021 eap_connect(dev[1], apdev[0], "FAST", "user",
3022 anonymous_identity="FAST", password="password",
3023 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3024 phase1="fast_pac_format=binary",
3032 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Options shared by both connections; only phase1 differs.
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    # Binary PAC blob with the PAC list capped at one entry; the
    # reauthentication must still resume via the provisioned PAC.
    eap_connect(sta, apdev[0], "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, apdev[0], "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
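def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning in phase1 the peer has no way to obtain a
    PAC, so EAP-FAST must fail both when a (never provisioned) pac_file
    blob is named and when no pac_file is configured at all.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Case 1: pac_file points at a blob that has never been provisioned.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # wait_event() is presumed to return None on timeout; the listing showed
    # the raise unconditionally, so the guard is restored here (and below)
    # — confirm against upstream.
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file configured at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")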
# NOTE(review): this listing is incomplete. One entry of the malformed-PAC
# list (the line numbered 3108), the loop header that binds `t` (between
# 3112 and 3114), the timeout argument and guard after the two
# "Failed to initialize EAP method" waits (3125–3126, 3148–3149) and a few
# blank/separator lines are missing. Confirm against upstream before relying
# on this block.
3085 def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
3086 """EAP-FAST and binary PAC errors"""
3087 check_eap_capa(dev[0], "FAST")
3088 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3089 hostapd.add_ap(apdev[0]['ifname'], params)
# Round 1: allocation failures while saving the binary PAC after a
# successful provisioning; the blob is reset to empty before each case.
3091 tests = [ (1, "=eap_fast_save_pac_bin"),
3092 (1, "eap_fast_write_pac"),
3093 (2, "eap_fast_write_pac"), ]
3094 for count, func in tests:
3095 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
3096 raise Exception("Could not set blob")
3098 with alloc_fail(dev[0], count, func):
3099 eap_connect(dev[0], apdev[0], "FAST", "user",
3100 anonymous_identity="FAST", password="password",
3101 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3102 phase1="fast_provisioning=1 fast_pac_format=binary",
3103 pac_file="blob://fast_pac_bin_errors")
3104 dev[0].request("REMOVE_NETWORK all")
3105 dev[0].wait_disconnected()
# Round 2: malformed binary PAC blobs (truncated, bad magic/version,
# oversized or inconsistent length fields). Each must make method
# initialization fail rather than be parsed. The hex layout below is read
# from the test strings: 4-byte magic 6ae4920c, 2-byte version, a 2-byte
# count field, a 32-byte zero block, then length fields for the following
# data — treat this as an observation, not a spec.
3107 tests = [ "00", "000000000000", "6ae4920c0001",
3109 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3110 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3111 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3112 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3114 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
3115 raise Exception("Could not set blob")
3117 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3118 identity="user", anonymous_identity="FAST",
3119 password="password",
3120 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3121 phase1="fast_provisioning=1 fast_pac_format=binary",
3122 pac_file="blob://fast_pac_bin_errors",
3123 scan_freq="2412", wait_connect=False)
3124 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3127 raise Exception("Failure not reported")
3128 dev[0].request("REMOVE_NETWORK all")
3129 dev[0].wait_disconnected()
# Round 3: a structurally valid but empty PAC with allocation failures
# injected into the loader.
3131 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3132 tests = [ (1, "eap_fast_load_pac_bin"),
3133 (2, "eap_fast_load_pac_bin"),
3134 (3, "eap_fast_load_pac_bin") ]
3135 for count, func in tests:
3136 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3137 raise Exception("Could not set blob")
3139 with alloc_fail(dev[0], count, func):
3140 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3141 identity="user", anonymous_identity="FAST",
3142 password="password",
3143 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3144 phase1="fast_provisioning=1 fast_pac_format=binary",
3145 pac_file="blob://fast_pac_bin_errors",
3146 scan_freq="2412", wait_connect=False)
3147 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3150 raise Exception("Failure not reported")
3151 dev[0].request("REMOVE_NETWORK all")
3152 dev[0].wait_disconnected()
# Round 4: a PAC carrying a 5-byte unknown/opaque entry must still load and
# allow a normal (re)provisioning connection.
3154 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3155 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3156 raise Exception("Could not set blob")
3158 eap_connect(dev[0], apdev[0], "FAST", "user",
3159 anonymous_identity="FAST", password="password",
3160 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3161 phase1="fast_provisioning=1 fast_pac_format=binary",
3162 pac_file="blob://fast_pac_bin_errors")
3163 dev[0].request("REMOVE_NETWORK all")
3164 dev[0].wait_disconnected()
# Round 5: PAC with an A-ID entry, with allocation failures injected into
# the A-ID lookup; the connection is still expected to succeed.
3166 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3167 tests = [ (1, "eap_fast_pac_get_a_id"),
3168 (2, "eap_fast_pac_get_a_id") ]
3169 for count, func in tests:
3170 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3171 raise Exception("Could not set blob")
3172 with alloc_fail(dev[0], count, func):
3173 eap_connect(dev[0], apdev[0], "FAST", "user",
3174 anonymous_identity="FAST", password="password",
3175 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3176 phase1="fast_provisioning=1 fast_pac_format=binary",
3177 pac_file="blob://fast_pac_bin_errors")
3178 dev[0].request("REMOVE_NETWORK all")
3179 dev[0].wait_disconnected()
3181 def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
3182 """EAP-FAST and text PAC errors

Drives wpa_supplicant's text-format PAC file parser and writer through
injected allocation failures and a truncated PAC blob, and checks that
each failure is reported instead of being silently accepted.
"""
3183 check_eap_capa(dev[0], "FAST")
3184 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3185 hostapd.add_ap(apdev[0]['ifname'], params)
# (count, function) pairs: the count-th allocation inside the named PAC
# parse/save function is made to fail.
3187 tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3188 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3189 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3190 (1, "eap_fast_parse_start"),
3191 (1, "eap_fast_save_pac") ]
3192 for count, func in tests:
# Start every iteration from a flushed supplicant and an empty PAC blob so
# provisioning has to write a fresh PAC.
3193 dev[0].request("FLUSH")
3194 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3195 raise Exception("Could not set blob")
3197 with alloc_fail(dev[0], count, func):
3198 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3199 identity="user", anonymous_identity="FAST",
3200 password="password",
3201 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3202 phase1="fast_provisioning=1",
3203 pac_file="blob://fast_pac_text_errors",
3204 scan_freq="2412", wait_connect=False)
# Block until the injected allocation failure has actually been hit.
3205 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3206 dev[0].request("REMOVE_NETWORK all")
3207 dev[0].wait_disconnected()
# A PAC file consisting of only the header line; the lines that append the
# rest of the malformed blob are not visible in this excerpt.
3209 pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
# str.encode("hex") is Python 2 only (this file also uses the Python 2
# "except Exception, e" syntax); Python 3 would need binascii.hexlify().
3213 if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
3214 raise Exception("Could not set blob")
3216 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3217 identity="user", anonymous_identity="FAST",
3218 password="password",
3219 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3220 phase1="fast_provisioning=1",
3221 pac_file="blob://fast_pac_text_errors",
3222 scan_freq="2412", wait_connect=False)
# The malformed PAC must make EAP method initialization fail.
3223 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
# NOTE(review): the guard that checks ev before this raise is not visible in
# this excerpt.
3225 raise Exception("Failure not reported")
3226 dev[0].request("REMOVE_NETWORK all")
3227 dev[0].wait_disconnected()
3229 dev[0].request("FLUSH")
3230 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3231 raise Exception("Could not set blob")
# Fail the allocation when an additional PAC entry is added to the list.
3233 with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
# NOTE(review): the loop header that binds i is not visible in this excerpt;
# each iteration below brings up a second AP with its own A-ID and PAC key.
3235 params = int_eap_server_params()
3236 params['ssid'] = "test-wpa2-eap-2"
3237 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3238 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3239 params['eap_fast_a_id_info'] = "test server %d" % i
3241 hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)
3243 dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
3244 identity="user", anonymous_identity="FAST",
3245 password="password",
3246 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3247 phase1="fast_provisioning=1",
3248 pac_file="blob://fast_pac_text_errors",
3249 scan_freq="2412", wait_connect=False)
# The connection itself is still expected to complete; only storing the
# extra PAC entry is affected by the injected failure (presumably).
3250 dev[0].wait_connected()
3251 dev[0].request("REMOVE_NETWORK all")
3252 dev[0].wait_disconnected()
3256 def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
3257 """EAP-FAST and PAC list truncation

Provisions PACs from several servers with distinct A-IDs while the
station caps its stored PAC list at two entries
(fast_max_pac_list_len=2), exercising the truncation path.
"""
3258 check_eap_capa(dev[0], "FAST")
3259 if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
3260 raise Exception("Could not set blob")
# NOTE(review): the loop header that binds i is not visible in this excerpt.
# Each iteration configures the AP with a different PAC-Opaque encryption
# key and A-ID so that every provisioning run yields a new PAC entry.
3262 params = int_eap_server_params()
3263 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3264 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3265 params['eap_fast_a_id_info'] = "test server %d" % i
3266 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3268 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3269 identity="user", anonymous_identity="FAST",
3270 password="password",
3271 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3272 phase1="fast_provisioning=1 fast_max_pac_list_len=2",
3273 pac_file="blob://fast_pac_truncate",
3274 scan_freq="2412", wait_connect=False)
3275 dev[0].wait_connected()
3276 dev[0].request("REMOVE_NETWORK all")
3277 dev[0].wait_disconnected()
3281 def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
3282 """EAP-FAST and PAC refresh

Two phases with different server-side PAC timing: first a refresh time
shorter than the lifetime, then a refresh time equal to the lifetime.
Both phases repeat provisioning against servers with distinct A-IDs.
"""
3283 check_eap_capa(dev[0], "FAST")
3284 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3285 raise Exception("Could not set blob")
# NOTE(review): the loop header that binds i is not visible in this excerpt.
3287 params = int_eap_server_params()
3288 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3289 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3290 params['eap_fast_a_id_info'] = "test server %d" % i
# Refresh time well below the lifetime, so the server should offer a new
# PAC before the old one expires (presumably; units are hostapd's).
3291 params['pac_key_refresh_time'] = "1"
3292 params['pac_key_lifetime'] = "10"
3293 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3295 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3296 identity="user", anonymous_identity="FAST",
3297 password="password",
3298 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3299 phase1="fast_provisioning=1",
3300 pac_file="blob://fast_pac_refresh",
3301 scan_freq="2412", wait_connect=False)
3302 dev[0].wait_connected()
3303 dev[0].request("REMOVE_NETWORK all")
3304 dev[0].wait_disconnected()
# Second phase. NOTE(review): the lines between the phases (including the
# loop header that binds i here) are not visible in this excerpt.
3309 params = int_eap_server_params()
3310 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3311 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3312 params['eap_fast_a_id_info'] = "test server %d" % i
# Refresh time equal to the lifetime.
3313 params['pac_key_refresh_time'] = "10"
3314 params['pac_key_lifetime'] = "10"
3315 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3317 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3318 identity="user", anonymous_identity="FAST",
3319 password="password",
3320 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3321 phase1="fast_provisioning=1",
3322 pac_file="blob://fast_pac_refresh",
3323 scan_freq="2412", wait_connect=False)
3324 dev[0].wait_connected()
3325 dev[0].request("REMOVE_NETWORK all")
3326 dev[0].wait_disconnected()
3330 def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
3331 """EAP-FAST and PAC lifetime

Provisions a PAC with a very short server-side lifetime, lets it expire,
and verifies that a reconnect using the expired PAC is rejected with an
EAP-Failure before a fresh provisioning run succeeds again.
"""
3332 check_eap_capa(dev[0], "FAST")
3333 if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
3334 raise Exception("Could not set blob")
# NOTE(review): the line(s) that bind i are not visible in this excerpt.
3337 params = int_eap_server_params()
3338 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3339 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3340 params['eap_fast_a_id_info'] = "test server %d" % i
# No refresh, short lifetime: the PAC is meant to expire during the test.
3341 params['pac_key_refresh_time'] = "0"
3342 params['pac_key_lifetime'] = "2"
3343 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# fast_provisioning=2 selects authenticated provisioning (see the GTC
# auth-provisioning test in this file).
3345 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3346 identity="user", anonymous_identity="FAST",
3347 password="password",
3348 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3349 phase1="fast_provisioning=2",
3350 pac_file="blob://fast_pac_refresh",
3351 scan_freq="2412", wait_connect=False)
3352 dev[0].wait_connected()
3353 dev[0].request("DISCONNECT")
3354 dev[0].wait_disconnected()
# NOTE(review): the wait for the PAC lifetime to elapse is not visible in
# this excerpt. Flushing the PMKSA cache forces a full EAP exchange on
# RECONNECT, so the expired PAC is actually presented to the server rather
# than being bypassed by PMKSA caching.
3357 dev[0].request("PMKSA_FLUSH")
3358 dev[0].request("RECONNECT")
3359 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the guard that checks ev before this raise is not visible.
3361 raise Exception("No EAP-Failure seen after expired PAC")
3362 dev[0].request("DISCONNECT")
3363 dev[0].wait_disconnected()
# Selecting the network again must succeed through re-provisioning.
3365 dev[0].select_network(id)
3366 dev[0].wait_connected()
3367 dev[0].request("REMOVE_NETWORK all")
3368 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC over an authenticated tunnel (fast_provisioning=2) with
    EAP-GTC as the inner method, checks data connectivity, then reauthenticates
    and requires that the TLS session was resumed through the PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # A full handshake on reauthentication would mean the freshly provisioned
    # PAC was not used, so session reuse is mandatory here.
    reused = eap_reauth(dev[0], "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
3384 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
3385 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

After a successful connection the network's identity is changed to a
user that does not match the provisioned PAC; the resulting
reauthentication must start EAP-FAST again and then fail.
"""
3386 check_eap_capa(dev[0], "FAST")
3387 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3388 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3389 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3390 anonymous_identity="FAST", password="password",
3391 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3392 phase1="fast_provisioning=2",
3393 pac_file="blob://fast_pac_auth")
# Changing the identity on the live network triggers a disconnect and a
# new EAP exchange with the new identity.
3394 dev[0].set_network_quoted(id, "identity", "user2")
3395 dev[0].wait_disconnected()
3396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
# NOTE(review): the guard that checks ev before this raise is not visible in
# this excerpt (same for the EAP-FAILURE wait below).
3398 raise Exception("EAP-FAST not started")
3399 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
3401 raise Exception("EAP failure not reported")
3402 dev[0].wait_disconnected()
3404 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
3405 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

Injects an allocation failure into the TLS PRF implementation of the
configured TLS library and expects the EAP exchange to fail cleanly.
"""
3406 check_eap_capa(dev[0], "FAST")
# The PRF function name depends on the TLS backend wpa_supplicant was built
# with; other backends are skipped.
3407 tls = dev[0].request("GET tls_library")
3408 if tls.startswith("OpenSSL"):
3409 func = "openssl_tls_prf"
# NOTE(review): the assignment of count for each branch and the final
# else: line are not visible in this excerpt.
3411 elif tls.startswith("internal"):
3412 func = "tls_connection_prf"
3415 raise HwsimSkip("Unsupported TLS library")
3416 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3417 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3418 with alloc_fail(dev[0], count, func):
3419 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3420 identity="user", anonymous_identity="FAST",
3421 password="password", ca_cert="auth_serv/ca.pem",
# NOTE(review): the phase2 argument line is not visible in this excerpt.
3423 phase1="fast_provisioning=2",
3424 pac_file="blob://fast_pac_auth",
3425 wait_connect=False, scan_freq="2412")
3426 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
# NOTE(review): the guard that checks ev before this raise is not visible.
3428 raise Exception("EAP failure not reported")
3429 dev[0].request("DISCONNECT")
3431 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
3432 """EAP-FAST/MSCHAPv2 and server OOM

Fails an allocation in hostapd's TLS session-ticket extension callback
during PAC provisioning; the station must see an EAP-Failure, after which
the same network is selected again (the retry's outcome is checked by
lines that are not visible in this excerpt).
"""
3433 check_eap_capa(dev[0], "FAST")
3435 params = int_eap_server_params()
3436 params['dh_file'] = 'auth_serv/dh.conf'
3437 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3438 params['eap_fast_a_id'] = '1011'
3439 params['eap_fast_a_id_info'] = 'another test server'
3440 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# The failure is injected on the AP side (hapd), not on the station.
3442 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
3443 id = eap_connect(dev[0], apdev[0], "FAST", "user",
3444 anonymous_identity="FAST", password="password",
3445 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3446 phase1="fast_provisioning=1",
3447 pac_file="blob://fast_pac",
3448 expect_failure=True)
3449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the guard that checks ev before this raise is not visible.
3451 raise Exception("No EAP failure reported")
3452 dev[0].wait_disconnected()
3453 dev[0].request("DISCONNECT")
3455 dev[0].select_network(id, freq="2412")
3457 def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
3458 """EAP-FAST and different TLS cipher suites

Provisions a PAC, checks the cipher suite negotiated for provisioning,
then reconnects with openssl_ciphers pinned to each suite in the list and
verifies that the reported EAP TLS cipher matches the configured one.
"""
3459 check_eap_capa(dev[0], "FAST")
# openssl_ciphers and the cipher names used here are OpenSSL specific.
3460 tls = dev[0].request("GET tls_library")
3461 if not tls.startswith("OpenSSL"):
3462 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3464 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3465 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3467 dev[0].request("SET blob fast_pac_ciphers ")
3468 eap_connect(dev[0], apdev[0], "FAST", "user",
3469 anonymous_identity="FAST", password="password",
3470 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3471 phase1="fast_provisioning=2",
3472 pac_file="blob://fast_pac_ciphers")
3473 res = dev[0].get_status_field('EAP TLS cipher')
3474 dev[0].request("REMOVE_NETWORK all")
3475 dev[0].wait_disconnected()
# Authenticated provisioning is expected to use this DHE suite.
3476 if res != "DHE-RSA-AES256-SHA":
3477 raise Exception("Unexpected cipher suite for provisioning: " + res)
# NOTE(review): the list entries between the first and last suite are not
# visible in this excerpt; the except branch below shows that RC4-SHA is
# among them, only to confirm that a library without RC4 is handled.
3479 tests = [ "DHE-RSA-AES128-SHA",
3483 "DHE-RSA-AES256-SHA" ]
3484 for cipher in tests:
3485 dev[0].dump_monitor()
3486 logger.info("Testing " + cipher)
# NOTE(review): the try: line opening this block is not visible.
3488 eap_connect(dev[0], apdev[0], "FAST", "user",
3489 openssl_ciphers=cipher,
3490 anonymous_identity="FAST", password="password",
3491 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
3492 pac_file="blob://fast_pac_ciphers")
# Python 2 only except syntax; Python 3 requires "except Exception as e:".
3493 except Exception, e:
# OpenSSL 1.1 builds no longer offer RC4, so the method-selection failure is
# tolerated there; any other failure propagates (the continue/raise lines
# are not visible in this excerpt).
3494 if "Could not select EAP method" in str(e) and cipher == "RC4-SHA":
3495 tls = dev[0].request("GET tls_library")
3496 if "run=OpenSSL 1.1" in tls:
3497 logger.info("Allow failure due to missing TLS library support")
3498 dev[0].request("REMOVE_NETWORK all")
3499 dev[0].wait_disconnected()
3502 res = dev[0].get_status_field('EAP TLS cipher')
3503 dev[0].request("REMOVE_NETWORK all")
3504 dev[0].wait_disconnected()
# NOTE(review): the comparison of res against cipher guarding this raise is
# not visible in this excerpt.
3506 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    The station authenticates with a PKCS#12 bundle and requires a stapled
    OCSP response (ocsp=2); the connection is expected to complete.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes a bad or missing stapled response fatal, unlike the
    # ocsp=1 (optional) variant used elsewhere in this file.
    client = dict(ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  ocsp=2)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same flow as the single-response OCSP test, but only runs on builds
    that support multi-response OCSP stapling.
    """
    check_ocsp_multi_support(dev[0])
    check_pkcs12_support(dev[0])

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Required OCSP stapling (ocsp=2); the connection is expected to complete.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
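def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    The dict configures WPA2/CCMP with IEEE 802.1X, hostapd's built-in EAP
    server (eap_server=1) and the test credentials under auth_serv/. A new
    dict is built on every call, so callers may add or override entries
    (for example ``ocsp_stapling_response``) without affecting other tests.

    Returns:
        dict[str, str]: parameters suitable for ``hostapd.add_ap``.
    """
    # The callers in this file all assign the result and then index into it,
    # so the dict is returned explicitly rather than only built.
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
        "dh_file": "auth_serv/dh.conf",
    }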
3539 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
3540 """EAP-TLS and OCSP certificate signed OCSP response using key ID

The stapled response was pre-generated into the log directory by the test
setup; the test is skipped when that artifact is absent.
"""
3541 check_ocsp_support(dev[0])
3542 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
3543 if not os.path.exists(ocsp):
3544 raise HwsimSkip("No OCSP response available")
# The test-harness params dict is replaced by the AP configuration here.
3545 params = int_eap_server_params()
3546 params["ocsp_stapling_response"] = ocsp
3547 hostapd.add_ap(apdev[0]['ifname'], params)
# Required stapling (ocsp=2) with a good response: the connection is
# expected to complete.
3548 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3549 identity="tls user", ca_cert="auth_serv/ca.pem",
3550 private_key="auth_serv/user.pkcs12",
3551 private_key_passwd="whatever", ocsp=2,
# NOTE(review): the final argument line closing this connect() call is not
# visible in this excerpt.
3554 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
3555 """EAP-TLS and CA signed OCSP response (good)

Staples a pre-generated, CA-signed "good" response; with required OCSP
(ocsp=2) the connection is expected to complete.
"""
3556 check_ocsp_support(dev[0])
3557 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
3558 if not os.path.exists(ocsp):
3559 raise HwsimSkip("No OCSP response available")
# The test-harness params dict is replaced by the AP configuration here.
3560 params = int_eap_server_params()
3561 params["ocsp_stapling_response"] = ocsp
3562 hostapd.add_ap(apdev[0]['ifname'], params)
3563 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3564 identity="tls user", ca_cert="auth_serv/ca.pem",
3565 private_key="auth_serv/user.pkcs12",
3566 private_key_passwd="whatever", ocsp=2,
# NOTE(review): the final argument line closing this connect() call is not
# visible in this excerpt.
3569 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
3570 """EAP-TLS and CA signed OCSP response (revoked)

With required OCSP (ocsp=2) a stapled "revoked" status must abort the
handshake: the test expects an EAP status event naming the bad response
and the revocation, followed by an EAP-Failure.
"""
3571 check_ocsp_support(dev[0])
3572 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
3573 if not os.path.exists(ocsp):
3574 raise HwsimSkip("No OCSP response available")
3575 params = int_eap_server_params()
3576 params["ocsp_stapling_response"] = ocsp
3577 hostapd.add_ap(apdev[0]['ifname'], params)
3578 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3579 identity="tls user", ca_cert="auth_serv/ca.pem",
3580 private_key="auth_serv/user.pkcs12",
3581 private_key_passwd="whatever", ocsp=2,
3582 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop that polls EAP status events (its header, the
# counter it keeps, the None check on ev and the break/limit lines) is not
# visible in this excerpt; only its body survives below.
3585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3587 raise Exception("Timeout on EAP status")
3588 if 'bad certificate status response' in ev:
3590 if 'certificate revoked' in ev:
# Too many status events without the expected revocation report.
3594 raise Exception("Unexpected number of EAP status messages")
3596 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3598 raise Exception("Timeout on EAP failure report")
3600 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
3601 """EAP-TLS and CA signed OCSP response (unknown)

With required OCSP (ocsp=2) an "unknown" certificate status is not
accepted: the test expects a bad-status EAP status event and then an
EAP-Failure.
"""
3602 check_ocsp_support(dev[0])
3603 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
3604 if not os.path.exists(ocsp):
3605 raise HwsimSkip("No OCSP response available")
3606 params = int_eap_server_params()
3607 params["ocsp_stapling_response"] = ocsp
3608 hostapd.add_ap(apdev[0]['ifname'], params)
3609 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3610 identity="tls user", ca_cert="auth_serv/ca.pem",
3611 private_key="auth_serv/user.pkcs12",
3612 private_key_passwd="whatever", ocsp=2,
3613 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3616 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3618 raise Exception("Timeout on EAP status")
3619 if 'bad certificate status response' in ev:
3623 raise Exception("Unexpected number of EAP status messages")
3625 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3627 raise Exception("Timeout on EAP failure report")
3629 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
3630 """EAP-TLS and server signed OCSP response

The stapled response is signed by the server certificate itself rather
than by the CA or an authorized responder; with ocsp=2 the station must
reject it (bad-status event followed by EAP-Failure).
"""
3631 check_ocsp_support(dev[0])
3632 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
3633 if not os.path.exists(ocsp):
3634 raise HwsimSkip("No OCSP response available")
3635 params = int_eap_server_params()
3636 params["ocsp_stapling_response"] = ocsp
3637 hostapd.add_ap(apdev[0]['ifname'], params)
3638 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3639 identity="tls user", ca_cert="auth_serv/ca.pem",
3640 private_key="auth_serv/user.pkcs12",
3641 private_key_passwd="whatever", ocsp=2,
3642 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3645 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3647 raise Exception("Timeout on EAP status")
3648 if 'bad certificate status response' in ev:
3652 raise Exception("Unexpected number of EAP status messages")
3654 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3656 raise Exception("Timeout on EAP failure report")
3658 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
3659 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

The AP staples an OCSP *request* file in place of a response, so the
station's parser sees structurally wrong data; with ocsp=2 this must be
reported as a bad status and end in EAP-Failure.
"""
3660 check_ocsp_support(dev[0])
3661 params = int_eap_server_params()
3662 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
3663 hostapd.add_ap(apdev[0]['ifname'], params)
3664 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3665 identity="tls user", ca_cert="auth_serv/ca.pem",
3666 private_key="auth_serv/user.pkcs12",
3667 private_key_passwd="whatever", ocsp=2,
3668 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3671 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3673 raise Exception("Timeout on EAP status")
3674 if 'bad certificate status response' in ev:
3678 raise Exception("Unexpected number of EAP status messages")
3680 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3682 raise Exception("Timeout on EAP failure report")
3684 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
3685 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

A pre-built invalid response file is stapled; with ocsp=2 the station
must reject it (bad-status event followed by EAP-Failure).
"""
3686 check_ocsp_support(dev[0])
3687 params = int_eap_server_params()
3688 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
3689 hostapd.add_ap(apdev[0]['ifname'], params)
3690 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3691 identity="tls user", ca_cert="auth_serv/ca.pem",
3692 private_key="auth_serv/user.pkcs12",
3693 private_key_passwd="whatever", ocsp=2,
3694 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3697 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3699 raise Exception("Timeout on EAP status")
3700 if 'bad certificate status response' in ev:
3704 raise Exception("Unexpected number of EAP status messages")
3706 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3708 raise Exception("Timeout on EAP failure report")
3710 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
3711 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

The stapled response is signed by a key the station cannot chain to the
CA; a response from an unauthorized signer must be treated as bad with
ocsp=2 (bad-status event followed by EAP-Failure).
"""
3712 check_ocsp_support(dev[0])
3713 params = int_eap_server_params()
3714 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3715 hostapd.add_ap(apdev[0]['ifname'], params)
3716 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3717 identity="tls user", ca_cert="auth_serv/ca.pem",
3718 private_key="auth_serv/user.pkcs12",
3719 private_key_passwd="whatever", ocsp=2,
3720 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3723 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3725 raise Exception("Timeout on EAP status")
3726 if 'bad certificate status response' in ev:
3730 raise Exception("Unexpected number of EAP status messages")
3732 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3734 raise Exception("Timeout on EAP failure report")
3736 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
3737 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

Same revocation check as the EAP-TLS variant, but with an EAP-TTLS/PAP
client: a stapled "revoked" status with ocsp=2 must produce a bad-status
event naming the revocation and then an EAP-Failure.
"""
3738 check_ocsp_support(dev[0])
3739 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
3740 if not os.path.exists(ocsp):
3741 raise HwsimSkip("No OCSP response available")
3742 params = int_eap_server_params()
3743 params["ocsp_stapling_response"] = ocsp
3744 hostapd.add_ap(apdev[0]['ifname'], params)
3745 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3746 identity="pap user", ca_cert="auth_serv/ca.pem",
3747 anonymous_identity="ttls", password="password",
3748 phase2="auth=PAP", ocsp=2,
3749 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3752 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3754 raise Exception("Timeout on EAP status")
3755 if 'bad certificate status response' in ev:
3757 if 'certificate revoked' in ev:
3761 raise Exception("Unexpected number of EAP status messages")
3763 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3765 raise Exception("Timeout on EAP failure report")
3767 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
3768 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

With required OCSP (ocsp=2) an "unknown" status for the server
certificate is not accepted: a bad-status event and an EAP-Failure are
expected.
"""
3769 check_ocsp_support(dev[0])
3770 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
3771 if not os.path.exists(ocsp):
3772 raise HwsimSkip("No OCSP response available")
3773 params = int_eap_server_params()
3774 params["ocsp_stapling_response"] = ocsp
3775 hostapd.add_ap(apdev[0]['ifname'], params)
3776 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3777 identity="pap user", ca_cert="auth_serv/ca.pem",
3778 anonymous_identity="ttls", password="password",
3779 phase2="auth=PAP", ocsp=2,
3780 wait_connect=False, scan_freq="2412")
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3783 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3785 raise Exception("Timeout on EAP status")
3786 if 'bad certificate status response' in ev:
3790 raise Exception("Unexpected number of EAP status messages")
3792 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3794 raise Exception("Timeout on EAP failure report")
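def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The AP staples an OCSP response with status "unknown" for the server
    certificate. With ocsp=1 the station only requests stapling and does not
    require a "good" status, so the connection is expected to complete
    (the ocsp=2 variant of this test must fail on the same response).
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # The test-harness params dict is replaced by the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # No wait_connect=False: unlike the required-OCSP tests, this one expects
    # the association to succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")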
3809 def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
3810 """EAP-TLS with intermediate server/user CA

Server and user certificates are each issued by a separate intermediate
CA; both sides are given the intermediate-plus-root bundle so the full
chain can be built without relying on the peer to send the intermediate.
"""
3811 params = int_eap_server_params()
3812 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3813 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3814 params["private_key"] = "auth_serv/iCA-server/server.key"
3815 hostapd.add_ap(apdev[0]['ifname'], params)
3816 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3817 identity="tls user",
3818 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3819 client_cert="auth_serv/iCA-user/user.pem",
3820 private_key="auth_serv/iCA-user/user.key",
# NOTE(review): the final argument line closing this connect() call is not
# visible in this excerpt.
3823 def root_ocsp(cert):
"""Generate a root-CA-signed OCSP response for *cert* using the openssl CLI.

An OCSP request for *cert* is written to a temporary file, then answered
with a response signed by the root CA key itself. Callers use the result
as a hostapd ocsp_stapling_response file.

NOTE(review): the lines that close the mkstemp() descriptors and the
return of the response path are not visible in this excerpt.
"""
3824 ca = "auth_serv/ca.pem"
3826 fd2, fn2 = tempfile.mkstemp()
# Request generation. Arguments are passed as a list (no shell), so the
# file names are not subject to shell interpretation.
3829 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3830 "-no_nonce", "-sha256", "-text" ]
3831 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3832 stderr=subprocess.PIPE)
# Reading stdout to EOF before touching stderr can deadlock if the child
# fills the stderr pipe first; cmd.communicate() reads both together.
3833 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3836 logger.info("OCSP request:\n" + res)
3838 fd, fn = tempfile.mkstemp()
# Response generation: the CA index file is the revocation database, the
# response is signed with the CA key (-rsigner/-rkey) and -resp_no_certs
# omits the signer certificate, so the verifier must already trust the CA.
3840 arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
3841 "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
3842 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3843 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
# NOTE(review): the line closing this argument list is not visible.
3845 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3846 stderr=subprocess.PIPE)
# Same sequential-read caveat as above.
3847 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3850 logger.info("OCSP response:\n" + res)
# NOTE(review): the "def ica_ocsp(cert):" header for the following body is not
# visible in this excerpt (callers in this file use ica_ocsp("server.pem")).
# It mirrors root_ocsp() but signs with the intermediate server CA under
# auth_serv/iCA-server/ and resolves *cert* relative to that directory.
3855 prefix = "auth_serv/iCA-server/"
3856 ca = prefix + "cacert.pem"
3857 cert = prefix + cert
3859 fd2, fn2 = tempfile.mkstemp()
# NOTE(review): the line closing fd2 is not visible in this excerpt.
# Request generation; list-form argv, no shell.
3862 arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
3863 "-no_nonce", "-sha256", "-text" ]
3864 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3865 stderr=subprocess.PIPE)
# Reading stdout to EOF before stderr can deadlock if the child fills the
# stderr pipe first; cmd.communicate() reads both together.
3866 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3869 logger.info("OCSP request:\n" + res)
3871 fd, fn = tempfile.mkstemp()
# Response signed directly with the intermediate CA key; -resp_no_certs
# leaves the signer certificate out of the response.
3873 arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
3874 "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
3875 "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
3876 "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
# NOTE(review): the line closing this argument list is not visible.
3878 cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
3879 stderr=subprocess.PIPE)
3880 res = cmd.stdout.read() + "\n" + cmd.stderr.read()
3883 logger.info("OCSP response:\n" + res)
# NOTE(review): the return of the response path (fn) is not visible here;
# callers assign the result of ica_ocsp() to a variable.
3887 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
3888 """EAP-TLS with intermediate server/user CA and OCSP on server certificate

The stapled response is generated at test time by ica_ocsp() and signed by
the intermediate server CA; with ocsp=2 the connection is expected to
complete (the test's cleanup lines are not visible in this excerpt).
"""
3889 params = int_eap_server_params()
3890 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3891 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3892 params["private_key"] = "auth_serv/iCA-server/server.key"
3893 fn = ica_ocsp("server.pem")
3894 params["ocsp_stapling_response"] = fn
3896 hostapd.add_ap(apdev[0]['ifname'], params)
3897 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3898 identity="tls user",
3899 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3900 client_cert="auth_serv/iCA-user/user.pem",
3901 private_key="auth_serv/iCA-user/user.key",
3902 scan_freq="2412", ocsp=2)
3906 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
3907 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate

The server presents a certificate the intermediate CA has revoked and
staples a freshly generated response saying so. Even with optional OCSP
(ocsp=1) the station must not complete the handshake: an EAP-Success is an
error, and a bad-status event plus EAP-Failure are expected.
"""
3908 params = int_eap_server_params()
3909 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3910 params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
3911 params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
3912 fn = ica_ocsp("server-revoked.pem")
3913 params["ocsp_stapling_response"] = fn
3915 hostapd.add_ap(apdev[0]['ifname'], params)
3916 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3917 identity="tls user",
3918 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3919 client_cert="auth_serv/iCA-user/user.pem",
3920 private_key="auth_serv/iCA-user/user.key",
3921 scan_freq="2412", ocsp=1, wait_connect=False)
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3924 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3925 "CTRL-EVENT-EAP-SUCCESS"])
3927 raise Exception("Timeout on EAP status")
# A revoked server certificate must never yield a successful EAP exchange.
3928 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3929 raise Exception("Unexpected EAP-Success")
3930 if 'bad certificate status response' in ev:
3932 if 'certificate revoked' in ev:
3936 raise Exception("Unexpected number of EAP status messages")
3938 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3940 raise Exception("Timeout on EAP failure report")
3941 dev[0].request("REMOVE_NETWORK all")
3942 dev[0].wait_disconnected()
3946 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
3947 """EAP-TLS with intermediate server/user CA and OCSP multi missing response

The station requires multi-response stapling (ocsp=3) but the AP is only
configured with a single-response staple, so the status request cannot be
satisfied. The handshake must not succeed; a bad-status event followed by
EAP-Failure is expected.
"""
3948 check_ocsp_support(dev[0])
3949 check_ocsp_multi_support(dev[0])
3951 params = int_eap_server_params()
3952 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3953 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3954 params["private_key"] = "auth_serv/iCA-server/server.key"
3955 fn = ica_ocsp("server.pem")
# Only the single-response parameter is set; no ocsp_stapling_response_multi.
3956 params["ocsp_stapling_response"] = fn
3958 hostapd.add_ap(apdev[0]['ifname'], params)
3959 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3960 identity="tls user",
3961 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
3962 client_cert="auth_serv/iCA-user/user.pem",
3963 private_key="auth_serv/iCA-user/user.key",
3964 scan_freq="2412", ocsp=3, wait_connect=False)
# NOTE(review): the status-polling loop (header, counter, None check on ev,
# break/limit lines) is not visible in this excerpt; only its body survives.
3967 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
3968 "CTRL-EVENT-EAP-SUCCESS"])
3970 raise Exception("Timeout on EAP status")
3971 if "CTRL-EVENT-EAP-SUCCESS" in ev:
3972 raise Exception("Unexpected EAP-Success")
3973 if 'bad certificate status response' in ev:
3975 if 'certificate revoked' in ev:
3979 raise Exception("Unexpected number of EAP status messages")
3981 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3983 raise Exception("Timeout on EAP failure report")
3984 dev[0].request("REMOVE_NETWORK all")
3985 dev[0].wait_disconnected()
3989 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
3990 """EAP-TLS with intermediate server/user CA and OCSP multi OK

Builds a multi-response staple covering both the server certificate
(signed by the intermediate CA) and the intermediate CA certificate
(signed by the root), so a station requiring multi stapling (ocsp=3)
can validate the whole chain and the connection completes.
"""
3991 check_ocsp_support(dev[0])
3992 check_ocsp_multi_support(dev[0])
3994 params = int_eap_server_params()
3995 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
3996 params["server_cert"] = "auth_serv/iCA-server/server.pem"
3997 params["private_key"] = "auth_serv/iCA-server/server.key"
# One response per chain element: server cert from the intermediate CA,
# intermediate CA cert from the root CA.
3998 fn = ica_ocsp("server.pem")
3999 fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
4000 params["ocsp_stapling_response"] = fn
4002 with open(fn, "r") as f:
4003 resp_server = f.read()
4004 with open(fn2, "r") as f:
# NOTE(review): the line reading resp_ica from f is not visible here.
4007 fd3, fn3 = tempfile.mkstemp()
# Each response is prefixed with a 3-byte big-endian length (the low three
# bytes of a packed 32-bit value), forming the list used by
# ocsp_stapling_response_multi. NOTE(review): the write of resp_ica and the
# close of the file are not visible in this excerpt.
4009 f = os.fdopen(fd3, 'w')
4010 f.write(struct.pack(">L", len(resp_server))[1:4])
4011 f.write(resp_server)
4012 f.write(struct.pack(">L", len(resp_ica))[1:4])
4016 params["ocsp_stapling_response_multi"] = fn3
4018 hostapd.add_ap(apdev[0]['ifname'], params)
4019 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4020 identity="tls user",
4021 ca_cert="auth_serv/iCA-user/ca-and-root.pem",
4022 client_cert="auth_serv/iCA-user/user.pem",
4023 private_key="auth_serv/iCA-user/user.key",
4024 scan_freq="2412", ocsp=3)
4025 dev[0].request("REMOVE_NETWORK all")
4026 dev[0].wait_disconnected()
4032 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
4033 """EAP-TLS and CA signed OCSP multi response (revoked)"""
# Negative case: a stapled multi-response list that contains a "revoked"
# status must make the client abort the handshake even though ocsp=1 only
# requests stapling rather than requiring it. Expected outcome: an EAP status
# mentioning 'bad certificate status response' / 'certificate revoked' and
# no EAP-Success. The branch bodies after the status checks are not visible
# in this listing.
4034 check_ocsp_support(dev[0])
4035 check_ocsp_multi_support(dev[0])
# Pre-generated responses are expected in the log directory; skip if absent.
4037 ocsp_revoked = os.path.join(params['logdir'],
4038 "ocsp-resp-ca-signed-revoked.der")
4039 if not os.path.exists(ocsp_revoked):
4040 raise HwsimSkip("No OCSP response (revoked) available")
4041 ocsp_unknown = os.path.join(params['logdir'],
4042 "ocsp-resp-ca-signed-unknown.der")
4043 if not os.path.exists(ocsp_unknown):
4044 raise HwsimSkip("No OCSP response(unknown) available")
4046 with open(ocsp_revoked, "r") as f:
4047 resp_revoked = f.read()
4048 with open(ocsp_unknown, "r") as f:
4049 resp_unknown = f.read()
4051 fd, fn = tempfile.mkstemp()
4053 # This is not really a valid order of the OCSPResponse items in the
4054 # list, but this works for now to verify parsing and processing of
4055 # multiple responses.
# Each entry: 3-byte big-endian length, then the DER response. A zero-length
# entry is deliberately inserted in the middle to exercise the parser.
4056 f = os.fdopen(fd, 'w')
4057 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4058 f.write(resp_unknown)
4059 f.write(struct.pack(">L", len(resp_revoked))[1:4])
4060 f.write(resp_revoked)
4061 f.write(struct.pack(">L", 0)[1:4])
4062 f.write(struct.pack(">L", len(resp_unknown))[1:4])
4063 f.write(resp_unknown)
4066 params = int_eap_server_params()
4067 params["ocsp_stapling_response_multi"] = fn
4068 hostapd.add_ap(apdev[0]['ifname'], params)
4069 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4070 identity="tls user", ca_cert="auth_serv/ca.pem",
4071 private_key="auth_serv/user.pkcs12",
4072 private_key_passwd="whatever", ocsp=1,
4073 wait_connect=False, scan_freq="2412")
4076 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4077 "CTRL-EVENT-EAP-SUCCESS"])
4079 raise Exception("Timeout on EAP status")
4080 if "CTRL-EVENT-EAP-SUCCESS" in ev:
4081 raise Exception("Unexpected EAP-Success")
4082 if 'bad certificate status response' in ev:
4084 if 'certificate revoked' in ev:
4088 raise Exception("Unexpected number of EAP status messages")
4092 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
4093 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# The server certificate presumably carries no dNSName SAN (see the file
# name), so the client's domain_suffix_match has to be evaluated against the
# subject CN. Here the configured value equals the full CN, which every TLS
# backend that supports CN matching must accept. The closing argument line
# of dev[0].connect() is not visible in this listing.
4094 check_domain_match_full(dev[0])
4095 params = int_eap_server_params()
4096 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4097 params["private_key"] = "auth_serv/server-no-dnsname.key"
4098 hostapd.add_ap(apdev[0]['ifname'], params)
4099 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4100 identity="tls user", ca_cert="auth_serv/ca.pem",
4101 private_key="auth_serv/user.pkcs12",
4102 private_key_passwd="whatever",
4103 domain_suffix_match="server3.w1.fi",
4106 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4107 """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
# domain_match is an exact (full-name) comparison; with a certificate that
# presumably lacks a dNSName SAN it is checked against the subject CN, and
# the value configured here is the complete CN, so the connection is
# expected to succeed. The closing argument line of dev[0].connect() is not
# visible in this listing.
4108 check_domain_match(dev[0])
4109 params = int_eap_server_params()
4110 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4111 params["private_key"] = "auth_serv/server-no-dnsname.key"
4112 hostapd.add_ap(apdev[0]['ifname'], params)
4113 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4114 identity="tls user", ca_cert="auth_serv/ca.pem",
4115 private_key="auth_serv/user.pkcs12",
4116 private_key_passwd="whatever",
4117 domain_match="server3.w1.fi",
4120 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4121 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# Proper suffix case: "w1.fi" is a label-boundary suffix of the CN
# (server3.w1.fi). check_domain_match_full() skips the test on TLS backends
# that only support a full match on CN. Note this variant drives dev[1]
# while the capability check is done on dev[0]. The closing argument line
# of the connect() call is not visible in this listing.
4122 check_domain_match_full(dev[0])
4123 params = int_eap_server_params()
4124 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4125 params["private_key"] = "auth_serv/server-no-dnsname.key"
4126 hostapd.add_ap(apdev[0]['ifname'], params)
4127 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4128 identity="tls user", ca_cert="auth_serv/ca.pem",
4129 private_key="auth_serv/user.pkcs12",
4130 private_key_passwd="whatever",
4131 domain_suffix_match="w1.fi",
4134 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4135 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
# Two negative cases that both must end in EAP-FAILURE:
#  - dev[0]: "example.com" is unrelated to the CN server3.w1.fi;
#  - dev[1]: "erver3.w1.fi" is a substring of the CN but not a suffix on a
#    label boundary, so a correct implementation must reject it (otherwise
#    a certificate for "evilserver3.w1.fi"-style names would be accepted).
# The closing argument lines of both connect() calls and the `if ev is
# None` lines are not visible in this listing.
4136 check_domain_suffix_match(dev[0])
4137 params = int_eap_server_params()
4138 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4139 params["private_key"] = "auth_serv/server-no-dnsname.key"
4140 hostapd.add_ap(apdev[0]['ifname'], params)
4141 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4142 identity="tls user", ca_cert="auth_serv/ca.pem",
4143 private_key="auth_serv/user.pkcs12",
4144 private_key_passwd="whatever",
4145 domain_suffix_match="example.com",
4148 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4149 identity="tls user", ca_cert="auth_serv/ca.pem",
4150 private_key="auth_serv/user.pkcs12",
4151 private_key_passwd="whatever",
4152 domain_suffix_match="erver3.w1.fi",
4155 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4157 raise Exception("Timeout on EAP failure report")
4158 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4160 raise Exception("Timeout on EAP failure report (2)")
4162 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4163 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
# domain_match requires an exact name match, so both of these must fail:
#  - dev[0]: "example.com" does not match the CN at all;
#  - dev[1]: "w1.fi" is only a suffix of server3.w1.fi, which is fine for
#    domain_suffix_match but not for domain_match.
# The closing argument lines of both connect() calls and the `if ev is
# None` lines are not visible in this listing.
4164 check_domain_match(dev[0])
4165 params = int_eap_server_params()
4166 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4167 params["private_key"] = "auth_serv/server-no-dnsname.key"
4168 hostapd.add_ap(apdev[0]['ifname'], params)
4169 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4170 identity="tls user", ca_cert="auth_serv/ca.pem",
4171 private_key="auth_serv/user.pkcs12",
4172 private_key_passwd="whatever",
4173 domain_match="example.com",
4176 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4177 identity="tls user", ca_cert="auth_serv/ca.pem",
4178 private_key="auth_serv/user.pkcs12",
4179 private_key_passwd="whatever",
4180 domain_match="w1.fi",
4183 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4185 raise Exception("Timeout on EAP failure report")
4186 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4188 raise Exception("Timeout on EAP failure report (2)")
4190 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4191 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
# An expired server certificate must be rejected: the client has to report
# CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 and the text "certificate has
# expired", followed by EAP-FAILURE. The connect() call's trailing
# arguments and the `if ev is None` lines are not visible in this listing.
4192 skip_with_fips(dev[0])
4193 params = int_eap_server_params()
4194 params["server_cert"] = "auth_serv/server-expired.pem"
4195 params["private_key"] = "auth_serv/server-expired.key"
4196 hostapd.add_ap(apdev[0]['ifname'], params)
4197 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4198 identity="mschap user", password="password",
4199 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4202 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4204 raise Exception("Timeout on EAP certificate error report")
# Both the numeric reason and the human-readable text are checked so that a
# different validation failure does not pass for the expected one.
4205 if "reason=4" not in ev or "certificate has expired" not in ev:
4206 raise Exception("Unexpected failure reason: " + ev)
4207 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4209 raise Exception("Timeout on EAP failure report")
4211 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4212 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
# Same expired server certificate as above, but the client opts out of
# validity-period checks with phase1="tls_disable_time_checks=1", so the
# connection is presumably expected to complete (the trailing connect()
# arguments are not visible in this listing). This is an explicit client
# opt-out being exercised, not the default behaviour.
4213 skip_with_fips(dev[0])
4214 params = int_eap_server_params()
4215 params["server_cert"] = "auth_serv/server-expired.pem"
4216 params["private_key"] = "auth_serv/server-expired.key"
4217 hostapd.add_ap(apdev[0]['ifname'], params)
4218 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4219 identity="mschap user", password="password",
4220 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4221 phase1="tls_disable_time_checks=1",
4224 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4225 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
# Server certificate with an unusually long validity period; the test only
# checks that such a certificate can still be used for EAP-TTLS. The
# trailing connect() arguments are not visible in this listing.
4226 skip_with_fips(dev[0])
4227 params = int_eap_server_params()
4228 params["server_cert"] = "auth_serv/server-long-duration.pem"
4229 params["private_key"] = "auth_serv/server-long-duration.key"
4230 hostapd.add_ap(apdev[0]['ifname'], params)
4231 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4232 identity="mschap user", password="password",
4233 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4236 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4237 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
# The server presents a certificate whose extendedKeyUsage only allows
# client authentication; the supplicant must refuse to treat it as a server
# certificate, so EAP-FAILURE is expected. The trailing connect() arguments
# and the `if ev is None` line are not visible in this listing.
4238 skip_with_fips(dev[0])
4239 params = int_eap_server_params()
4240 params["server_cert"] = "auth_serv/server-eku-client.pem"
4241 params["private_key"] = "auth_serv/server-eku-client.key"
4242 hostapd.add_ap(apdev[0]['ifname'], params)
4243 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4244 identity="mschap user", password="password",
4245 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4248 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4250 raise Exception("Timeout on EAP failure report")
4252 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4253 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
# Counterpart of the previous test: a certificate listing both client and
# server authentication in extendedKeyUsage is acceptable for the server
# role, so no failure wait follows the connect() here. The trailing
# connect() arguments are not visible in this listing.
4254 skip_with_fips(dev[0])
4255 params = int_eap_server_params()
4256 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4257 params["private_key"] = "auth_serv/server-eku-client-server.key"
4258 hostapd.add_ap(apdev[0]['ifname'], params)
4259 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4260 identity="mschap user", password="password",
4261 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4264 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4265 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
# Server credentials loaded from a single PKCS#12 container instead of
# separate PEM files: server_cert is deleted so that private_key is the
# only source of the certificate and key. The trailing connect() arguments
# are not visible in this listing.
4266 skip_with_fips(dev[0])
4267 params = int_eap_server_params()
4268 del params["server_cert"]
4269 params["private_key"] = "auth_serv/server.pkcs12"
4270 hostapd.add_ap(apdev[0]['ifname'], params)
4271 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4272 identity="mschap user", password="password",
4273 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4276 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4277 """EAP-TTLS and server PKCS#12 file with extra certs"""
# Variant of the PKCS#12 test where the container also carries additional
# certificates and is password protected (private_key_passwd). The
# trailing connect() arguments are not visible in this listing.
4278 skip_with_fips(dev[0])
4279 params = int_eap_server_params()
4280 del params["server_cert"]
4281 params["private_key"] = "auth_serv/server-extra.pkcs12"
4282 params["private_key_passwd"] = "whatever"
4283 hostapd.add_ap(apdev[0]['ifname'], params)
4284 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4285 identity="mschap user", password="password",
4286 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    # Client-side dh_file: the DH parameters are handed to the supplicant's
    # network profile through eap_connect(); the AP keeps its defaults.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dh.conf",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Skipped when the supplicant's TLS library cannot take DSA parameters
    # as DH parameters; otherwise identical to the plain dh_file test.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
4308 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4309 """EAP-TTLS and DH params file not found"""
# NOTE(review): a second `def test_ap_wpa2_eap_ttls_dh_params_not_found`
# (the hostapd-side variant) appears later in this file and rebinds the
# same module attribute, so this client-side test is shadowed and never
# collected by the runner; one of the two needs a distinct name.
# Expected behaviour: a dh_file path that does not exist makes the
# supplicant fail the EAP exchange (EAP-FAILURE) rather than connect. The
# `if ev is None` line is not visible in this listing.
4310 skip_with_fips(dev[0])
4311 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4312 hostapd.add_ap(apdev[0]['ifname'], params)
4313 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4314 identity="mschap user", password="password",
4315 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4316 dh_file="auth_serv/dh-no-such-file.conf",
4317 scan_freq="2412", wait_connect=False)
4318 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4320 raise Exception("EAP failure timed out")
4321 dev[0].request("REMOVE_NETWORK all")
4322 dev[0].wait_disconnected()
4324 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4325 """EAP-TTLS and invalid DH params file"""
# NOTE(review): a second `def test_ap_wpa2_eap_ttls_dh_params_invalid`
# (the hostapd-side variant) appears later in this file and rebinds the
# same module attribute, so this client-side test is shadowed and never
# collected by the runner; one of the two needs a distinct name.
# Expected behaviour: pointing dh_file at a file that is not DH parameters
# (a CA certificate here) must lead to EAP-FAILURE, not to a connection with
# whatever defaults the library would otherwise pick. The `if ev is None`
# line is not visible in this listing.
4326 skip_with_fips(dev[0])
4327 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4328 hostapd.add_ap(apdev[0]['ifname'], params)
4329 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4330 identity="mschap user", password="password",
4331 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4332 dh_file="auth_serv/ca.pem",
4333 scan_freq="2412", wait_connect=False)
4334 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4336 raise Exception("EAP failure timed out")
4337 dev[0].request("REMOVE_NETWORK all")
4338 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Upload the DH parameters as a named blob over the control interface.
    # str.encode("hex") is a Python 2 idiom; binascii.hexlify() is the
    # portable equivalent.
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    reply = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    # The network profile refers to the blob instead of a file on disk.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Server-side counterpart of the dh_file tests: the integrated EAP
    # server is pointed at a non-default DH parameter file.
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Same as the server dhparams test but with DSA parameters; no
    # capability check is done here, unlike the client-side DSA variant.
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this reuses the name of the earlier client-side
    # "DH params file not found" test in this file, so that earlier
    # definition is shadowed and never runs; one of the two should be
    # renamed.
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the configuration problem can be
    # observed from the ENABLE reply: a missing dh_file must be rejected.
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): this reuses the name of the earlier client-side
    # "invalid DH params file" test in this file, so that earlier
    # definition is shadowed and never runs; one of the two should be
    # renamed.
    server_params = int_eap_server_params()
    # A CA certificate is not a DH parameter file; ENABLE must fail rather
    # than silently start the server with whatever the library defaults to.
    server_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)
    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
4386 def test_ap_wpa2_eap_reauth(dev, apdev):
4387 """WPA2-Enterprise and Authenticator forcing reauthentication"""
# The AP forces EAP reauthentication every 2 seconds (eap_reauth_period);
# after the initial EAP-PAX connection the test waits for a new EAP-STARTED
# and EAP-SUCCESS and then polls wpa_state until it is COMPLETED again.
# The `if ev is None`, `break` and sleep lines of the original are not
# visible in this listing.
4388 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4389 params['eap_reauth_period'] = '2'
4390 hostapd.add_ap(apdev[0]['ifname'], params)
4391 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
4392 password_hex="0123456789abcdef0123456789abcdef")
4393 logger.info("Wait for reauthentication")
4394 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4396 raise Exception("Timeout on reauthentication")
4397 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4399 raise Exception("Timeout on reauthentication")
# Bounded poll: EAP-SUCCESS precedes the 4-way handshake, so give the
# state machine up to 20 iterations to reach COMPLETED.
4400 for i in range(0, 20):
4401 state = dev[0].get_status_field("wpa_state")
4402 if state == "COMPLETED":
4405 if state != "COMPLETED":
4406 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message is sent in EAP-Request/Identity; the literal "\\0" in the
    # configuration string marks where the displayable text ends and the
    # attribute=value options begin. The test only verifies that the
    # supplicant still authenticates with such a message present.
    identity_msg = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap_params['eap_message'] = identity_msg
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
4416 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev, params):
4417 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
# Exercises the protected result indication (AT_RESULT_IND) for EAP-SIM,
# EAP-AKA and EAP-AKA'. For each method dev[0] enables result_ind=1 and
# also performs a fast reauthentication, while dev[1] connects without it
# so that both negotiation outcomes are covered. Credentials go through the
# external hlr_auc_gw over a UNIX socket; the password strings are the test
# Ki/OPc (and SQN for AKA) values understood by that gateway. Single-line
# gaps in the numbering are most likely blank lines in the original.
4418 check_hlr_auc_gw_support()
4419 params = int_eap_server_params()
4420 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4421 params['eap_sim_aka_result_ind'] = "1"
4422 hostapd.add_ap(apdev[0]['ifname'], params)
4424 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
4425 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4426 phase1="result_ind=1")
4427 eap_reauth(dev[0], "SIM")
4428 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
4429 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4431 dev[0].request("REMOVE_NETWORK all")
4432 dev[1].request("REMOVE_NETWORK all")
4434 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
4435 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4436 phase1="result_ind=1")
4437 eap_reauth(dev[0], "AKA")
4438 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
4439 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4441 dev[0].request("REMOVE_NETWORK all")
4442 dev[1].request("REMOVE_NETWORK all")
4444 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
4445 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4446 phase1="result_ind=1")
4447 eap_reauth(dev[0], "AKA'")
4448 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
4449 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4451 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4452 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
# Verifies that the supplicant's EAP state machine enforces a roundtrip
# limit instead of fragmenting forever: the connect() is expected to
# produce the "EAP: more than ..." event. One connect() argument line
# (presumably the parameter that forces the excessive fragmentation) and
# the `if ev is None` line are not visible in this listing.
4453 skip_with_fips(dev[0])
4454 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4455 hostapd.add_ap(apdev[0]['ifname'], params)
4456 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4457 eap="TTLS", identity="mschap user",
4458 wait_connect=False, scan_freq="2412", ieee80211w="1",
4459 anonymous_identity="ttls", password="password",
4460 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4462 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
4464 raise Exception("EAP roundtrip limit not reached")
4466 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4467 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
# The identity "vendor-test" is expected to make the server propose a
# vendor-specific (expanded) method that the client refuses, so the
# client should emit an EAP status containing "refuse proposed method"
# (the expanded NAK path) and the exchange must end in EAP-FAILURE. The
# remaining connect() arguments, the `if ev is None` lines and the loop
# exit/`else` handling are not visible in this listing.
4468 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4469 hostapd.add_ap(apdev[0]['ifname'], params)
4470 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4471 eap="PSK", identity="vendor-test",
4472 password_hex="ff23456789abcdef0123456789abcdef",
# Up to five status events are examined before giving up on the expected
# "refuse proposed method" status.
4476 for i in range(0, 5):
4477 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
4479 raise Exception("Association and EAP start timed out")
4480 if "refuse proposed method" in ev:
4484 raise Exception("Unexpected EAP status: " + ev)
4486 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4488 raise Exception("EAP failure timed out")
4490 def test_ap_wpa2_eap_sql(dev, apdev, params):
4491 """WPA2-Enterprise connection using SQLite for user DB"""
# Builds a throwaway SQLite user database in the log directory and points
# hostapd's eap_user_file at it ("sqlite:" prefix). The schema mirrors what
# hostapd expects: per-user rows with allowed methods, a wildcard row for
# the phase-1 (outer) identity, and an authlog table. Passwords are stored
# in clear text here, which is fine for a test fixture. The guarded
# `import sqlite3`, the removal of a stale dbfile, the cursor creation and
# the commit/close of the connection are on lines not visible in this
# listing.
4492 skip_with_fips(dev[0])
4496 raise HwsimSkip("No sqlite3 module available")
4497 dbfile = os.path.join(params['logdir'], "eap-user.db")
4502 con = sqlite3.connect(dbfile)
4505 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4506 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
# phase2=1 marks these as inner (tunnelled) identities.
4507 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4508 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4509 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4510 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
# Empty identity = wildcard: any outer identity may start TTLS or TLS.
4511 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4512 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4515 params = int_eap_server_params()
4516 params["eap_user_file"] = "sqlite:" + dbfile
4517 hostapd.add_ap(apdev[0]['ifname'], params)
# Each inner method is exercised once; the inner method requested by the
# client must match the per-user `methods` column for the login to succeed.
4518 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
4519 anonymous_identity="ttls", password="password",
4520 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4521 dev[0].request("REMOVE_NETWORK all")
4522 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
4523 anonymous_identity="ttls", password="password",
4524 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4525 dev[1].request("REMOVE_NETWORK all")
4526 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
4527 anonymous_identity="ttls", password="password",
4528 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4529 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
4530 anonymous_identity="ttls", password="password",
4531 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4535 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4536 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Robustness check against the integrated EAP server: identities containing
# a raw 0x80 byte (alone and after an ASCII character) must still get
# through association, EAP start and method selection without crashing or
# stalling either side. No successful authentication is expected, only that
# the method-selection stage is reached. The `if ev is None` lines are not
# visible in this listing.
4537 params = int_eap_server_params()
4538 hostapd.add_ap(apdev[0]['ifname'], params)
4539 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4540 identity="\x80", password="password", wait_connect=False)
4541 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4542 identity="a\x80", password="password", wait_connect=False)
4543 for i in range(0, 2):
4544 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4546 raise Exception("Association and EAP start timed out")
4547 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4549 raise Exception("EAP method selection timed out")
4551 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4552 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Same non-ASCII identity check as test_ap_wpa2_eap_non_ascii_identity,
# but against the RADIUS-backed AP configuration (wpa2_eap_params) instead
# of the integrated EAP server, so the identity also traverses RADIUS.
# The `if ev is None` lines are not visible in this listing.
4553 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4554 hostapd.add_ap(apdev[0]['ifname'], params)
4555 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4556 identity="\x80", password="password", wait_connect=False)
4557 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4558 identity="a\x80", password="password", wait_connect=False)
4559 for i in range(0, 2):
4560 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4562 raise Exception("Association and EAP start timed out")
4563 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4565 raise Exception("EAP method selection timed out")
4567 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4568 """OpenSSL cipher suite configuration on wpa_supplicant"""
# Client-side openssl_ciphers handling, three cases:
#  - dev[0]: a restrictive but valid list ("AES128") still connects;
#  - dev[1]: "EXPORT" must fail (export-grade suites are unavailable, so no
#    suite can be negotiated); maybe_local_error covers the case where the
#    failure is detected locally before any handshake message is sent;
#  - dev[2]: a nonsensical list ("FOO") must be reported as EAP-FAILURE.
# The trailing connect() arguments and the `if ev is None` line are not
# visible in this listing; `hapd` is assigned but unused.
4569 tls = dev[0].request("GET tls_library")
4570 if not tls.startswith("OpenSSL"):
4571 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4572 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4573 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4574 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4575 anonymous_identity="ttls", password="password",
4576 openssl_ciphers="AES128",
4577 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4578 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
4579 anonymous_identity="ttls", password="password",
4580 openssl_ciphers="EXPORT",
4581 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4582 expect_failure=True, maybe_local_error=True)
4583 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4584 identity="pap user", anonymous_identity="ttls",
4585 password="password",
4586 openssl_ciphers="FOO",
4587 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4589 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4591 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4592 dev[2].request("DISCONNECT")
4594 def test_openssl_cipher_suite_config_hapd(dev, apdev):
4595 """OpenSSL cipher suite configuration on hostapd"""
# Server-side openssl_ciphers handling. Both ends must be OpenSSL-based,
# checked separately for wpa_supplicant and hostapd. With the server
# restricted to "AES256":
#  - dev[0] with default client ciphers connects;
#  - dev[1] restricted to "AES128" has no suite in common and must fail;
#  - dev[2] with "HIGH:!ADH" overlaps and connects.
# Finally an invalid server list ("FOO") must be rejected at ENABLE time on
# a second AP. The one-line gap before the "FOO" case is presumably blank.
4596 tls = dev[0].request("GET tls_library")
4597 if not tls.startswith("OpenSSL"):
4598 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
4599 params = int_eap_server_params()
4600 params['openssl_ciphers'] = "AES256"
4601 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4602 tls = hapd.request("GET tls_library")
4603 if not tls.startswith("OpenSSL"):
4604 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
4605 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4606 anonymous_identity="ttls", password="password",
4607 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4608 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
4609 anonymous_identity="ttls", password="password",
4610 openssl_ciphers="AES128",
4611 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4612 expect_failure=True)
4613 eap_connect(dev[2], apdev[0], "TTLS", "pap user",
4614 anonymous_identity="ttls", password="password",
4615 openssl_ciphers="HIGH:!ADH",
4616 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4618 params['openssl_ciphers'] = "FOO"
4619 hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
4620 if "FAIL" not in hapd2.request("ENABLE"):
4621 raise Exception("Invalid openssl_ciphers value accepted")
4623 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
4624 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Key-hygiene test: snapshots wpa_supplicant's process memory at four
# points (associated, disconnected, after PMKSA/fast-reauth flush, after
# network removal) and checks which secrets are still present. The
# expected keys are recovered from the hexdump lines in the debug log.
# Many lines are not visible in this listing: the wait before the first
# memory read, the initialisation of msk/emsk/pmk/ptk/gtk, the split of
# ptk into kck/kek/tk, the GTK length check and several `if ... not in
# buf` conditions.
4625 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4626 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# Long random-looking password so that memory matches are unambiguous.
4627 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4628 pid = find_wpas_process(dev[0])
4629 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
4630 anonymous_identity="ttls", password=password,
4631 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4632 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4633 # event has been delivered, so verify that wpa_supplicant has returned to
4634 # eloop before reading process memory.
4637 buf = read_process_memory(pid, password)
4639 dev[0].request("DISCONNECT")
4640 dev[0].wait_disconnected()
# Parse the key material out of the debug log: each hexdump line has the
# form "<prefix>: <name> - hexdump(len=N): aa bb ..."; the 4th ':'-field is
# the hex payload with spaces removed.
4648 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
4649 for l in f.readlines():
4650 if "EAP-TTLS: Derived key - hexdump" in l:
4651 val = l.strip().split(':')[3].replace(' ', '')
4652 msk = binascii.unhexlify(val)
4653 if "EAP-TTLS: Derived EMSK - hexdump" in l:
4654 val = l.strip().split(':')[3].replace(' ', '')
4655 emsk = binascii.unhexlify(val)
4656 if "WPA: PMK - hexdump" in l:
4657 val = l.strip().split(':')[3].replace(' ', '')
4658 pmk = binascii.unhexlify(val)
4659 if "WPA: PTK - hexdump" in l:
4660 val = l.strip().split(':')[3].replace(' ', '')
4661 ptk = binascii.unhexlify(val)
4662 if "WPA: Group Key - hexdump" in l:
4663 val = l.strip().split(':')[3].replace(' ', '')
4664 gtk = binascii.unhexlify(val)
# NOTE(review): if any of these names were never assigned in the loop this
# would raise a NameError instead of the intended Exception; their
# initialisation to None is presumably on the omitted lines above.
4665 if not msk or not emsk or not pmk or not ptk or not gtk:
4666 raise Exception("Could not find keys from debug log")
4668 raise Exception("Unexpected GTK length")
# Memory-dump prefix used by verify_not_present() when a key is found.
4674 fname = os.path.join(params['logdir'],
4675 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# While associated: password, PMK, KCK and KEK are expected in memory; the
# TK and GTK must already have been wiped after being pushed to the driver.
4677 logger.info("Checking keys in memory while associated")
4678 get_key_locations(buf, password, "Password")
4679 get_key_locations(buf, pmk, "PMK")
4680 get_key_locations(buf, msk, "MSK")
4681 get_key_locations(buf, emsk, "EMSK")
4682 if password not in buf:
4683 raise HwsimSkip("Password not found while associated")
4685 raise HwsimSkip("PMK not found while associated")
4687 raise Exception("KCK not found while associated")
4689 raise Exception("KEK not found while associated")
4691 raise Exception("TK found from memory")
4693 get_key_locations(buf, gtk, "GTK")
4694 raise Exception("GTK found from memory")
# After disconnection: PTK-derived keys and GTK must be gone; password and
# PMK legitimately survive (see the two notes below).
4696 logger.info("Checking keys in memory after disassociation")
4697 buf = read_process_memory(pid, password)
4699 # Note: Password is still present in network configuration
4700 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4702 get_key_locations(buf, password, "Password")
4703 get_key_locations(buf, pmk, "PMK")
4704 get_key_locations(buf, msk, "MSK")
4705 get_key_locations(buf, emsk, "EMSK")
4706 verify_not_present(buf, kck, fname, "KCK")
4707 verify_not_present(buf, kek, fname, "KEK")
4708 verify_not_present(buf, tk, fname, "TK")
4709 verify_not_present(buf, gtk, fname, "GTK")
# Flushing the PMKSA cache and changing the identity (which drops the EAP
# fast re-auth state) must remove the PMK as well.
4711 dev[0].request("PMKSA_FLUSH")
4712 dev[0].set_network_quoted(id, "identity", "foo")
4713 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4714 buf = read_process_memory(pid, password)
4715 get_key_locations(buf, password, "Password")
4716 get_key_locations(buf, pmk, "PMK")
4717 get_key_locations(buf, msk, "MSK")
4718 get_key_locations(buf, emsk, "EMSK")
4719 verify_not_present(buf, pmk, fname, "PMK")
# After the network profile is removed nothing secret may remain, including
# the password and the EAP-derived MSK/EMSK.
4721 dev[0].request("REMOVE_NETWORK all")
4723 logger.info("Checking keys in memory after network profile removal")
4724 buf = read_process_memory(pid, password)
4726 get_key_locations(buf, password, "Password")
4727 get_key_locations(buf, pmk, "PMK")
4728 get_key_locations(buf, msk, "MSK")
4729 get_key_locations(buf, emsk, "EMSK")
4730 verify_not_present(buf, password, fname, "password")
4731 verify_not_present(buf, pmk, fname, "PMK")
4732 verify_not_present(buf, kck, fname, "KCK")
4733 verify_not_present(buf, kek, fname, "KEK")
4734 verify_not_present(buf, tk, fname, "TK")
4735 verify_not_present(buf, gtk, fname, "GTK")
4736 verify_not_present(buf, msk, fname, "MSK")
4737 verify_not_present(buf, emsk, fname, "EMSK")
4739 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
4740 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# After a normal EAP-TTLS connection, an EAPOL-Key frame of the legacy
# (RC4/WEP, descriptor type 1) kind is fed to the supplicant through the
# EAPOL_RX control-interface command. In a WPA2 association such a frame
# has no business arriving and must be discarded; the test only checks that
# the injection command itself is accepted ("OK"). The `if "OK" not in
# res` line is not visible in this listing.
4741 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4742 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4743 bssid = apdev[0]['bssid']
4744 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4745 anonymous_identity="ttls", password="password",
4746 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4748 # Send unexpected WEP EAPOL-Key; this gets dropped
4749 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
4751 raise Exception("EAPOL_RX to wpa_supplicant failed")
4753 def test_ap_wpa2_eap_in_bridge(dev, apdev):
4754 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs _test_ap_wpa2_eap_in_bridge() and always tears the
# bridge down afterwards. The definitions of br_ifname/ifname and the
# try/finally frame are on lines not visible in this listing. Cleanup uses
# subprocess.call() (return codes ignored) so that one failing step does
# not prevent the remaining teardown commands from running.
4758 _test_ap_wpa2_eap_in_bridge(dev, apdev)
4760 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
4761 subprocess.call(['brctl', 'delif', br_ifname, ifname])
4762 subprocess.call(['brctl', 'delbr', br_ifname])
4763 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
4765 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of the bridge test: a separate wpa_supplicant instance (global
# control socket /tmp/wpas-wlan5) gets an interface that is a member of a
# freshly created bridge, then authenticates with EAP-PAX, reauthenticates
# twice, and goes through a disconnect/reconnect cycle. The assignments of
# br_ifname/ifname and a few intermediate lines are not visible in this
# listing.
4766 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4767 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4771 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Bridge setup; forwarding delay 0 so traffic flows immediately. 4addr mode
# is presumably needed so the station interface can be bridged. Only addif
# uses check_call(), i.e. only that step aborts the test on failure.
4772 subprocess.call(['brctl', 'addbr', br_ifname])
4773 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
4774 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
4775 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
4776 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
4777 wpas.interface_add(ifname, br_ifname=br_ifname)
4780 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
4781 password_hex="0123456789abcdef0123456789abcdef")
4783 eap_reauth(wpas, "PAX")
4785 # Try again as a regression test for packet socket workaround
4786 eap_reauth(wpas, "PAX")
4788 wpas.request("DISCONNECT")
4789 wpas.wait_disconnected()
4791 wpas.request("RECONNECT")
4792 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity check on GET_CONFIG: the first key_mgmt token must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 explicitly leaves TLS session tickets
    # enabled on the client; the following reauthentication presumably
    # exercises the ticket-based resumption path.
    ttls_args = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase1": "tls_disable_session_ticket=0",
        "phase2": "auth=PAP",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    eap_reauth(dev[0], "TTLS")
4808 def test_ap_wpa2_eap_no_workaround(dev, apdev):
4809 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
4810 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4811 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4812 key_mgmt = hapd.get_config()['key_mgmt']
4813 if key_mgmt.split(' ')[0] != "WPA-EAP":
4814 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
4815 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4816 anonymous_identity="ttls", password="password",
4817 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4819 eap_reauth(dev[0], "TTLS")
4821 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
4822 """EAP-TLS and server checking CRL"""
4823 params = int_eap_server_params()
4824 params['check_crl'] = '1'
4825 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4827 # check_crl=1 and no CRL available --> reject connection
4828 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4829 client_cert="auth_serv/user.pem",
4830 private_key="auth_serv/user.key", expect_failure=True)
4831 dev[0].request("REMOVE_NETWORK all")
4834 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
4837 # check_crl=1 and valid CRL --> accept
4838 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4839 client_cert="auth_serv/user.pem",
4840 private_key="auth_serv/user.key")
4841 dev[0].request("REMOVE_NETWORK all")
4844 hapd.set("check_crl", "2")
4847 # check_crl=2 and valid CRL --> accept
4848 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4849 client_cert="auth_serv/user.pem",
4850 private_key="auth_serv/user.key")
4851 dev[0].request("REMOVE_NETWORK all")
4853 def test_ap_wpa2_eap_tls_oom(dev, apdev):
4854 """EAP-TLS and OOM"""
4855 check_subject_match_support(dev[0])
4856 check_altsubject_match_support(dev[0])
4857 check_domain_match(dev[0])
4858 check_domain_match_full(dev[0])
4860 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4861 hostapd.add_ap(apdev[0]['ifname'], params)
4863 tests = [ (1, "tls_connection_set_subject_match"),
4864 (2, "tls_connection_set_subject_match"),
4865 (3, "tls_connection_set_subject_match"),
4866 (4, "tls_connection_set_subject_match") ]
4867 for count, func in tests:
4868 with alloc_fail(dev[0], count, func):
4869 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4870 identity="tls user", ca_cert="auth_serv/ca.pem",
4871 client_cert="auth_serv/user.pem",
4872 private_key="auth_serv/user.key",
4873 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
4874 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
4875 domain_suffix_match="server.w1.fi",
4876 domain_match="server.w1.fi",
4877 wait_connect=False, scan_freq="2412")
4878 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
4879 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
4881 raise Exception("No passphrase request")
4882 dev[0].request("REMOVE_NETWORK all")
4883 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP is configured with macaddr_acl=2 on top of the stock WPA2-EAP
    parameters and a single EAP-TLS connection from dev[1] is expected to
    succeed.
    """
    ap = apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2 is hostapd's RADIUS-backed MAC ACL mode (see the
    # macaddr_acl description in hostapd.conf).
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(ap['ifname'], ap_params)

    # NOTE(review): dev[1] rather than dev[0] is used here, presumably
    # because its MAC address is the one listed in the test RADIUS ACL
    # configuration -- confirm against the auth_serv configuration.
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], ap, "TLS", "tls user", **tls_creds)
4894 def test_ap_wpa2_eap_oom(dev, apdev):
4895 """EAP server and OOM"""
4896 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4897 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4898 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
4900 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
4901 # The first attempt fails, but STA will send EAPOL-Start to retry and
4903 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4904 identity="tls user", ca_cert="auth_serv/ca.pem",
4905 client_cert="auth_serv/user.pem",
4906 private_key="auth_serv/user.key",
4909 def check_tls_ver(dev, ap, phase1, expected):
4910 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4911 client_cert="auth_serv/user.pem",
4912 private_key="auth_serv/user.key",
4914 ver = dev.get_status_field("eap_tls_version")
4916 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
4918 def test_ap_wpa2_eap_tls_versions(dev, apdev):
4919 """EAP-TLS and TLS version configuration"""
4920 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4921 hostapd.add_ap(apdev[0]['ifname'], params)
4923 tls = dev[0].request("GET tls_library")
4924 if tls.startswith("OpenSSL"):
4925 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
4926 check_tls_ver(dev[0], apdev[0],
4927 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
4929 elif tls.startswith("internal"):
4930 check_tls_ver(dev[0], apdev[0],
4931 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
4932 check_tls_ver(dev[1], apdev[0],
4933 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
4934 check_tls_ver(dev[2], apdev[0],
4935 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
4937 def test_rsn_ie_proto_eap_sta(dev, apdev):
4938 """RSN element protocol testing for EAP cases on STA side"""
4939 bssid = apdev[0]['bssid']
4940 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4941 # This is the RSN element used normally by hostapd
4942 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
4943 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4944 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4945 identity="gpsk user",
4946 password="abcdefghijklmnop0123456789abcdef",
4949 tests = [ ('No RSN Capabilities field',
4950 '30120100000fac040100000fac040100000fac01'),
4951 ('No AKM Suite fields',
4952 '300c0100000fac040100000fac04'),
4953 ('No Pairwise Cipher Suite fields',
4954 '30060100000fac04'),
4955 ('No Group Data Cipher Suite field',
4957 for txt,ie in tests:
4958 dev[0].request("DISCONNECT")
4959 dev[0].wait_disconnected()
4962 hapd.set('own_ie_override', ie)
4964 dev[0].request("BSS_FLUSH 0")
4965 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
4966 dev[0].select_network(id, freq=2412)
4967 dev[0].wait_connected()
4969 dev[0].request("DISCONNECT")
4970 dev[0].wait_disconnected()
4971 dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the current test unless both ends use OpenSSL.

    The hostapd (EAP server) side is queried first, then the wpa_supplicant
    side; the first "GET tls_library" answer that does not start with
    "OpenSSL" raises HwsimSkip with a message naming the reported library.

    Args:
        dev: wpa_supplicant control interface object (has request()).
        hapd: hostapd control interface object (has request()).

    Raises:
        HwsimSkip: if either side reports a TLS library other than OpenSSL.
    """
    endpoints = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for endpoint, reason in endpoints:
        lib = endpoint.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
4982 def test_eap_ttls_pap_session_resumption(dev, apdev):
4983 """EAP-TTLS/PAP session resumption"""
4984 params = int_eap_server_params()
4985 params['tls_session_lifetime'] = '60'
4986 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4987 check_tls_session_resumption_capa(dev[0], hapd)
4988 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4989 anonymous_identity="ttls", password="password",
4990 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4992 if dev[0].get_status_field("tls_session_reused") != '0':
4993 raise Exception("Unexpected session resumption on the first connection")
4995 dev[0].request("REAUTHENTICATE")
4996 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4998 raise Exception("EAP success timed out")
4999 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5001 raise Exception("Key handshake with the AP timed out")
5002 if dev[0].get_status_field("tls_session_reused") != '1':
5003 raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    The first EAP-TTLS/CHAP authentication must be a full handshake
    (tls_session_reused == '0'); after REAUTHENTICATE the cached TLS session
    must be resumed (tls_session_reused == '1') while the server-side
    tls_session_lifetime of 60 seconds is in force.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        # A missed control-interface event is a test failure, not a retry.
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    _check_reused('0', "Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_reused('1', "Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Requires domain_suffix_match support on the station. The first
    EAP-TTLS/MSCHAP authentication must be a full handshake
    (tls_session_reused == '0'); after REAUTHENTICATE the cached TLS session
    must be resumed (tls_session_reused == '1') within the 60 second
    server-side tls_session_lifetime.
    """
    sta = dev[0]
    check_domain_suffix_match(sta)

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    # domain_suffix_match pins the server certificate name in addition to the
    # CA check, so the resumed session is also tied to that identity check.
    eap_connect(sta, apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    _check_reused('0', "Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_reused('1', "Session resumption not used on the second connection")
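def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Requires domain_suffix_match and EAP-MSCHAPV2 support on the station.
    The first EAP-TTLS/MSCHAPv2 authentication must be a full handshake
    (tls_session_reused == '0'); after REAUTHENTICATE the cached TLS session
    must be resumed (tls_session_reused == '1') within the 60 second
    server-side tls_session_lifetime.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity carries a literal backslash ("DOMAIN\mschapv2 user" on the
    # wire). It is written as "\\" because "\m" is an invalid escape sequence
    # that newer Python versions warn about; the runtime string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")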
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    The first EAP-TTLS authentication with the EAP-GTC inner method must be a
    full handshake (tls_session_reused == '0'); after REAUTHENTICATE the
    cached TLS session must be resumed (tls_session_reused == '1') within
    the 60 second server-side tls_session_lifetime.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    # phase2 "autheap=GTC" selects an EAP inner method (as opposed to the
    # legacy "auth=" PAP/CHAP/MSCHAP tunnelled methods).
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    _check_reused('0', "Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_reused('1', "Session resumption not used on the second connection")
5098 def test_eap_ttls_no_session_resumption(dev, apdev):
5099 """EAP-TTLS session resumption disabled on server"""
5100 params = int_eap_server_params()
5101 params['tls_session_lifetime'] = '0'
5102 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5103 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
5104 anonymous_identity="ttls", password="password",
5105 ca_cert="auth_serv/ca.pem", eap_workaround='0',
5107 if dev[0].get_status_field("tls_session_reused") != '0':
5108 raise Exception("Unexpected session resumption on the first connection")
5110 dev[0].request("REAUTHENTICATE")
5111 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5113 raise Exception("EAP success timed out")
5114 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5116 raise Exception("Key handshake with the AP timed out")
5117 if dev[0].get_status_field("tls_session_reused") != '0':
5118 raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    The first EAP-PEAP/MSCHAPv2 authentication must be a full handshake
    (tls_session_reused == '0'); after REAUTHENTICATE the cached TLS session
    must be resumed (tls_session_reused == '1') within the 60 second
    server-side tls_session_lifetime.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    _check_reused('0', "Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_reused('1', "Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Same flow as the plain EAP-PEAP resumption test, but with phase1
    "peapver=0 crypto_binding=2" so that the inner-method result is
    cryptographically bound to the TLS tunnel; the resumed session must
    still satisfy that binding. First connection: tls_session_reused == '0';
    after REAUTHENTICATE: tls_session_reused == '1'.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    _check_reused('0', "Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_reused('1', "Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    The server parameters are taken from int_eap_server_params() without
    setting tls_session_lifetime, so no TLS session may be resumed: both the
    first connection and the one after REAUTHENTICATE must report
    tls_session_reused == '0'.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_not_reused(msg):
        if sta.get_status_field("tls_session_reused") != '0':
            raise Exception(msg)

    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    eap_connect(sta, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    _check_not_reused("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_not_reused("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    The first EAP-TLS authentication must be a full handshake
    (tls_session_reused == '0'). Two REAUTHENTICATE rounds follow and each
    of them must resume the cached TLS session (tls_session_reused == '1')
    while the 60 second server-side tls_session_lifetime is in force.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_reused(expected, msg):
        if sta.get_status_field("tls_session_reused") != expected:
            raise Exception(msg)

    srv = int_eap_server_params()
    srv['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    check_tls_session_resumption_capa(sta, hapd)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    _check_reused('0', "Unexpected session resumption on the first connection")

    # Resumption must keep working across consecutive re-authentications,
    # not only for the first one after the full handshake.
    for ordinal in ("second", "third"):
        sta.request("REAUTHENTICATE")
        _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
        _wait_for("WPA: Key negotiation completed",
                  "Key handshake with the AP timed out")
        _check_reused('1', "Session resumption not used on the %s connection"
                      % ordinal)
5217 def test_eap_tls_session_resumption_expiration(dev, apdev):
5218 """EAP-TLS session resumption"""
5219 params = int_eap_server_params()
5220 params['tls_session_lifetime'] = '1'
5221 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5222 check_tls_session_resumption_capa(dev[0], hapd)
5223 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5224 client_cert="auth_serv/user.pem",
5225 private_key="auth_serv/user.key")
5226 if dev[0].get_status_field("tls_session_reused") != '0':
5227 raise Exception("Unexpected session resumption on the first connection")
5229 # Allow multiple attempts since OpenSSL may not expire the cached entry
5234 dev[0].request("REAUTHENTICATE")
5235 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5237 raise Exception("EAP success timed out")
5238 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5240 raise Exception("Key handshake with the AP timed out")
5241 if dev[0].get_status_field("tls_session_reused") == '0':
5243 if dev[0].get_status_field("tls_session_reused") != '0':
5244 raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    The server parameters are taken from int_eap_server_params() without
    setting tls_session_lifetime, so no TLS session may be resumed: both the
    first EAP-TLS connection and the one after REAUTHENTICATE must report
    tls_session_reused == '0'.
    """
    sta = dev[0]

    def _wait_for(event, msg):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception(msg)

    def _check_not_reused(msg):
        if sta.get_status_field("tls_session_reused") != '0':
            raise Exception(msg)

    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    _check_not_reused("Unexpected session resumption on the first connection")

    sta.request("REAUTHENTICATE")
    _wait_for("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out")
    _wait_for("WPA: Key negotiation completed",
              "Key handshake with the AP timed out")
    _check_not_reused("Unexpected session resumption on the second connection")
5266 def test_eap_tls_session_resumption_radius(dev, apdev):
5267 """EAP-TLS session resumption (RADIUS)"""
5268 params = { "ssid": "as", "beacon_int": "2000",
5269 "radius_server_clients": "auth_serv/radius_clients.conf",
5270 "radius_server_auth_port": '18128',
5272 "eap_user_file": "auth_serv/eap_user.conf",
5273 "ca_cert": "auth_serv/ca.pem",
5274 "server_cert": "auth_serv/server.pem",
5275 "private_key": "auth_serv/server.key",
5276 "tls_session_lifetime": "60" }
5277 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
5278 check_tls_session_resumption_capa(dev[0], authsrv)
5280 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5281 params['auth_server_port'] = "18128"
5282 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5283 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5284 client_cert="auth_serv/user.pem",
5285 private_key="auth_serv/user.key")
5286 if dev[0].get_status_field("tls_session_reused") != '0':
5287 raise Exception("Unexpected session resumption on the first connection")
5289 dev[0].request("REAUTHENTICATE")
5290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5292 raise Exception("EAP success timed out")
5293 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5295 raise Exception("Key handshake with the AP timed out")
5296 if dev[0].get_status_field("tls_session_reused") != '1':
5297 raise Exception("Session resumption not used on the second connection")
5299 def test_eap_tls_no_session_resumption_radius(dev, apdev):
5300 """EAP-TLS session resumption disabled (RADIUS)"""
5301 params = { "ssid": "as", "beacon_int": "2000",
5302 "radius_server_clients": "auth_serv/radius_clients.conf",
5303 "radius_server_auth_port": '18128',
5305 "eap_user_file": "auth_serv/eap_user.conf",
5306 "ca_cert": "auth_serv/ca.pem",
5307 "server_cert": "auth_serv/server.pem",
5308 "private_key": "auth_serv/server.key",
5309 "tls_session_lifetime": "0" }
5310 hostapd.add_ap(apdev[1]['ifname'], params)
5312 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5313 params['auth_server_port'] = "18128"
5314 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5315 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
5316 client_cert="auth_serv/user.pem",
5317 private_key="auth_serv/user.key")
5318 if dev[0].get_status_field("tls_session_reused") != '0':
5319 raise Exception("Unexpected session resumption on the first connection")
5321 dev[0].request("REAUTHENTICATE")
5322 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5324 raise Exception("EAP success timed out")
5325 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
5327 raise Exception("Key handshake with the AP timed out")
5328 if dev[0].get_status_field("tls_session_reused") != '0':
5329 raise Exception("Unexpected session resumption on the second connection")
5331 def test_eap_mschapv2_errors(dev, apdev):
5332 """EAP-MSCHAPv2 error cases"""
5333 check_eap_capa(dev[0], "MSCHAPV2")
5334 check_eap_capa(dev[0], "FAST")
5336 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5337 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5338 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5339 identity="phase1-user", password="password",
5341 dev[0].request("REMOVE_NETWORK all")
5342 dev[0].wait_disconnected()
5344 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5345 (1, "nt_password_hash;mschapv2_derive_response"),
5346 (1, "nt_password_hash;=mschapv2_derive_response"),
5347 (1, "generate_nt_response;mschapv2_derive_response"),
5348 (1, "generate_authenticator_response;mschapv2_derive_response"),
5349 (1, "nt_password_hash;=mschapv2_derive_response"),
5350 (1, "get_master_key;mschapv2_derive_response"),
5351 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5352 for count, func in tests:
5353 with fail_test(dev[0], count, func):
5354 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5355 identity="phase1-user", password="password",
5356 wait_connect=False, scan_freq="2412")
5357 wait_fail_trigger(dev[0], "GET_FAIL")
5358 dev[0].request("REMOVE_NETWORK all")
5359 dev[0].wait_disconnected()
5361 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5362 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5363 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5364 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5365 for count, func in tests:
5366 with fail_test(dev[0], count, func):
5367 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5368 identity="phase1-user",
5369 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5370 wait_connect=False, scan_freq="2412")
5371 wait_fail_trigger(dev[0], "GET_FAIL")
5372 dev[0].request("REMOVE_NETWORK all")
5373 dev[0].wait_disconnected()
5375 tests = [ (1, "eap_mschapv2_init"),
5376 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5377 (1, "eap_msg_alloc;eap_mschapv2_success"),
5378 (1, "eap_mschapv2_getKey") ]
5379 for count, func in tests:
5380 with alloc_fail(dev[0], count, func):
5381 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5382 identity="phase1-user", password="password",
5383 wait_connect=False, scan_freq="2412")
5384 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5385 dev[0].request("REMOVE_NETWORK all")
5386 dev[0].wait_disconnected()
5388 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5389 for count, func in tests:
5390 with alloc_fail(dev[0], count, func):
5391 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
5392 identity="phase1-user", password="wrong password",
5393 wait_connect=False, scan_freq="2412")
5394 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5395 dev[0].request("REMOVE_NETWORK all")
5396 dev[0].wait_disconnected()
5398 tests = [ (2, "eap_mschapv2_init"),
5399 (3, "eap_mschapv2_init") ]
5400 for count, func in tests:
5401 with alloc_fail(dev[0], count, func):
5402 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
5403 anonymous_identity="FAST", identity="user",
5404 password="password",
5405 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5406 phase1="fast_provisioning=1",
5407 pac_file="blob://fast_pac",
5408 wait_connect=False, scan_freq="2412")
5409 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5410 dev[0].request("REMOVE_NETWORK all")
5411 dev[0].wait_disconnected()
5413 def test_eap_gpsk_errors(dev, apdev):
5414 """EAP-GPSK error cases"""
5415 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
5416 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5417 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5418 identity="gpsk user",
5419 password="abcdefghijklmnop0123456789abcdef",
5421 dev[0].request("REMOVE_NETWORK all")
5422 dev[0].wait_disconnected()
5424 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5425 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5427 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5429 (1, "eap_gpsk_derive_keys_helper", None),
5430 (2, "eap_gpsk_derive_keys_helper", None),
5431 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5433 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5435 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5436 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5437 (1, "eap_gpsk_derive_mid_helper", None) ]
5438 for count, func, phase1 in tests:
5439 with fail_test(dev[0], count, func):
5440 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5441 identity="gpsk user",
5442 password="abcdefghijklmnop0123456789abcdef",
5444 wait_connect=False, scan_freq="2412")
5445 wait_fail_trigger(dev[0], "GET_FAIL")
5446 dev[0].request("REMOVE_NETWORK all")
5447 dev[0].wait_disconnected()
5449 tests = [ (1, "eap_gpsk_init"),
5450 (2, "eap_gpsk_init"),
5451 (3, "eap_gpsk_init"),
5452 (1, "eap_gpsk_process_id_server"),
5453 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5454 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5455 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5456 (1, "eap_gpsk_derive_keys"),
5457 (1, "eap_gpsk_derive_keys_helper"),
5458 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5459 (1, "eap_gpsk_getKey"),
5460 (1, "eap_gpsk_get_emsk"),
5461 (1, "eap_gpsk_get_session_id") ]
5462 for count, func in tests:
5463 with alloc_fail(dev[0], count, func):
5464 dev[0].request("ERP_FLUSH")
5465 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
5466 identity="gpsk user", erp="1",
5467 password="abcdefghijklmnop0123456789abcdef",
5468 wait_connect=False, scan_freq="2412")
5469 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5470 dev[0].request("REMOVE_NETWORK all")
5471 dev[0].wait_disconnected()
5473 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
5474 """EAP-SIM DB error cases"""
5475 sockpath = '/tmp/hlr_auc_gw.sock-test'
5480 hparams = int_eap_server_params()
5481 hparams['eap_sim_db'] = 'unix:' + sockpath
5482 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
5484 # Initial test with hlr_auc_gw socket not available
5485 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
5486 eap="SIM", identity="1232010000000000",
5487 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5488 scan_freq="2412", wait_connect=False)
5489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5491 raise Exception("EAP-Failure not reported")
5492 dev[0].wait_disconnected()
5493 dev[0].request("DISCONNECT")
5495 # Test with invalid responses and response timeout
5497 class test_handler(SocketServer.DatagramRequestHandler):
5499 data = self.request[0].strip()
5500 socket = self.request[1]
5501 logger.debug("Received hlr_auc_gw request: " + data)
5502 # EAP-SIM DB: Failed to parse response string
5503 socket.sendto("FOO", self.client_address)
5504 # EAP-SIM DB: Failed to parse response string
5505 socket.sendto("FOO 1", self.client_address)
5506 # EAP-SIM DB: Unknown external response
5507 socket.sendto("FOO 1 2", self.client_address)
5508 logger.info("No proper response - wait for pending eap_sim_db request timeout")
5510 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
5513 dev[0].select_network(id)
5514 server.handle_request()
5515 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
5517 raise Exception("EAP-Failure not reported")
5518 dev[0].wait_disconnected()
5519 dev[0].request("DISCONNECT")
5521 # Test with a valid response
5523 class test_handler2(SocketServer.DatagramRequestHandler):
5525 data = self.request[0].strip()
5526 socket = self.request[1]
5527 logger.debug("Received hlr_auc_gw request: " + data)
5528 fname = os.path.join(params['logdir'],
5529 'hlr_auc_gw.milenage_db')
5530 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
5532 stdout=subprocess.PIPE)
5533 res = cmd.stdout.read().strip()
5535 logger.debug("hlr_auc_gw response: " + res)
5536 socket.sendto(res, self.client_address)
5538 server.RequestHandlerClass = test_handler2
5540 dev[0].select_network(id)
5541 server.handle_request()
5542 dev[0].wait_connected()
5543 dev[0].request("DISCONNECT")
5544 dev[0].wait_disconnected()
5546 def test_eap_tls_sha512(dev, apdev, params):
5547 """EAP-TLS with SHA512 signature"""
5548 params = int_eap_server_params()
5549 params["ca_cert"] = "auth_serv/sha512-ca.pem"
5550 params["server_cert"] = "auth_serv/sha512-server.pem"
5551 params["private_key"] = "auth_serv/sha512-server.key"
5552 hostapd.add_ap(apdev[0]['ifname'], params)
5554 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5555 identity="tls user sha512",
5556 ca_cert="auth_serv/sha512-ca.pem",
5557 client_cert="auth_serv/sha512-user.pem",
5558 private_key="auth_serv/sha512-user.key",
5560 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5561 identity="tls user sha512",
5562 ca_cert="auth_serv/sha512-ca.pem",
5563 client_cert="auth_serv/sha384-user.pem",
5564 private_key="auth_serv/sha384-user.key",
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature.

    Mirror of test_eap_tls_sha512 with the server side swapped: the server
    certificate is the SHA-384 signed sha384-server.pem, still under
    sha512-ca.pem.  dev[0] (SHA-512 signed client certificate) and dev[1]
    (SHA-384 signed client certificate) both validate the server against
    sha512-ca.pem and are expected to associate (connect() blocks until
    associated since wait_connect=False is not passed).

    NOTE(review): this listing drops the final argument line of both
    connect() calls below, so the code is reproduced as listed and cannot
    run in this form; confirm against the upstream file.
    """
    params = int_eap_server_params()
    # SHA-512 CA, SHA-384 signed server certificate.
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # SHA-512 signed client certificate against the SHA-384 server.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
    # SHA-384 signed client certificate against the SHA-384 server.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences.

    Injects hand-built RSN IEs into the (Re)Association Request via
    set_test_assoc_ie() and checks that the AP tolerates omitted or extended
    optional trailing fields, but rejects a cipher mismatch or a management
    frame protection (MFP) mismatch with the expected IEEE 802.11 status
    code.  The rejection cases are the security-relevant ones: a station must
    not be able to negotiate a cipher the AP did not advertise, and an AP
    with PMF required must not accept a station that does not offer it.

    NOTE(review): this listing drops several lines of the original function
    (the closing argument line of the connect() calls in the first two
    loops, the guard in front of each "Association rejection not reported"
    raise and, judging by the otherwise unused ``title``, a per-case log
    line).  The code is reproduced as listed; confirm against the upstream
    file before running it.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Second AP with PMF required (ieee80211w=2) for the MFP cases.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)
    # Success cases with optional RSN IE fields removed one by one.
    # Layout of the hex: EID 0x30, length, version 0x0001, group cipher
    # 00-0F-AC:4 (CCMP), one pairwise cipher 00-0F-AC:4, one AKM 00-0F-AC:1
    # (IEEE 802.1X), then the optional RSN Capabilities, PMKID count and
    # group management cipher fields.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        # No wait_connect=False here (as far as the listing shows), so
        # reaching REMOVE_NETWORK means the association succeeded.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # PMF-required AP: RSN Capabilities 0xcc00 (little-endian 0x00cc) has
    # the MFPC and MFPR bits set; optional group management cipher
    # 00-0F-AC:6 (BIP-CMAC-128) may be present or absent.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # Cipher downgrade attempts: 00-0F-AC:2 is TKIP, which this WPA2 AP
    # presumably does not advertise.  Expected status codes are 41 (invalid
    # group cipher) and 42 (invalid pairwise cipher).
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # NOTE(review): the guard preceding this raise is missing from the
        # listing; as written the raise would be unconditional.
        raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
    # MFP policy violations against the PMF-required AP, both expected to be
    # rejected with status 31 (robust management frame policy violation):
    # RSN Capabilities 0x0000 (no MFP offered), and group management cipher
    # 00-0F-AC:11 (hex 0b) that the AP does not support.
    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        # NOTE(review): the guard preceding this raise is missing from the
        # listing; as written the raise would be unconditional.
        raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS with the server certificate handed to an external checker.

    The profile keeps the internal chain validation (ca_cert is set) and
    additionally enables tls_ext_cert_check=1 in phase1, so wpa_supplicant
    must also wait for a CTRL-RSP-EXT_CERT_CHECK verdict on the control
    interface before it may report EAP-Success.  The network is only added
    here (only_add_network=True); run_ext_cert_check() brings up the AP,
    answers the request and verifies both the ":good" and ":bad" outcomes.
    """
    tls_profile = {
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "identity": "tls user",
        # Internal validation stays on; the external check is added on top.
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **tls_profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS/PAP with server validation delegated to an external checker.

    Deliberately no ca_cert: the internal chain validation is off, so the
    CTRL-RSP-EXT_CERT_CHECK verdict given by run_ext_cert_check() is the only
    thing standing between the supplicant and an impostor server.  With PAP
    as the inner method the password travels in the clear inside the TLS
    tunnel, i.e. it would be disclosed to whichever server the checker
    accepts -- which is why run_ext_cert_check() pins the received chain
    (server and issuer CN) before answering ":good".
    """
    ttls_profile = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "pap user",
        "anonymous_identity": "ttls",
        "password": "password",
        "phase2": "auth=PAP",
        # External check only -- no ca_cert on purpose.
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **ttls_profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP/MSCHAPv2 with the server certificate handed to an external checker.

    Internal chain validation is kept (ca_cert set) and tls_ext_cert_check=1
    is enabled in phase1, so both checks have to pass before the MSCHAPv2
    inner exchange may complete.  The network is only added here;
    run_ext_cert_check() starts the AP, answers the CTRL-REQ-EXT_CERT_CHECK
    request and verifies the ":good" and ":bad" outcomes.
    """
    peap_profile = {
        "key_mgmt": "WPA-EAP",
        "eap": "PEAP",
        "identity": "user",
        "anonymous_identity": "peap",
        # Internal validation stays on; the external check is added on top.
        "ca_cert": "auth_serv/ca.pem",
        "password": "password",
        "phase2": "auth=MSCHAPV2",
        "phase1": "tls_ext_cert_check=1",
        "scan_freq": "2412",
        "only_add_network": True,
    }
    net_id = dev[0].connect("test-wpa2-eap", **peap_profile)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certificate validation.

    Same external-check flow as the EAP-TLS/TTLS/PEAP variants, with the
    internal chain validation kept (ca_cert set).  The PAC blob is emptied
    first, presumably so that this run starts with PAC provisioning instead
    of reusing a PAC left by an earlier test; run_ext_cert_check() empties
    it again before its ":bad" round for the same reason.

    NOTE(review): one argument line of the connect() call (between
    pac_file and only_add_network) is missing from this listing; confirm
    against the upstream file.
    """
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation
    # Empty value: clear any existing PAC under this blob name.
    dev[0].request("SET blob fast_pac_auth_ext ")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        ca_cert="auth_serv/ca.pem",
                        password="password", phase2="auth=GTC",
                        # fast_provisioning=2 -- per wpa_supplicant.conf this
                        # should select authenticated provisioning; verify.
                        phase1="tls_ext_cert_check=1 fast_provisioning=2",
                        pac_file="blob://fast_pac_auth_ext",
                        only_add_network=True)
    run_ext_cert_check(dev, apdev, id)
def run_ext_cert_check(dev, apdev, net_id):
    """Shared driver for the tls_ext_cert_check=1 tests.

    ``net_id`` is a network that was added with only_add_network=True and
    phase1="tls_ext_cert_check=1".  The function brings up the AP, selects
    the network and checks the contract of the external certificate check
    from the control-interface side:

    * CTRL-EVENT-EAP-PEER-CERT events deliver the server chain as
      ``depth=N`` / ``cert=<hex DER>`` tokens before CTRL-REQ-EXT_CERT_CHECK
      arrives;
    * the chain is decoded with pyOpenSSL and the leaf and issuer CNs are
      pinned to the test fixtures ("server.w1.fi", "Root CA") -- a CN-only
      match is fine for identifying fixtures but is not a model for a real
      external checker (no SAN, validity or key-usage checks);
    * no EAP-Success may be reported before the external verdict is given;
    * answering ":good" completes the connection, while ":bad" on a fresh
      attempt must end in CTRL-EVENT-EAP-FAILURE.

    Before the ":bad" round the PMKSA cache and the EAP-FAST PAC blob are
    cleared, so the reconnect cannot short-cut the TLS handshake -- and with
    it the certificate check -- via a cached PMK or PAC.

    NOTE(review): this listing drops a number of lines (the ``certs``
    container and loop header before the first wait_event(), the loop
    header over ``vals``, the guards in front of every bare ``raise`` below,
    the loop exit after the request id is read, and the second argument of
    both load_certificate() calls).  The code is reproduced as listed and is
    not runnable in this form; confirm against the upstream file.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].select_network(net_id)
    # Collect the server chain until the external-check request arrives;
    # EAP-Success at this point would mean the check is not gating anything.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                            "CTRL-REQ-EXT_CERT_CHECK",
                            "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # (guard preceding this raise is missing from the listing)
    raise Exception("No peer server certificate event seen")
    if "CTRL-EVENT-EAP-PEER-CERT" in ev:
        # Parse the space-separated "depth=N" and "cert=<hex>" tokens.  The
        # CN checks further down treat depth 0 as the server certificate
        # and depth 1 as its issuer.
        vals = ev.split(' ')
        # (loop header over ``vals`` is missing from the listing)
        if v.startswith("depth="):
            depth = int(v.split('=')[1])
        elif v.startswith("cert="):
            cert = v.split('=')[1]
        if depth is not None and cert:
            certs[depth] = binascii.unhexlify(cert)
    elif "CTRL-EVENT-EAP-SUCCESS" in ev:
        raise Exception("Unexpected EAP-Success")
    elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
        # The request carries an id that the CTRL-RSP must echo back.
        # (``id`` shadows the builtin; harmless here.)
        id = ev.split(':')[0].split('-')[-1]
    # (membership guards preceding these two raises are missing)
    raise Exception("Server certificate not received")
    raise Exception("Server certificate issuer not received")
    # Decode the DER blobs and pin the CNs to the test fixtures.
    # (the DER argument of both load_certificate() calls is missing)
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)
    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)
    # The supplicant must stay parked until we answer: a short wait that
    # must NOT yield EAP-Success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    # (guard preceding this raise is missing from the listing)
    raise Exception("Unexpected EAP-Success before external check result indication")
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Drop cached state so the reconnect runs a full EAP/TLS exchange and
    # the external check is consulted again rather than bypassed.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    # (guard preceding this raise is missing from the listing)
    raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # A negative verdict must abort authentication, not merely warn.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (guard preceding this raise is missing from the listing)
    raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_eap_tls_errors(dev, apdev):
    """EAP-TLS error cases.

    Each case uses alloc_fail() to make one specific allocation in the peer
    EAP-TLS code fail and checks that wpa_supplicant survives it: the
    connect is started without waiting, wait_fail_trigger() appears to wait
    until the injected failure has actually been hit (GET_ALLOC_FAIL), and
    the network is then removed cleanly.  The server's fragment_size=100
    presumably forces EAP fragmentation so that the first case reaches
    eap_peer_tls_reassemble_fragment at all.

    NOTE(review): this listing drops a few lines of the original function
    (an argument line in two of the connect() calls, two entries and the
    loop header of the ``tests`` list, and the guard in front of the
    CTRL-REQ-PIN raise).  Reproduced as listed; confirm against the
    upstream file before running it.
    """
    params = int_eap_server_params()
    # Small server-side fragments so the peer has to reassemble EAP-TLS data.
    params['fragment_size'] = '100'
    hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], 1,
                    "eap_peer_tls_reassemble_fragment"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
        # NOTE(review): one argument line is missing from this connect()
        # call in the listing; the CTRL-REQ-PIN expectation below suggests
        # it configures a PIN-protected (engine/smartcard) key -- verify.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
        # (guard preceding this raise is missing from the listing)
        raise Exception("No CTRL-REQ-PIN seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # "inner;outer" restricts the injected failure to that call path (same
    # convention as the eap_peer_tls_ssl_init;eap_unauth_tls_init case
    # further down).
    # NOTE(review): two entries of this list and the loop header binding
    # ``func`` are missing from the listing.
    tests = [ "eap_peer_tls_derive_key;eap_tls_success",
              "eap_peer_tls_derive_session_id;eap_tls_success",
              "eap_tls_get_session_id" ]
    with alloc_fail(dev[0], 1, func):
        # NOTE(review): one argument line is missing from this connect()
        # call in the listing as well.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    # UNAUTH-TLS / WFA-UNAUTH-TLS profiles below carry only ca_cert: no
    # client credentials are configured, so only the server side is
    # authenticated in these cases.
    with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
                       identity="unauth-tls", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="WFA-UNAUTH-TLS",
                       identity="osen@example.com", ca_cert="auth_serv/ca.pem",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_status(dev, apdev):
    """EAP state machine status information.

    Starts a PEAP connection with an inner EAP-TLS (phase2 auth=TLS, using
    the *2 credential parameters) without waiting for it, then polls
    STATUS-VERBOSE in a tight loop and records every distinct value seen
    for the EAP state-machine variables wpa_supplicant exposes (EAP state,
    methodState, decision, reqMethod, selectedMethod).  The collected values
    are only logged; the function apparently fails unless SUCCESS was
    observed and then waits for the connection to complete.

    NOTE(review): the listing drops the initialisation of the collection
    lists other than ``selected_methods``, a line after ``state`` is read,
    the loop exit on SUCCESS, the 'decision' branch header and the guard in
    front of the "EAP did not succeed" raise.  Reproduced as listed; confirm
    against the upstream file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # wait_connect=False so polling starts while the exchange is running.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="cert user",
                   ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                   ca_cert2="auth_serv/ca.pem",
                   client_cert2="auth_serv/user.pem",
                   private_key2="auth_serv/user.key",
                   scan_freq="2412", wait_connect=False)
    # (initialisation of states, method_states, decisions and req_methods
    # is missing from the listing)
    selected_methods = []
    # The loop bound only caps the polling; exit is on reaching SUCCESS.
    for i in range(100000):
        s = dev[0].get_status(extra="VERBOSE")
        if 'EAP state' in s:
            state = s['EAP state']
            if state not in states:
                states.append(state)
            if state == "SUCCESS":  # (loop exit missing from the listing)
        if 'methodState' in s:
            val = s['methodState']
            if val not in method_states:
                method_states.append(val)
        # (the 'decision' branch header is missing from the listing)
            if val not in decisions:
                decisions.append(val)
        if 'reqMethod' in s:
            val = s['reqMethod']
            if val not in req_methods:
                req_methods.append(val)
        if 'selectedMethod' in s:
            val = s['selectedMethod']
            if val not in selected_methods:
                selected_methods.append(val)
    logger.info("Iterations: %d" % i)
    logger.info("EAP states: " + str(states))
    logger.info("methodStates: " + str(method_states))
    logger.info("decisions: " + str(decisions))
    logger.info("reqMethods: " + str(req_methods))
    logger.info("selectedMethods: " + str(selected_methods))
    # (guard preceding this raise is missing from the listing)
    raise Exception("EAP did not succeed")
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP.

    wpa_ptk_rekey='2' asks hostapd to rekey the pairwise key shortly after
    the initial 4-way handshake (the value should be a lifetime in seconds
    -- verify against hostapd.conf).  eap_connect() returns once the first
    connection is up, so the "WPA: Key negotiation completed" waited for
    here is the rekey; the connectivity check afterwards verifies that
    traffic still flows with the new PTK installed on both sides.

    NOTE(review): the guard between wait_event() and the raise is missing
    from this listing, and the function may continue past the last line
    shown here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    # Second key negotiation = the AP-triggered PTK rekey.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    # (guard preceding this raise is missing from the listing)
    raise Exception("PTK rekey timed out")
    hwsim_utils.test_connectivity(dev[0], hapd)