1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger. No name is given, so this is the root logger and the
# test messages go wherever the hwsim runner has attached its handlers.
logger = logging.getLogger(name=None)
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# Flag telling tests whether the optional OpenSSL Python module is usable.
# NOTE(review): the lines framing these two assignments are absent from this
# extract; presumably a try/except around an optional import, with the True
# arm in the try body and the False arm in the except handler — confirm
# against the full file.
openssl_imported = True
openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    The EAP-SIM/AKA/AKA' tests below call this first; availability of the
    helper is detected only through the existence of its UNIX socket path.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the test when *dev*'s build does not list EAP *method*.

    Reads the "eap" capability string of the wpa_supplicant instance and
    raises HwsimSkip naming the missing method.

    NOTE(review): the guard line between the two statements below is absent
    from this extract (presumably a membership test of `method` against
    `res`); the raise is its body. Confirm against the full file.
    """
    res = dev.get_capability("eap")
    # [gap: guard line absent from extract]
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless *dev*'s TLS library is OpenSSL (subject_match needs it).

    Raises:
        HwsimSkip: for any other TLS library, naming the library string
            returned by "GET tls_library".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip unless *dev*'s TLS library is OpenSSL (altsubject_match needs it).

    Raises:
        HwsimSkip: for any other TLS library, naming the library string
            returned by "GET tls_library".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip when *dev* uses the internal TLS implementation.

    domain_match is only unsupported with the internal TLS library; every
    other library string passes.

    Raises:
        HwsimSkip: when "GET tls_library" starts with "internal".
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if not is_internal:
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when *dev* uses the internal TLS implementation.

    domain_suffix_match is only unsupported with the internal TLS library;
    every other library string passes.

    Raises:
        HwsimSkip: when "GET tls_library" starts with "internal".
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if not is_internal:
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip unless *dev*'s TLS library is OpenSSL.

    Used by tests that rely on domain_suffix_match doing a genuine suffix
    comparison; other libraries only support a full-name match.

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless *dev*'s TLS library is OpenSSL or the internal one.

    Certificate probing (connecting without a trusted CA to capture the
    server certificate) is supported by exactly those two libraries.

    Raises:
        HwsimSkip: for every other library string.
    """
    lib = dev.request("GET tls_library")
    supported = ("OpenSSL", "internal")
    if lib.startswith(supported):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless *dev*'s TLS library is OpenSSL (ext_cert_check needs it).

    Raises:
        HwsimSkip: for any library string not starting with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Placeholder capability check for the OCSP tests.

    Queries the TLS library name but never raises: the two exclusions that
    used to live here (the internal TLS implementation and BoringSSL, both
    with "OCSP not supported with this TLS library: " + tls) are disabled,
    so the OCSP tests currently run against every TLS library. Keep calling
    it so the skip can be re-enabled in one place.
    """
    dev.request("GET tls_library")
def check_pkcs12_support(dev):
    """Placeholder capability check for the PKCS#12 tests.

    Queries the TLS library name but never raises: the former exclusion of
    the internal TLS implementation ("PKCS#12 not supported with this TLS
    library: " + tls) is disabled, so these tests run everywhere. Kept so
    the skip can be re-enabled in one place.
    """
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip when *dev* uses the internal TLS implementation.

    DH parameter files with DSA keys are only unsupported with the internal
    TLS library; every other library string passes.

    Raises:
        HwsimSkip: when "GET tls_library" starts with "internal".
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if not is_internal:
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the AP *ap* using EAP *method* as *identity*.

    The network is added with key_mgmt "WPA-EAP WPA-EAP-SHA256",
    ieee80211w="1" and scan_freq 2412, without waiting for the connection;
    extra network parameters (password, ca_cert, phase2, ...) come in via
    **kwargs. The EAP exchange is then followed with eap_check_auth(),
    which receives sha256, expect_failure, local_error_report and
    maybe_local_error unchanged, and hostapd is expected to report
    AP-STA-CONNECTED within 5 seconds.

    NOTE(review): several lines of this function are absent from this
    extract and are marked `# [gap]` below: the tail of the dev.connect()
    call (presumably the **kwargs forwarding), whatever follows
    eap_check_auth() before the hostapd wait (presumably the
    expect_failure short-cut), the None guard in front of the raise, and
    the return value. Confirm against the full file.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # `id` shadows the builtin; kept because callers use the returned value.
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
                     # [gap: remainder of this call absent from extract]
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # [gap: lines absent from extract]
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    # [gap: None guard absent from extract; the raise below is its body]
    raise Exception("No connection event received from hostapd")
    # [gap: return statement absent from extract]
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP exchange on *dev* through its control-interface events.

    Waits for CTRL-EVENT-EAP-STARTED and then for method selection; an EAP
    failure at that point is tolerated only with maybe_local_error, and the
    selected method must contain *method*. For an expected failure the
    exchange has to end in CTRL-EVENT-EAP-FAILURE and a disconnection;
    unless local_error_report is set, that disconnection must carry
    reason=23 (IEEE 802.11 "IEEE 802.1X authentication failed"), and with
    maybe_local_error a locally generated disconnect is accepted instead.
    For the success path it waits for CTRL-EVENT-EAP-SUCCESS, then for
    CTRL-EVENT-CONNECTED or "WPA: Key negotiation completed" (the
    re-authentication case), and checks STATUS: wpa_state COMPLETED,
    suppPortStatus Authorized, selectedMethod containing *method*, and
    key_mgmt equal to the value chosen from sha256/rsn.

    NOTE(review): the `if` lines carrying most of this control flow (the
    None guards, the method check, the expect_failure branch, the
    initial/else split, the sha256/rsn/else chain, the early returns and
    the final return) are absent from this extract and are marked
    `# [gap]` below; the summary above follows the visible raise messages
    and should be confirmed against the full file.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # [gap: None guard absent]
    raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # [gap: None guard absent]
    raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            # [gap: body absent, presumably an early return]
        raise Exception("Could not select EAP method")
    # [gap: method-in-event guard absent; the raise below is its body]
    raise Exception("Unexpected EAP method")
    # [gap: expect_failure branch header absent; the block through the
    #  reason-code check below belongs to it]
    # No explicit timeout here, unlike every other wait_event() call in this
    # function — relies on wait_event()'s default.
    ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # [gap: None guard absent]
    raise Exception("EAP failure timed out")
    ev = dev.wait_disconnected(timeout=10)
    if maybe_local_error and "locally_generated=1" in ev:
        # [gap: body absent, presumably an early return]
    if not local_error_report:
        # reason=23 is the 802.11 deauth/disassoc reason for an 802.1X
        # authentication failure; anything else means the AP dropped the STA
        # for a different reason than the one this test provoked.
        if "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
    # [gap: early return of the failure branch absent]
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # [gap: None guard absent]
    raise Exception("EAP success timed out")
    # [gap: `initial` branch header absent]
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    # [gap: else header absent]
    ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
    # [gap: None guard absent]
    raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The supplicant PAE port must be Authorized before data can flow.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # [gap: sha256 / rsn / else chain headers absent around the three
    #  assignments below]
    e = "WPA2-EAP-SHA256"
    e = "WPA2/IEEE 802.1X/EAP"
    e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    # [gap: return statement absent from extract]
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and follow the resulting EAP exchange.

    Delegates to eap_check_auth() with initial=False, forwarding rsn,
    sha256 and expect_failure, and returns whatever it returns.
    """
    dev.request("REAUTHENTICATE")
    expectations = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **expectations)
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive path: dev[0] authenticates with a GSM-Milenage key given as
    two 32-hex-digit halves separated by ':' against the hlr_auc_gw-backed
    server, data connectivity is verified and a re-authentication is run;
    dev[1] and dev[2] then connect with their own identities. The negative
    cases feed a wrong first half, a key that is too short, a non-hex digit
    in either half, a missing ':' separator, and finally no key at all.

    NOTE(review): the tail of several eap_connect() calls is absent from
    this extract and marked `# [gap]` (presumably expect_failure=True for
    the negative cases); confirm against the full file.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                # [gap: remainder of this call absent from extract]

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                # [gap: remainder of this call absent from extract]

    # Too short: only 30 hex digits and no second half.
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
                # [gap: remainder of this call absent from extract]

    # Non-hex character at the end of the first half.
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
                # [gap: remainder of this call absent from extract]

    # Non-hex character at the end of the second half.
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
                # [gap: remainder of this call absent from extract]

    # 'q' in place of the ':' separator.
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
                # [gap: remainder of this call absent from extract]

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                # [gap: remainder of this call absent from extract]
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Same EAP-SIM flow as test_ap_wpa2_eap_sim, but against the server
    instance on auth_server_port 1814 whose EAP-SIM state is kept in the
    sqlite database <logdir>/hostapd.db. Between re-authentications the
    test edits that database directly to drive the server through fast
    re-auth, full auth with a pseudonym (reauth row removed), full auth
    with the permanent identity (pseudonym row removed too), a mismatching
    master key (must fail), a mismatching counter, and the maximum re-auth
    count. The SQL uses only literal identities, so the string building is
    not an injection concern.

    NOTE(review): lines absent from this extract are marked `# [gap]`: the
    try/except around the sqlite3 import, and the connection/cursor setup
    that the visible cur.execute() calls rely on (`cur` is never assigned
    in the visible code). Confirm against the full file.
    """
    check_hlr_auc_gw_support()
    # [gap: sqlite3 import attempt absent; the raise below is its except arm]
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds `params`: the runner's dict (logdir) is unreachable from here on.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    Out-of-range sim_min_num_chal values (1 and 4) must make EAP-SIM
    initialization fail with the "Failed to initialize EAP method" event;
    sim_min_num_chal=2 and an anonymous_identity must both connect.

    NOTE(review): the None guards in front of the two raises are absent
    from this extract and marked `# [gap]`; confirm against the full file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    Wrapper that runs _test_ap_wpa2_eap_sim_ext() and afterwards resets
    external_sim to 0 on dev[0] so later tests are not left in external-SIM
    mode.

    NOTE(review): the statements framing the two calls are absent from this
    extract (presumably try/finally, which would make the reset run even
    when the body raises); confirm against the full file.
    """
    # [gap: framing statement absent]
    _test_ap_wpa2_eap_sim_ext(dev, apdev)
    # [gap: framing statement absent]
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext: EAP-SIM with external GSM auth.

    With external_sim=1 the supplicant asks the control interface for the
    GSM authentication result (CTRL-REQ-SIM-<id>:GSM-AUTH...) instead of
    computing it itself. The first request is answered with a UMTS-AUTH
    response (wrong type; the command is accepted but processing fails),
    the following ones with malformed or incomplete GSM-AUTH responses.
    Every attempt must end in CTRL-EVENT-EAP-FAILURE and is followed by an
    explicit DISCONNECT before the profile is re-selected with
    select_network().

    NOTE(review): lines absent from this extract are marked `# [gap]`: the
    None guards in front of the timeout raises, and the split of the
    CTRL-REQ-SIM event into `p` (indexed below but never assigned in the
    visible code). Confirm against the full file.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent (split of the request event)]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id taken from the "CTRL-REQ-SIM-<id>" prefix; echoed back in
    # every CTRL-RSP-SIM-<id> below.
    rid = p[0].split('-')[3]

    # UMTS-style (RES:IK:CK) answer to a GSM request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Non-hex GSM-AUTH payload.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Too-short first field.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # First field only, second field missing.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Non-hex second field.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Well-formed first pair but nothing after it.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Non-hex trailing field after a well-formed pair.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    For each count 1..12, the alloc_fail() context makes that allocation
    inside milenage_f2345 fail while dev[0] runs EAP-SIM. The method must
    still be selected (CTRL-EVENT-EAP-METHOD within 5 s) and the attempt
    must end in a disconnection; the profile is removed before the next
    iteration.

    NOTE(review): the None guard in front of the raise is absent from this
    extract and marked `# [gap]`; confirm against the full file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (allocation index, function in which that allocation is failed)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # [gap: None guard absent; the raise below is its body]
            raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive path: dev[0] authenticates with a Milenage key given as
    K:OPc:SQN (two 32-hex-digit halves and a 12-hex-digit sequence number)
    against the hlr_auc_gw-backed server, connectivity is verified and a
    re-authentication is run. The negative cases feed a wrong K, a key that
    is too short, a non-hex digit in each of the three fields, a missing
    second separator, both separators missing, and finally no key at all.

    NOTE(review): the tail of several eap_connect() calls is absent from
    this extract and marked `# [gap]` (presumably expect_failure=True).
    Also, unlike test_ap_wpa2_eap_sim, the visible code runs cases (2)-(4)
    without a preceding "REMOVE_NETWORK all", so profiles accumulate on
    dev[0] until case (5) — confirm against the full file whether that is
    intended.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                # [gap: remainder of this call absent from extract]

    # Too short: 30 hex digits, no OPc or SQN.
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
                # [gap: remainder of this call absent from extract]

    # Non-hex character in the K field.
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                # [gap: remainder of this call absent from extract]

    # Non-hex character in the OPc field.
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
                # [gap: remainder of this call absent from extract]

    # Non-hex character in the SQN field.
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
                # [gap: remainder of this call absent from extract]

    # 'q' in place of the second ':' separator.
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
                # [gap: remainder of this call absent from extract]

    # 'q' in place of both separators.
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
                # [gap: remainder of this call absent from extract]

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                # [gap: remainder of this call absent from extract]
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    EAP-AKA counterpart of test_ap_wpa2_eap_sim_sql: connects through the
    server instance on auth_server_port 1814 whose state is in
    <logdir>/hostapd.db, then edits the reauth/pseudonyms tables directly to
    exercise fast re-auth, full auth with pseudonym, full auth with the
    permanent identity, a mismatching master key (must fail), a mismatching
    counter and the maximum re-auth count. The SQL uses only literal
    identities, so the string building is not an injection concern.

    NOTE(review): lines absent from this extract are marked `# [gap]`: the
    try/except around the sqlite3 import and the connection/cursor setup
    that the visible cur.execute() calls rely on (`cur` is never assigned
    in the visible code). Confirm against the full file.
    """
    check_hlr_auc_gw_support()
    # [gap: sqlite3 import attempt absent; the raise below is its except arm]
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds `params`: the runner's dict (logdir) is unreachable from here on.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects dev[0] with EAP-AKA using a K:OPc:SQN key and an
    anonymous_identity, so the outer identity sent in the clear differs
    from the permanent one. NOTE(review): unlike test_ap_wpa2_eap_aka this
    test does not call check_hlr_auc_gw_support() first, although it uses
    the same server-side credentials — confirm whether that is intended.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    aka_opts = dict(
        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
        anonymous_identity="2345678",
    )
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **aka_opts)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    Wrapper that runs _test_ap_wpa2_eap_aka_ext() and afterwards resets
    external_sim to 0 on dev[0] so later tests are not left in external-SIM
    mode.

    NOTE(review): the statements framing the two calls are absent from this
    extract (presumably try/finally, which would make the reset run even
    when the body raises); confirm against the full file.
    """
    # [gap: framing statement absent]
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    # [gap: framing statement absent]
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext: EAP-AKA with external UMTS auth.

    With external_sim=1 the supplicant asks the control interface for the
    UMTS authentication result (CTRL-REQ-SIM-<id>:UMTS-AUTH...). The test
    answers the first request with a GSM-AUTH response (wrong type; the
    command is accepted but processing fails), then with a UMTS-AUTS
    resynchronization value of the expected length (accepted, and followed
    by a fresh UMTS-AUTH request) and one that is too short, and finally
    with a list of malformed UMTS-AUTH responses (wrong separators, a short
    or over-long field, a non-hex digit). Every attempt must end in
    CTRL-EVENT-EAP-FAILURE and a clean disconnect.

    NOTE(review): lines absent from this extract are marked `# [gap]`: the
    None guards in front of the timeout raises, the split of the
    CTRL-REQ-SIM event into `p` (indexed below but never assigned in the
    visible code), and the loop header that binds `t` for the final
    block. Confirm against the full file.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Network connected timed out")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent (split of the request event)]
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id from the "CTRL-REQ-SIM-<id>" prefix, echoed in each reply.
    rid = p[0].split('-')[3]

    # GSM-style answer to a UMTS request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()

    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    # The AUTS reply leads to a new challenge, i.e. another CTRL-REQ-SIM.
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("Wait for external SIM processing request timed out")
    # [gap: `p` assignment absent]
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # [gap: None guard absent; the raise below is its body]
    raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    dev[0].dump_monitor()

    # Malformed UMTS-AUTH responses (RES:IK:CK): the visible list has a
    # well-formed first entry, then '.' in place of a ':', a short IK, '.'
    # before CK, an over-long CK, and a non-hex digit in CK.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              # [gap: one list entry absent from extract]
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    # [gap: loop header binding `t` to each entry of `tests` absent]
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        # [gap: None guard absent; the raise below is its body]
        raise Exception("Wait for external SIM processing request timed out")
        # [gap: `p` assignment absent]
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # [gap: None guard absent; the raise below is its body]
        raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()

        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    dev[0] authenticates with EAP-AKA' using a K:OPc:SQN key, connectivity
    and re-authentication are verified. dev[1] then offers both "AKA' AKA"
    with the "@both" identity and must still connect, exercising the AKA'
    bidding-down protection. The final case uses a wrong K.

    NOTE(review): the tail of the last eap_connect() call is absent from
    this extract and marked `# [gap]` (presumably expect_failure=True);
    confirm against the full file.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                # [gap: remainder of this call absent from extract]
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    EAP-AKA' counterpart of test_ap_wpa2_eap_sim_sql: connects through the
    server instance on auth_server_port 1814 whose state is in
    <logdir>/hostapd.db, then edits the reauth/pseudonyms tables directly
    to exercise fast re-auth, full auth with pseudonym, full auth with the
    permanent identity, a mismatching k_aut (must fail; AKA' keeps k_aut
    rather than the mk used by SIM/AKA), a mismatching counter and the
    maximum re-auth count. The SQL uses only literal identities, so the
    string building is not an injection concern.

    NOTE(review): lines absent from this extract are marked `# [gap]`: the
    try/except around the sqlite3 import and the connection/cursor setup
    that the visible cur.execute() calls rely on (`cur` is never assigned
    in the visible code). Confirm against the full file.
    """
    check_hlr_auc_gw_support()
    # [gap: sqlite3 import attempt absent; the raise below is its except arm]
    raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    # Rebinds `params`: the runner's dict (logdir) is unreachable from here on.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
    # [gap: connection context / cursor setup absent]
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # [gap: connection context / cursor setup absent]
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Brings up a WPA2-EAP AP, checks that its GET_CONFIG key_mgmt starts
    with WPA-EAP, connects dev[0] with EAP-TTLS and phase-2 PAP (server
    validated against auth_serv/ca.pem), verifies data connectivity and a
    re-authentication, and finally confirms through the RSNA MIB that the
    IEEE 802.1X AKM suite (00-0f-ac-1) was both requested and selected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Requires OpenSSL on dev[0] (both match options are OpenSSL-only). The
    server certificate must carry the exact subject
    /C=FI/O=w1.fi/CN=server.w1.fi and the listed subjectAltName entries;
    a re-authentication is run after the initial connection.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(
        anonymous_identity="ttls", password="password",
        ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    dev[0] offers the wrong password for "pap user"; dev[1] offers the
    correct password but for the "user" identity. Both are EAP-TTLS/PAP
    attempts against auth_serv/ca.pem.

    NOTE(review): the tail of both eap_connect() calls is absent from this
    extract and marked `# [gap]` (presumably expect_failure=True, which is
    what the test name implies); confirm against the full file.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                # [gap: remainder of this call absent from extract]
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                # [gap: remainder of this call absent from extract]
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Skipped under FIPS (CHAP is built on MD5). Connects dev[0] with
    EAP-TTLS and phase-2 CHAP, this time validating the server against the
    DER-encoded CA file auth_serv/ca.der, then checks connectivity and a
    re-authentication.
    """
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    Skipped under FIPS (CHAP is built on MD5) and without OpenSSL
    (altsubject_match is OpenSSL-only). Same flow as
    test_ap_wpa2_eap_ttls_chap, with the server certificate additionally
    required to carry the listed subjectAltName entries; the entries are
    given in a different order than in the PAP variant.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_opts = dict(
        anonymous_identity="ttls", password="password",
        ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
        altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi",
    )
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_opts)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Skipped under FIPS (CHAP is built on MD5). dev[0] offers the wrong
    password for "chap user"; dev[1] offers the correct password but for
    the "user" identity. Both are EAP-TTLS/CHAP attempts against
    auth_serv/ca.pem.

    NOTE(review): the tail of both eap_connect() calls is absent from this
    extract and marked `# [gap]` (presumably expect_failure=True, which is
    what the test name implies); confirm against the full file.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                # [gap: remainder of this call absent from extract]
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                # [gap: remainder of this call absent from extract]
870 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
871 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
872 skip_with_fips(dev[0])
873 check_domain_suffix_match(dev[0])
874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
875 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Server certificate must carry a name ending in server.w1.fi in addition to
# chaining to ca.pem.
876 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
877 anonymous_identity="ttls", password="password",
878 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
879 domain_suffix_match="server.w1.fi")
880 hwsim_utils.test_connectivity(dev[0], hapd)
881 eap_reauth(dev[0], "TTLS")
882 dev[0].request("REMOVE_NETWORK all")
# Second connection with a different set of TLS parameters.
883 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
884 anonymous_identity="ttls", password="password",
885 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): original line 886 (the remaining keyword argument(s) and the
# closing parenthesis of this call) is missing from this listing.
888 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
889 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
890 skip_with_fips(dev[0])
891 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
892 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Three negative cases: wrong password, a user that does not have MSCHAP
# credentials, and an unknown user. All must end in EAP failure.
893 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
894 anonymous_identity="ttls", password="wrong",
895 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): original lines 896, 900 and 904 (the end of each eap_connect
# call, presumably `expect_failure=True)`) are missing from this listing.
897 eap_connect(dev[1], apdev[0], "TTLS", "user",
898 anonymous_identity="ttls", password="password",
899 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
901 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
902 anonymous_identity="ttls", password="password",
903 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
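def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The identity contains a literal backslash; "\\m" is the same runtime
    # string as the "\m" the file used before, minus the invalid escape.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side 802.1X counters, reauthenticate, and verify that
    # EAPOL frames received, EAP-Starts seen while authenticated and backend
    # authentication successes all moved.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # password_hex="hash:..." supplies the NT password hash in place of the
    # cleartext password, so a configuration need not store the latter.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")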
937 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
938 """EAP-TTLS with invalid phase2 parameter values"""
939 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
940 hostapd.add_ap(apdev[0]['ifname'], params)
# Each value is malformed in a different way: wrong case for the method name,
# auth= and autheap= combined (either order), and two auth= entries. A typo
# like these must make the method fail to initialize rather than silently
# fall back to some other inner method.
941 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
942 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP" ]
# NOTE(review): original line 943 (the loop header binding `t`, evidently
# `for t in tests:`) is missing from this listing.
944 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
945 identity="DOMAIN\mschapv2 user",
946 anonymous_identity="ttls", password="password",
947 ca_cert="auth_serv/ca.pem", phase2=t,
948 wait_connect=False, scan_freq="2412")
# method=21 is the EAP type number of EAP-TTLS.
949 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
950 if ev is None or "method=21" not in ev:
951 raise Exception("EAP-TTLS not started")
# Either the failure is logged or the station connects; only the former is
# acceptable.
952 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
953 "CTRL-EVENT-CONNECTED"], timeout=5)
954 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
955 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
956 dev[0].request("REMOVE_NETWORK all")
957 dev[0].wait_disconnected()
958 dev[0].dump_monitor()
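def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # This variant relies on full suffix-match semantics (see
    # check_domain_match_full), so it is skipped on TLS libraries without them.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" is the same runtime string as the "\m" used before, minus the
    # invalid escape sequence. The suffix "w1.fi" must match the server
    # certificate's name, which is checked in addition to the chain to ca.pem.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")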
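def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" is the same runtime string as the "\m" used before, minus the
    # invalid escape sequence. domain_match requires the full server name;
    # the mixed-case "Server.w1.fi" exercises case-insensitive comparison.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")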
988 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
989 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
990 skip_with_fips(dev[0])
991 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
992 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Negative case: a near-miss password ("password1") for the MSCHAPv2 user.
993 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
994 anonymous_identity="ttls", password="password1",
995 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# NOTE(review): original line 996 is missing from this listing; the call above
# is unterminated here (presumably `expect_failure=True)` as on line 1000).
# Second negative case: "user" with the right password but, presumably, no
# MSCHAPv2 credentials on the server side -- confirm against the eap_user file.
997 eap_connect(dev[1], apdev[0], "TTLS", "user",
998 anonymous_identity="ttls", password="password",
999 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1000 expect_failure=True)
1002 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1003 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1004 skip_with_fips(dev[0])
1005 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1006 hostapd.add_ap(apdev[0]['ifname'], params)
1007 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Non-ASCII password given as UTF-8 text (this file is utf-8 encoded).
1008 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
1009 anonymous_identity="ttls", password="secret-åäö-€-password",
1010 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# Same idea with the NT hash supplied directly instead of the password.
1011 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
1012 anonymous_identity="ttls",
1013 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1014 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# Malformed password_hex values that must be rejected rather than hashed:
# 0x80 is a lone UTF-8 continuation byte, 0xC0/0xE0 followed by 0x41 are
# invalid lead/continuation combinations, and 257 bytes presumably exceeds
# the maximum password length -- confirm the limit against the implementation.
1015 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1016 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1017 eap="TTLS", identity="utf8-user-hash",
1018 anonymous_identity="ttls", password_hex=p,
1019 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1020 wait_connect=False, scan_freq="2412")
1021 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
# NOTE(review): original line 1022 (evidently the `if ev is None:` guard for
# the raise below) is missing from this listing.
1023 raise Exception("No failure reported")
1024 dev[2].request("REMOVE_NETWORK all")
1025 dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (here GTC) inside the TTLS tunnel,
    # as opposed to the auth= legacy protocols used elsewhere in this file.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong inner password must end in EAP failure, never a connection.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side, so any
    # password offered for it must be rejected -- confirm against the
    # server's user database.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1055 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1056 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
# Uses the internal EAP server so that alloc_fail can inject allocation
# failures into the AP-side EAP-GTC implementation.
1057 params = int_eap_server_params()
1058 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First allocation in eap_gtc_init fails: the server cannot start the inner
# method, so the client must see an EAP failure rather than a connection.
1059 with alloc_fail(hapd, 1, "eap_gtc_init"):
1060 eap_connect(dev[0], apdev[0], "TTLS", "user",
1061 anonymous_identity="ttls", password="password",
1062 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1063 expect_failure=True)
1064 dev[0].request("REMOVE_NETWORK all")
# Second case: failure while building the GTC request.
1066 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1067 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1068 eap="TTLS", identity="user",
1069 anonymous_identity="ttls", password="password",
1070 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1071 wait_connect=False, scan_freq="2412")
1072 # This would eventually time out, but we can stop after having reached
1073 # the allocation failure.
# NOTE(review): original lines 1074-1075 (the wait for the injected failure to
# trigger) and 1077-1078 (the body of the check below) are missing from this
# listing; the check presumably reads the remaining fail count -- confirm
# against alloc_fail's GET_ALLOC_FAIL format.
1076 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is a build-time option; skip when the supplicant lacks it.
    check_eap_capa(dev[0], "MD5")
    ifname = apdev[0]['ifname']
    ap = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the exchange must end in EAP failure.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password configured on the server,
    # so offering one must be rejected -- confirm against the user database.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1110 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1111 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1112 check_eap_capa(dev[0], "MD5")
# Internal EAP server so that alloc_fail can inject failures into the
# AP-side EAP-MD5 code.
1113 params = int_eap_server_params()
1114 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failure while initializing the inner method: the client must
# see an EAP failure rather than a connection.
1115 with alloc_fail(hapd, 1, "eap_md5_init"):
1116 eap_connect(dev[0], apdev[0], "TTLS", "user",
1117 anonymous_identity="ttls", password="password",
1118 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1119 expect_failure=True)
1120 dev[0].request("REMOVE_NETWORK all")
# Allocation failure while building the MD5 challenge request.
1122 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1123 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1124 eap="TTLS", identity="user",
1125 anonymous_identity="ttls", password="password",
1126 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1127 wait_connect=False, scan_freq="2412")
1128 # This would eventually time out, but we can stop after having reached
1129 # the allocation failure.
# NOTE(review): original lines 1130-1131 (the wait for the injected failure
# to trigger) and 1133-1134 (the body of the check below) are missing from
# this listing -- confirm against the original file.
1132 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Shared tunnel settings; EAP-MSCHAPv2 runs as the inner EAP method.
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" presumably has no password on the server side; the
    # offered password must therefore be rejected -- confirm against the
    # user database.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1163 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1164 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1165 check_eap_capa(dev[0], "MSCHAPV2")
# Internal EAP server so that alloc_fail can inject failures into the
# AP-side EAP-MSCHAPv2 code at four different points.
1166 params = int_eap_server_params()
1167 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# 1) Failure while initializing the inner method: must end in EAP failure.
1168 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1169 eap_connect(dev[0], apdev[0], "TTLS", "user",
1170 anonymous_identity="ttls", password="password",
1171 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1172 expect_failure=True)
1173 dev[0].request("REMOVE_NETWORK all")
# 2) Failure while building the server challenge.
1175 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1176 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1177 eap="TTLS", identity="user",
1178 anonymous_identity="ttls", password="password",
1179 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1180 wait_connect=False, scan_freq="2412")
1181 # This would eventually time out, but we can stop after having reached
1182 # the allocation failure.
# NOTE(review): in each of the three blocks below, the lines that wait for the
# injected failure to trigger (e.g. 1183-1184) and the body of the
# GET_ALLOC_FAIL check (e.g. 1186) are missing from this listing -- confirm
# against the original file.
1185 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1187 dev[0].request("REMOVE_NETWORK all")
# 3) Failure while building the success request (after a correct response).
1189 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1190 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1191 eap="TTLS", identity="user",
1192 anonymous_identity="ttls", password="password",
1193 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1194 wait_connect=False, scan_freq="2412")
1195 # This would eventually time out, but we can stop after having reached
1196 # the allocation failure.
1199 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1201 dev[0].request("REMOVE_NETWORK all")
# 4) Failure while building the failure request; a wrong password is used so
#    that the server actually takes that code path.
1203 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1204 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1205 eap="TTLS", identity="user",
1206 anonymous_identity="ttls", password="wrong",
1207 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1208 wait_connect=False, scan_freq="2412")
1209 # This would eventually time out, but we can stop after having reached
1210 # the allocation failure.
1213 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1215 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # For EAP-AKA the "password" carries the simulated USIM secrets
    # (presumably Ki:OPc:SQN, consumed by the test authentication server).
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # Same simulated USIM credentials as the TTLS variant, tunnelled in PEAP.
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    # EAP-FAST needs a PAC; it is provisioned (fast_provisioning=2) and kept
    # in a configuration blob rather than a file.
    fast = dict(phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA", **fast)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    def connect(**extra):
        # All runs use dev[0] with identity "user"; only the credential and
        # the optional extras differ.
        kwargs = dict(common)
        kwargs.update(extra)
        eap_connect(dev[0], apdev[0], "PEAP", "user", **kwargs)

    connect(password="password")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same credentials, but force small EAP fragments through the tunnel.
    dev[0].request("REMOVE_NETWORK all")
    connect(password="password", fragment_size="200")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT password hash supplied instead of the cleartext password.
    connect(password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    connect(password="password1", expect_failure=True)
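def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity in DOMAIN\user form. "\\u" is the same runtime string as the
    # "\u" the file used before; the escaped form is needed because a bare
    # "\u" in a literal is a Unicode escape on Python 3 and is rejected there.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")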
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password: the exchange must end in EAP failure.
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True, **inner)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def peapv0_connect(sta, binding):
        # crypto_binding selects how the PEAPv0 cryptobinding TLV (which ties
        # the inner authentication to the TLS tunnel) is handled: 2 requires
        # it, 1 uses it when offered, 0 disables it.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    peapv0_connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    peapv0_connect(dev[1], "1")
    peapv0_connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Internal EAP server so that alloc_fail can reach the AP-side code.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # With crypto binding required, a failure to derive the inner method's
    # key material on the server must make the authentication fail.
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1331 def test_ap_wpa2_eap_peap_params(dev, apdev):
1332 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1333 check_eap_capa(dev[0], "MSCHAPV2")
1334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1335 hostapd.add_ap(apdev[0]['ifname'], params)
# peaplabel=1 with PEAPv0 is expected to fail -- presumably the server does
# not accept that key derivation label with version 0; confirm against the
# server configuration.
1336 eap_connect(dev[0], apdev[0], "PEAP", "user",
1337 anonymous_identity="peap", password="password",
1338 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1339 phase1="peapver=0 peaplabel=1",
1340 expect_failure=True)
1341 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): original line 1343 is missing from this listing; the connect
# call below has no identity= argument as shown (presumably `identity="user",`).
1342 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1344 anonymous_identity="peap", password="password",
1345 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1346 phase1="peap_outer_success=0",
1347 wait_connect=False, scan_freq="2412")
1348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): original line 1349 (evidently `if ev is None:`) is missing.
1350 raise Exception("No EAP success seen")
1351 # This won't succeed to connect with peap_outer_success=0, so stop here.
1352 dev[0].request("REMOVE_NETWORK all")
1353 dev[0].wait_disconnected()
# The other two peap_outer_success modes do complete a connection.
1354 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1355 ca_cert="auth_serv/ca.pem",
1356 phase1="peap_outer_success=1",
1357 phase2="auth=MSCHAPV2")
1358 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1359 ca_cert="auth_serv/ca.pem",
1360 phase1="peap_outer_success=2",
1361 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP success is reported but the connection must
# not complete within the short timeout.
# NOTE(review): original lines 1363 (presumably `identity="user",`), 1369 and
# 1372 (the `if ev is None:` / `if ev is not None:` guards) are missing.
1362 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1364 anonymous_identity="peap", password="password",
1365 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1366 phase1="peapver=1 peaplabel=1",
1367 wait_connect=False, scan_freq="2412")
1368 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1370 raise Exception("No EAP success seen")
1371 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1373 raise Exception("Unexpected connection")
# Version negotiation: the anonymous identity selects the server's PEAP
# version (peap-ver0 / peap-ver1); these combinations are expected to
# connect.
# NOTE(review): original lines 1376 (one more tuple in this list) and 1384
# (the end of the connect call) are missing from this listing.
1375 tests = [ ("peap-ver0", ""),
1377 ("peap-ver0", "peapver=0"),
1378 ("peap-ver1", "peapver=1") ]
1379 for anon,phase1 in tests:
1380 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1381 identity="user", anonymous_identity=anon,
1382 password="password", phase1=phase1,
1383 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1385 dev[0].request("REMOVE_NETWORK all")
1386 dev[0].wait_disconnected()
# A forced client version that disagrees with the server's must end in
# EAP-Failure rather than a silent downgrade/upgrade.
1388 tests = [ ("peap-ver0", "peapver=1"),
1389 ("peap-ver1", "peapver=0") ]
1390 for anon,phase1 in tests:
1391 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1392 identity="user", anonymous_identity=anon,
1393 password="password", phase1=phase1,
1394 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1395 wait_connect=False, scan_freq="2412")
1396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
# NOTE(review): original line 1397 (evidently `if ev is None:`) is missing.
1398 raise Exception("No EAP-Failure seen")
1399 dev[0].request("REMOVE_NETWORK all")
1400 dev[0].wait_disconnected()
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters belong to the inner (phase 2) EAP-TLS run: its own
    # trust root plus the client certificate and key.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication: trust root, client cert, key.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same client certificate as test_ap_wpa2_eap_tls, but the key is an
    # encrypted PKCS #8 file that needs the passphrase to unlock.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Older PKCS #5 v1.5 password-based encryption of the PKCS #8 key.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
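def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        # Blobs are handed over the control interface hex-encoded (Python 2
        # str "hex" codec) and later referenced as blob://<name>. The error
        # message names the blob that failed; the original reported "cacert"
        # for the userkey blob as well.
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")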
1457 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1458 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1459 check_pkcs12_support(dev[0])
1460 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1461 hostapd.add_ap(apdev[0]['ifname'], params)
# Client certificate and key come from one PKCS#12 container; no separate
# client_cert is given.
1462 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1463 private_key="auth_serv/user.pkcs12",
1464 private_key_passwd="whatever")
1465 dev[0].request("REMOVE_NETWORK all")
1466 dev[0].wait_disconnected()
# Same container without the passphrase in the configuration: the supplicant
# has to ask for it over the control interface.
1468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1469 identity="tls user",
1470 ca_cert="auth_serv/ca.pem",
1471 private_key="auth_serv/user.pkcs12",
1472 wait_connect=False, scan_freq="2412")
1473 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
# NOTE(review): original line 1474 (evidently `if ev is None:`) is missing
# from this listing.
1475 raise Exception("Request for private key passphrase timed out")
# Pull the network id out of the request and answer it. (`id` shadows the
# builtin; harmless here but worth renaming.)
1476 id = ev.split(':')[0].split('-')[-1]
1477 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1478 dev[0].wait_connected(timeout=10)
1479 dev[0].request("REMOVE_NETWORK all")
1480 dev[0].wait_disconnected()
1482 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1483 # different files to cover both cases of the extra certificate being the
1484 # one that signed the client certificate and it being unrelated to the
1485 # client certificate.
1486 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
# NOTE(review): original lines 1487 and 1490 are missing from this listing;
# the loop body as shown never uses `pkcs12`, so 1490 is presumably
# `private_key=pkcs12,` -- confirm against the original file.
1488 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1489 ca_cert="auth_serv/ca.pem",
1491 private_key_passwd="whatever")
1492 dev[0].request("REMOVE_NETWORK all")
1493 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blobs travel hex-encoded over the control interface (Python 2 str
        # "hex" codec) and are referenced as blob://<name> below.
        res = dev[0].request("SET blob " + name + " " + data.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 container is binary, so it is read raw rather than via read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1510 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1511 """WPA2-Enterprise negative test - incorrect trust root"""
1512 check_eap_capa(dev[0], "MSCHAPV2")
1513 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1514 hostapd.add_ap(apdev[0]['ifname'], params)
# Both stations trust a CA that did not issue the server certificate: dev[0]
# via a blob, dev[1] via a file. Neither may complete authentication.
1515 cert = read_pem("auth_serv/ca-incorrect.pem")
1516 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1517 raise Exception("Could not set cacert blob")
1518 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1519 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1520 password="password", phase2="auth=MSCHAPV2",
1521 ca_cert="blob://cacert",
1522 wait_connect=False, scan_freq="2412")
1523 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1524 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1525 password="password", phase2="auth=MSCHAPV2",
1526 ca_cert="auth_serv/ca-incorrect.pem",
1527 wait_connect=False, scan_freq="2412")
# The loop variable rebinds the `dev` parameter (the tuple is built before
# the rebinding, so it works, but the list is unavailable afterwards).
# NOTE(review): the `if ev is None:` guards preceding each raise below
# (original lines 1531, 1533, 1535, 1545, 1554, 1561, 1567) are missing from
# this listing.
1529 for dev in (dev[0], dev[1]):
1530 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1532 raise Exception("Association and EAP start timed out")
1534 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1536 raise Exception("EAP method selection timed out")
1537 if "TTLS" not in ev:
1538 raise Exception("Unexpected EAP method")
# Expected sequence: certificate error first, then EAP failure, then
# disconnection; success or connection at any of these points is a bug.
1540 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1541 "CTRL-EVENT-EAP-SUCCESS",
1542 "CTRL-EVENT-EAP-FAILURE",
1543 "CTRL-EVENT-CONNECTED",
1544 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1546 raise Exception("EAP result timed out")
1547 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1548 raise Exception("TLS certificate error not reported")
1550 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1551 "CTRL-EVENT-EAP-FAILURE",
1552 "CTRL-EVENT-CONNECTED",
1553 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1555 raise Exception("EAP result(2) timed out")
1556 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1557 raise Exception("EAP failure not reported")
1559 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1560 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1562 raise Exception("EAP result(3) timed out")
1563 if "CTRL-EVENT-DISCONNECTED" not in ev:
1564 raise Exception("Disconnection not reported")
# After the failure the network block is temporarily disabled, so the
# station does not keep retrying against an unverifiable server.
1566 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1568 raise Exception("Network block disabling not reported")
1570 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1571 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1572 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1573 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First network block: correct trust root, connection completes.
1574 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1575 identity="pap user", anonymous_identity="ttls",
1576 password="password", phase2="auth=PAP",
1577 ca_cert="auth_serv/ca.pem",
1578 wait_connect=True, scan_freq="2412")
# Second block for the same SSID and user, but trusting the wrong CA; added
# only, not yet selected.
1579 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1580 identity="pap user", anonymous_identity="ttls",
1581 password="password", phase2="auth=PAP",
1582 ca_cert="auth_serv/ca-incorrect.pem",
1583 only_add_network=True, scan_freq="2412")
1585 dev[0].request("DISCONNECT")
1586 dev[0].wait_disconnected()
1587 dev[0].dump_monitor()
1588 dev[0].select_network(id, freq="2412")
# Switching trust roots must not reuse the earlier, already-validated TLS
# state: EAP-TTLS (method=21) has to start over and then fail.
1590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): original line 1591 (evidently `if ev is None:`) is missing
# from this listing.
1592 raise Exception("EAP-TTLS not re-started")
# reason=23 is the IEEE 802.11 reason code for 802.1X authentication failure.
1594 ev = dev[0].wait_disconnected(timeout=15)
1595 if "reason=23" not in ev:
1596 raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Variant of test_ap_wpa2_eap_tls_diff_ca_trust: the first network block
    # has no ca_cert at all (the server certificate is not validated), the
    # second names auth_serv/ca-incorrect.pem. Selecting the second block must
    # still trigger a new EAP-TTLS run that fails on the certificate; an
    # earlier unvalidated connection must not be treated as trust.
    #
    # NOTE(review): the guard preceding the "EAP-TTLS not re-started" raise
    # (presumably "if ev is None:") is absent from this listing; the raise is
    # shown indented as belonging under it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)  # hapd is not used further
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")
    # method=21 is the EAP type of EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # (guard absent from listing)
        raise Exception("EAP-TTLS not re-started")
    ev = dev[0].wait_disconnected(timeout=15)
    # reason=23: IEEE 802.1X authentication failed.
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Same check as the two preceding tests but with a single network block:
    # after a successful connection with auth_serv/ca.pem, ca_cert is changed
    # in place to auth_serv/ca-incorrect.pem and the block is re-selected.
    # The edited trust anchor must be honoured on the new EAP-TTLS run.
    #
    # NOTE(review): the guard preceding the "EAP-TTLS not re-started" raise
    # (presumably "if ev is None:") is absent from this listing; the raise is
    # shown indented as belonging under it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)  # hapd is not used further
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")
    # method=21 is the EAP type of EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    # (guard absent from listing)
        raise Exception("EAP-TTLS not re-started")
    ev = dev[0].wait_disconnected(timeout=15)
    # reason=23: IEEE 802.1X authentication failed.
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    # The server certificate chains to the trusted CA, so the only thing that
    # may make this connection fail is domain_suffix_match naming a suffix the
    # certificate does not carry. Expected sequence: EAP starts, TTLS is
    # selected, a TLS certificate error citing the domain suffix mismatch is
    # reported, EAP fails, the station is disconnected and the network block
    # is temporarily disabled.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the "if ev is None:" timeout guard that precedes each
    # "... timed out" / "... not reported" raise below is absent, and each
    # such raise is shown indented as belonging under it.
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a recognised escape, so the backslash is kept literally; a
    # raw string would make that explicit and avoid the SyntaxWarning newer
    # Python 3 releases emit for it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    # Any of these events ends the wait; only the certificate error is
    # acceptable here, and it must name the suffix mismatch as the reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")
    # The certificate error must be followed by an EAP failure, not success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    # The supplicant is expected to stop retrying a block whose server
    # certificate it has rejected.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    # Same flow as test_ap_wpa2_eap_tls_neg_suffix_match, but with
    # domain_match, which requires an exact match rather than a suffix match.
    # The configured value "w1.fi" is one the server certificate does not
    # satisfy exactly, so the (otherwise trusted) certificate must be
    # rejected with a "Domain mismatch" error and the connection must fail.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the "if ev is None:" timeout guard that precedes each
    # "... timed out" / "... not reported" raise below is absent, and each
    # such raise is shown indented as belonging under it.
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    # Only the certificate error is acceptable here, and it must cite the
    # domain mismatch.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match names a subject (CN=example.com) the server certificate
    # does not have, so the otherwise-trusted certificate must be rejected.
    # There is no capability check up front (compare the domain-match tests);
    # instead, a failure to initialise the EAP method is tolerated on
    # non-OpenSSL builds, where subject_match is not supported.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the "if ev is None:" guard preceding each timeout raise is
    # absent (each such raise is shown indented as belonging under it), as is
    # the statement that ends the test after the "not supported" log message
    # (presumably a return).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    # Either the method is selected or its initialisation fails outright.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        # With OpenSSL, subject_match is supported, so this failure is a bug.
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # (statement ending the test absent from listing)
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    # Only the certificate error is acceptable here, and it must cite the
    # subject mismatch.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Driver for _test_ap_wpa2_eap_tls_neg_altsubject_match: one AP, then the
    # helper is run once per altsubject_match value that the server
    # certificate's subjectAltName must not satisfy.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the tests list shows only its first two entries and the loop
    # header that binds `match` before the helper call is absent.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
              # (further entries and the closing bracket absent from listing)
    # (loop header over `tests` absent from listing)
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One altsubject_match negative case: with a trusted CA the connection
    # must still fail because `match` is not present in the server
    # certificate's subjectAltName. Flow mirrors the subject-match test,
    # including the tolerance for non-OpenSSL builds that cannot initialise
    # the method with altsubject_match set. The network block is removed at
    # the end so the helper can be called repeatedly on the same station.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the "if ev is None:" guard preceding each timeout raise is
    # absent (each such raise is shown indented as belonging under it), as is
    # the statement that ends the helper after the "not supported" log
    # message (presumably a return).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        # With OpenSSL, altsubject_match is supported, so this is a bug.
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # (statement ending the helper absent from listing)
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    # Only the certificate error is acceptable here, and it must cite the
    # altSubjectName mismatch.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Network block disabling not reported")
    # Clean up so the next `match` value starts from an empty configuration.
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # UNAUTH-TLS: TLS with server certificate validation against
    # auth_serv/ca.pem only, no client credential; connect once, then
    # re-authenticate on the same association.
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Three phases:
    #  (1) ca_cert="probe://" makes the supplicant report the server
    #      certificate (depth=0) with its hash and then abort the handshake
    #      with a "Server certificate chain probe" error;
    #  (2) a hash://server/sha256/ pin with a different value must be
    #      rejected as a server certificate mismatch;
    #  (3) a pin equal to the probed hash must let the connection complete.
    # Pinning replaces CA-based validation, so phase (2) is what shows the
    # pin is actually enforced rather than merely parsed.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the "if ev is None:" guard preceding each timeout raise is
    # absent and each such raise is shown indented as belonging under it.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the auth_serv test server certificate: expected
    # in the probe event and accepted as the pin in phase (3).
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    # A probe must never result in a usable connection.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    # Phase (2): a well-formed sha256 pin that does not match the server.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    # Phase (3): the pin built from the probed hash must connect.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Three malformed server-certificate pins, one per station: an md5 digest
    # name (not an accepted digest here), a sha256 value two hex digits
    # short, and a sha256 value containing a non-hex character ('Q'). Each
    # must make EAP-TTLS (vendor 0, method 21) fail to initialise; a pin that
    # cannot be parsed must not be silently ignored, since that would leave
    # the server unverified.
    #
    # NOTE(review): the "if ev is None:" guard preceding each raise in the
    # loop is absent from this listing; each raise is shown indented as
    # belonging under it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a recognised escape, so the backslash is kept literally; a
    # raw string would make that explicit.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # (timeout guard absent from listing)
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        # (timeout guard absent from listing)
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # Basic EAP-pwd coverage: connect and re-authenticate with "pwd user";
    # connect with a very long identity (exercising identity handling beyond
    # the usual size); reject an incorrect password; and repeat the long
    # identity case on dev[0].
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the final argument line of each long-identity eap_connect
    # call (after password=...) is absent, so the full set of keyword
    # arguments used there cannot be read from this listing.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # (remaining argument line absent from listing)
    # local_error_report=True: the failure is expected to be detected on the
    # station side rather than reported by the server.
    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # (remaining argument line absent from listing)
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # The "pwd-hash" user is accepted both with the plaintext password and
    # with a pre-hashed credential (password_hex="hash:..."); the same
    # pre-hashed credential must be rejected for "pwd user", whose server-side
    # credential is not that hash. local_error_report=True: the failure is
    # expected to be detected on the station side.
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                local_error_report=True, expect_failure=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # One AP per EAP-pwd group: the group numbers appear to be IANA IKEv2 DH
    # group identifiers (19-21 the NIST P-256/P-384/P-521 curves, 25-26 the
    # 192/224-bit random ECP groups; the file's own comment identifies 27-30
    # as Brainpool, added only when both build and runtime OpenSSL report
    # 1.0.2). Each group must allow a connection, except that a failure with
    # group 25 is tolerated on BoringSSL.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing. Absent are: the loop header over `groups` that binds `i`; the
    # try/except pair that wraps the connection attempt (the BoringSSL branch
    # reads as the except handler); the statement between the DISCONNECT and
    # REMOVE_NETWORK requests in that branch; and the statements that close
    # the handler (presumably a continue and a re-raise). Indentation below
    # is reconstructed on that assumption.
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # (loop header over `groups` absent from listing)
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        # (try: absent from listing)
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        # (except clause absent from listing)
            # Only this one combination is allowed to fail; anything else
            # propagates as a test failure.
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                # (statement absent from listing)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                # (remaining handler statements absent from listing)
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # The AP is configured with pwd_group "0", which is not a valid EAP-pwd
    # group; the station must observe an EAP failure, not a connection.
    #
    # NOTE(review): the guard preceding the raise (presumably "if ev is
    # None:") is absent from this listing; the raise is shown indented as
    # belonging under it. wait_event is called without a timeout here, so
    # the wait length is whatever its default is.
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # (timeout guard absent from listing)
        raise Exception("Timeout on EAP failure report")
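def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # The AP's fragment_size of 40 forces the EAP server to fragment its
    # EAP-pwd messages (group 19); the station must still connect.
    check_eap_capa(dev[0], "PWD")
    # The original first built hostapd.wpa2_eap_params(...) and immediately
    # overwrote it with the explicit dict below; the dead assignment is
    # dropped so the configuration actually used is the only one shown.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")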
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # EAP-GPSK with a 32-character PSK: connect, re-authenticate, then force
    # each of the two cipher suites via phase1 ("cipher=1", "cipher=2") and
    # expect a fresh EAP success and connection for each. An unknown
    # "cipher=9" must end in EAP failure, and a PSK with its first byte
    # changed must be rejected.
    #
    # NOTE(review): the "if ev is None:" guard preceding each timeout raise
    # is absent from this listing; each raise is shown indented as belonging
    # under it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")
    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        # Changing phase1 on the live block is expected to trigger a new EAP
        # exchange using the forced cipher.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (timeout guard absent from listing)
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)
    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP failure timed out")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    # EAP-SAKE with a 32-byte hex key: connect and re-authenticate, then
    # confirm that a key differing in its first byte is rejected.
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user", expect_failure=True,
                password_hex=bad_key)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # EAP-EKE with password "hello": connect, re-authenticate, then force
    # several DH-group/encryption/PRF/MAC combinations via phase1 and expect
    # a fresh EAP success and connection for each. A phase1 naming only
    # unsupported values (dhgroup=9 encr=9 prf=9 mac=9) must end in EAP
    # failure, and a wrong password ("hello1") must be rejected.
    #
    # NOTE(review): the "if ev is None:" guard preceding each timeout raise
    # is absent from this listing; each raise is shown indented as belonging
    # under it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")
    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        # Changing phase1 on the live block is expected to trigger a new EAP
        # exchange with the forced parameters.
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # (timeout guard absent from listing)
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)
    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # (timeout guard absent from listing)
        raise Exception("EAP failure timed out")
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The internal EAP server advertises an NAI-form server_id; the EKE
    # exchange must still complete with password "hello".
    ap = apdev[0]
    params = int_eap_server_params()
    params.update(server_id='example.server@w1.fi')
    hostapd.add_ap(ap['ifname'], params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Allocation-failure injection on the hostapd (server) side. Three
    # sweeps: (1) named EKE server functions where the failure must surface
    # as a failed connection; (2) functions where the station only starts a
    # connection and the test waits until the AP reports the injected failure
    # as consumed (GET_ALLOC_FAIL starting with '0'); (3) every allocation in
    # eap_server_sm_step, one count at a time, until alloc_fail reports that
    # no failure was triggered, which marks the end of the sweep.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing. Absent are: the polling loop header and its delay before each
    # GET_ALLOC_FAIL check, the statement that leaves that loop once the
    # failure is consumed, the "try:" that pairs with the except clause in
    # sweep (3), the condition guarding the "Too few allocation failures"
    # raise, and the statements closing the handler. Indentation below is
    # reconstructed on that assumption.
    #
    # NOTE(review): "except Exception, e:" is Python 2 syntax; Python 3
    # requires "except Exception as e:". Also, recognising the end of the
    # sweep by comparing the exception's message text is fragile: a reworded
    # message in alloc_fail would silently change this test's outcome.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Sweep (1): the count selects which allocation inside func fails.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")
    # Sweep (2): "wrong" is used for eap_eke_build_failure so that the
    # server actually reaches its failure-building path.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # (polling loop header and delay absent from listing)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    # (loop exit absent from listing)
            dev[0].request("REMOVE_NETWORK all")
    # Sweep (3): `pw` still holds the last value from the loop above.
    for count in range(1, 1000):
        # (try: absent from listing)
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                # (polling loop header and delay absent from listing)
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        # (loop exit absent from listing)
                dev[0].request("REMOVE_NETWORK all")
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # (condition on `count` absent from listing)
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                # (remaining handler statements absent from listing)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # EAP-IKEv2: connect and re-authenticate, connect again with
    # station-side fragmentation (fragment_size 50), then confirm a wrong
    # password is rejected.
    sta = dev[0]
    ap = apdev[0]
    check_eap_capa(sta, "IKEV2")
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "ikev2 user"
    eap_connect(sta, ap, "IKEV2", user, password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", user, fragment_size="50",
                password="ike password")
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", user, expect_failure=True,
                password="ike-password")
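def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # The AP's fragment_size of 50 forces the EAP server to fragment its
    # EAP-IKEv2 messages; connection and re-authentication must still work.
    check_eap_capa(dev[0], "IKEV2")
    # The original first built hostapd.wpa2_eap_params(...) and immediately
    # overwrote it with the explicit dict below; the dead assignment is
    # dropped so the configuration actually used is the only one shown.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")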
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # Station-side fault injection: allocation failures in the DH helpers
    # (alloc_fail / GET_ALLOC_FAIL) and a forced failure of the random-number
    # source inside dh_init (fail_test / GET_FAIL). In both cases the method
    # must at least be selected, the injected failure must be consumed ("0:"
    # prefix in the status), and the network is removed afterwards. The key
    # material produced under a failed RNG call must never be used, which is
    # what the fail_test case exercises.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing. Absent are: one entry of the first tests list, the "if ev is
    # None:" guard before each "EAP method not selected" raise, the polling
    # loop header around each status check, and the loop-exit / delay
    # statements inside it. Indentation below is reconstructed on that
    # assumption.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "dh_init"),
              # (one entry absent from listing)
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (timeout guard absent from listing)
                raise Exception("EAP method not selected")
            # (polling loop header absent from listing)
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    # (loop exit absent from listing)
                # (delay absent from listing)
            dev[0].request("REMOVE_NETWORK all")
    # "os_get_random;dh_init": fail os_get_random only when called from
    # dh_init.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (timeout guard absent from listing)
                raise Exception("EAP method not selected")
            # (polling loop header absent from listing)
                if "0:" in dev[0].request("GET_FAIL"):
                    # (loop exit and delay absent from listing)
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    # EAP-PAX with a 16-byte hex key: connect and re-authenticate, then
    # confirm that a key differing in its first byte is rejected.
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    user = "pax.user@example.com"
    eap_connect(sta, ap, "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", user, expect_failure=True,
                password_hex="ff23456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # EAP-PSK under the SHA256-based AKM with ieee80211w=2 (management frame
    # protection required). After connecting, the MIB must show the selector
    # 00-0f-ac-5 for both requested and selected suite, and the BSS table
    # entry must advertise [WPA2-EAP-SHA256-CCMP]. Finally a key differing in
    # its first byte must be rejected.
    sta = dev[0]
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(ap['ifname'], params)
    user = "psk.user@example.com"
    eap_connect(sta, ap, "PSK", user, sha256=True,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PSK", sha256=True)
    suite = "00-0f-ac-5"
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", suite),
                    ("dot11RSNAAuthenticationSuiteSelected", suite)])
    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", user, sha256=True, expect_failure=True,
                password_hex="ff23456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Station-side allocation failures inside the AES-EAX / OMAC1 primitives
    # used by EAP-PSK ("inner;outer" names restrict the failure to calls made
    # from the named outer function; a leading "=" pins it to that function
    # itself). For each case the method must be selected and the injected
    # failure consumed ("0:" prefix in GET_ALLOC_FAIL). A final case fails
    # the AES block encryption itself, which must be reported as an EAP
    # failure rather than as a connection.
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing. Absent are: the "if ev is None:" guard before each raise, the
    # polling loop header around the GET_ALLOC_FAIL check, and the loop-exit
    # and delay statements inside it. Indentation below is reconstructed on
    # that assumption.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (timeout guard absent from listing)
                raise Exception("EAP method not selected")
            # (polling loop header absent from listing)
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    # (loop exit and delay absent from listing)
            dev[0].request("REMOVE_NETWORK all")
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # (timeout guard absent from listing)
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (not WPA2) with PEAP/MSCHAPv2, so the MIB must report the WPA
    # vendor-OUI AKM selector 00-50-f2-1 and eap_check_auth/eap_reauth are
    # called with rsn=False. STATUS-VERBOSE must expose portControl=Auto and
    # an eap_session_id whose first byte is 0x19 (hex "19").
    #
    # NOTE(review): repeated lines appear to have been dropped from this
    # listing; the final argument line of the connect() call (after
    # wait_connect=False) is absent, so the call is shown unclosed.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   # (remaining argument line absent from listing)
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2375 def test_ap_wpa2_eap_interactive(dev, apdev):
2376 """WPA2-Enterprise connection using interactive identity/password entry"""
2377 check_eap_capa(dev[0], "MSCHAPV2")
2378 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2379 hostapd.add_ap(apdev[0]['ifname'], params)
2380 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2382 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2383 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2385 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2386 "TTLS", "ttls", None, "auth=MSCHAPV2",
2387 "DOMAIN\mschapv2 user", "password"),
2388 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2389 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2390 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2391 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2392 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2393 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2394 ("Connection with dynamic PEAP/EAP-GTC password entry",
2395 "PEAP", None, "user", "auth=GTC", None, "password") ]
2396 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2398 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2399 anonymous_identity=anon, identity=identity,
2400 ca_cert="auth_serv/ca.pem", phase2=phase2,
2401 wait_connect=False, scan_freq="2412")
2403 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2405 raise Exception("Request for identity timed out")
2406 id = ev.split(':')[0].split('-')[-1]
2407 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2408 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2410 raise Exception("Request for password timed out")
2411 id = ev.split(':')[0].split('-')[-1]
2412 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2413 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2414 dev[0].wait_connected(timeout=10)
2415 dev[0].request("REMOVE_NETWORK all")
2417 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2418 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2419 check_eap_capa(dev[0], "MSCHAPV2")
2420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2421 hostapd.add_ap(apdev[0]['ifname'], params)
2422 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2424 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2425 only_add_network=True)
2427 req_id = "DOMAIN\mschapv2 user"
2428 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2429 anonymous_identity="ttls", identity=None,
2430 password="password",
2431 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2432 wait_connect=False, scan_freq="2412")
2433 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2435 raise Exception("Request for identity timed out")
2436 id = ev.split(':')[0].split('-')[-1]
2437 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2438 dev[0].wait_connected(timeout=10)
2440 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2441 raise Exception("Failed to enable network")
2442 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2444 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2445 dev[0].request("REMOVE_NETWORK all")
2447 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2448 """WPA2-Enterprise connection using EAP vendor test"""
2449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2450 hostapd.add_ap(apdev[0]['ifname'], params)
2451 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2452 eap_reauth(dev[0], "VENDOR-TEST")
2453 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # fast_provisioning=1 is the unauthenticated provisioning mode (compare
    # fast_provisioning=2 in the *_auth_prov tests); the resulting PAC is
    # kept under a blob:// reference rather than in a file on disk.
    sta_conf = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_conf)
    hwsim_utils.test_connectivity(dev[0], ap)
    # The second authentication has to resume from the provisioned PAC;
    # a full TLS handshake here means the PAC was not usable.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2470 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2471 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2472 check_eap_capa(dev[0], "FAST")
2473 pac_file = os.path.join(params['logdir'], "fast.pac")
2474 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2475 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2476 hostapd.add_ap(apdev[0]['ifname'], params)
2479 eap_connect(dev[0], apdev[0], "FAST", "user",
2480 anonymous_identity="FAST", password="password",
2481 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2482 phase1="fast_provisioning=1", pac_file=pac_file)
2483 with open(pac_file, "r") as f:
2485 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2486 raise Exception("PAC file header missing")
2487 if "PAC-Key=" not in data:
2488 raise Exception("PAC-Key missing from PAC file")
2489 dev[0].request("REMOVE_NETWORK all")
2490 eap_connect(dev[0], apdev[0], "FAST", "user",
2491 anonymous_identity="FAST", password="password",
2492 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2495 eap_connect(dev[1], apdev[0], "FAST", "user",
2496 anonymous_identity="FAST", password="password",
2497 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2498 phase1="fast_provisioning=1 fast_pac_format=binary",
2500 dev[1].request("REMOVE_NETWORK all")
2501 eap_connect(dev[1], apdev[0], "FAST", "user",
2502 anonymous_identity="FAST", password="password",
2503 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2504 phase1="fast_pac_format=binary",
2512 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Unauthenticated provisioning (fast_provisioning=1) with the PAC list
    # capped at a single entry and the PAC stored in the binary format.
    phase1_opts = " ".join(["fast_provisioning=1",
                            "fast_max_pac_list_len=1",
                            "fast_pac_format=binary"])
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts, pac_file="blob://fast_pac_bin")
    # Re-authentication must resume via the PAC; a full handshake here
    # means the binary-format PAC could not be used.
    if eap_reauth(dev[0], "FAST")['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2530 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2531 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2532 check_eap_capa(dev[0], "FAST")
2533 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2534 hostapd.add_ap(apdev[0]['ifname'], params)
2536 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2537 identity="user", anonymous_identity="FAST",
2538 password="password",
2539 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2540 pac_file="blob://fast_pac_not_in_use",
2541 wait_connect=False, scan_freq="2412")
2542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2544 raise Exception("Timeout on EAP failure report")
2545 dev[0].request("REMOVE_NETWORK all")
2547 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2548 identity="user", anonymous_identity="FAST",
2549 password="password",
2550 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2551 wait_connect=False, scan_freq="2412")
2552 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2554 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_conf = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_conf)
    # fast_provisioning=2 selects authenticated provisioning (the
    # *_unauth_prov tests use fast_provisioning=1); GTC is the inner method
    # and the PAC is kept under its own blob:// reference.
    sta_conf = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(dev[0], apdev[0], "FAST", "user", **sta_conf)
    hwsim_utils.test_connectivity(dev[0], ap)
    # The reconnect must be a PAC-based resumption, not a full handshake.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2570 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2571 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2572 check_eap_capa(dev[0], "FAST")
2573 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2574 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2575 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2576 anonymous_identity="FAST", password="password",
2577 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2578 phase1="fast_provisioning=2",
2579 pac_file="blob://fast_pac_auth")
2580 dev[0].set_network_quoted(id, "identity", "user2")
2581 dev[0].wait_disconnected()
2582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2584 raise Exception("EAP-FAST not started")
2585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2587 raise Exception("EAP failure not reported")
2588 dev[0].wait_disconnected()
2590 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2591 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2592 check_eap_capa(dev[0], "FAST")
2593 tls = dev[0].request("GET tls_library")
2594 if tls.startswith("OpenSSL"):
2595 func = "openssl_tls_prf"
2597 elif tls.startswith("internal"):
2598 func = "tls_connection_prf"
2601 raise HwsimSkip("Unsupported TLS library")
2602 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2603 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2604 with alloc_fail(dev[0], count, func):
2605 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2606 identity="user", anonymous_identity="FAST",
2607 password="password", ca_cert="auth_serv/ca.pem",
2609 phase1="fast_provisioning=2",
2610 pac_file="blob://fast_pac_auth",
2611 wait_connect=False, scan_freq="2412")
2612 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2614 raise Exception("EAP failure not reported")
2615 dev[0].request("DISCONNECT")
2617 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2618 """EAP-FAST/MSCHAPv2 and server OOM"""
2619 check_eap_capa(dev[0], "FAST")
2621 params = int_eap_server_params()
2622 params['dh_file'] = 'auth_serv/dh.conf'
2623 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2624 params['eap_fast_a_id'] = '1011'
2625 params['eap_fast_a_id_info'] = 'another test server'
2626 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2628 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2629 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2630 anonymous_identity="FAST", password="password",
2631 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2632 phase1="fast_provisioning=1",
2633 pac_file="blob://fast_pac",
2634 expect_failure=True)
2635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2637 raise Exception("No EAP failure reported")
2638 dev[0].wait_disconnected()
2639 dev[0].request("DISCONNECT")
2641 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    # Both OCSP client support and PKCS#12 credential loading have to be
    # present in this build; either probe raises HwsimSkip otherwise.
    for probe in (check_ocsp_support, check_pkcs12_support):
        probe(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 is the stricter OCSP setting used throughout the OCSP failure
    # tests in this file; test_ap_wpa2_eap_ttls_optional_ocsp_unknown is the
    # one test that uses ocsp=1 instead. The client credential is the test
    # PKCS#12 bundle protected by a fixture passphrase.
    tls_args = {"ca_cert": "auth_serv/ca.pem",
                "private_key": "auth_serv/user.pkcs12",
                "private_key_passwd": "whatever",
                "ocsp": 2}
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **tls_args)
2653 def int_eap_server_params():
2654 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2655 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2656 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2657 "ca_cert": "auth_serv/ca.pem",
2658 "server_cert": "auth_serv/server.pem",
2659 "private_key": "auth_serv/server.key" }
2662 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
2663 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
2664 check_ocsp_support(dev[0])
2665 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
2666 if not os.path.exists(ocsp):
2667 raise HwsimSkip("No OCSP response available")
2668 params = int_eap_server_params()
2669 params["ocsp_stapling_response"] = ocsp
2670 hostapd.add_ap(apdev[0]['ifname'], params)
2671 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2672 identity="tls user", ca_cert="auth_serv/ca.pem",
2673 private_key="auth_serv/user.pkcs12",
2674 private_key_passwd="whatever", ocsp=2,
2677 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
2678 """EAP-TLS and CA signed OCSP response (good)"""
2679 check_ocsp_support(dev[0])
2680 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
2681 if not os.path.exists(ocsp):
2682 raise HwsimSkip("No OCSP response available")
2683 params = int_eap_server_params()
2684 params["ocsp_stapling_response"] = ocsp
2685 hostapd.add_ap(apdev[0]['ifname'], params)
2686 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2687 identity="tls user", ca_cert="auth_serv/ca.pem",
2688 private_key="auth_serv/user.pkcs12",
2689 private_key_passwd="whatever", ocsp=2,
2692 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
2693 """EAP-TLS and CA signed OCSP response (revoked)"""
2694 check_ocsp_support(dev[0])
2695 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
2696 if not os.path.exists(ocsp):
2697 raise HwsimSkip("No OCSP response available")
2698 params = int_eap_server_params()
2699 params["ocsp_stapling_response"] = ocsp
2700 hostapd.add_ap(apdev[0]['ifname'], params)
2701 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2702 identity="tls user", ca_cert="auth_serv/ca.pem",
2703 private_key="auth_serv/user.pkcs12",
2704 private_key_passwd="whatever", ocsp=2,
2705 wait_connect=False, scan_freq="2412")
2708 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2710 raise Exception("Timeout on EAP status")
2711 if 'bad certificate status response' in ev:
2713 if 'certificate revoked' in ev:
2717 raise Exception("Unexpected number of EAP status messages")
2719 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2721 raise Exception("Timeout on EAP failure report")
2723 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
2724 """EAP-TLS and CA signed OCSP response (unknown)"""
2725 check_ocsp_support(dev[0])
2726 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
2727 if not os.path.exists(ocsp):
2728 raise HwsimSkip("No OCSP response available")
2729 params = int_eap_server_params()
2730 params["ocsp_stapling_response"] = ocsp
2731 hostapd.add_ap(apdev[0]['ifname'], params)
2732 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2733 identity="tls user", ca_cert="auth_serv/ca.pem",
2734 private_key="auth_serv/user.pkcs12",
2735 private_key_passwd="whatever", ocsp=2,
2736 wait_connect=False, scan_freq="2412")
2739 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2741 raise Exception("Timeout on EAP status")
2742 if 'bad certificate status response' in ev:
2746 raise Exception("Unexpected number of EAP status messages")
2748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2750 raise Exception("Timeout on EAP failure report")
2752 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
2753 """EAP-TLS and server signed OCSP response"""
2754 check_ocsp_support(dev[0])
2755 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
2756 if not os.path.exists(ocsp):
2757 raise HwsimSkip("No OCSP response available")
2758 params = int_eap_server_params()
2759 params["ocsp_stapling_response"] = ocsp
2760 hostapd.add_ap(apdev[0]['ifname'], params)
2761 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2762 identity="tls user", ca_cert="auth_serv/ca.pem",
2763 private_key="auth_serv/user.pkcs12",
2764 private_key_passwd="whatever", ocsp=2,
2765 wait_connect=False, scan_freq="2412")
2768 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2770 raise Exception("Timeout on EAP status")
2771 if 'bad certificate status response' in ev:
2775 raise Exception("Unexpected number of EAP status messages")
2777 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2779 raise Exception("Timeout on EAP failure report")
2781 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2782 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2783 check_ocsp_support(dev[0])
2784 params = int_eap_server_params()
2785 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2786 hostapd.add_ap(apdev[0]['ifname'], params)
2787 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2788 identity="tls user", ca_cert="auth_serv/ca.pem",
2789 private_key="auth_serv/user.pkcs12",
2790 private_key_passwd="whatever", ocsp=2,
2791 wait_connect=False, scan_freq="2412")
2794 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2796 raise Exception("Timeout on EAP status")
2797 if 'bad certificate status response' in ev:
2801 raise Exception("Unexpected number of EAP status messages")
2803 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2805 raise Exception("Timeout on EAP failure report")
2807 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2808 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2809 check_ocsp_support(dev[0])
2810 params = int_eap_server_params()
2811 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2812 hostapd.add_ap(apdev[0]['ifname'], params)
2813 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2814 identity="tls user", ca_cert="auth_serv/ca.pem",
2815 private_key="auth_serv/user.pkcs12",
2816 private_key_passwd="whatever", ocsp=2,
2817 wait_connect=False, scan_freq="2412")
2820 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2822 raise Exception("Timeout on EAP status")
2823 if 'bad certificate status response' in ev:
2827 raise Exception("Unexpected number of EAP status messages")
2829 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2831 raise Exception("Timeout on EAP failure report")
2833 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2834 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2835 check_ocsp_support(dev[0])
2836 params = int_eap_server_params()
2837 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2838 hostapd.add_ap(apdev[0]['ifname'], params)
2839 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2840 identity="tls user", ca_cert="auth_serv/ca.pem",
2841 private_key="auth_serv/user.pkcs12",
2842 private_key_passwd="whatever", ocsp=2,
2843 wait_connect=False, scan_freq="2412")
2846 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2848 raise Exception("Timeout on EAP status")
2849 if 'bad certificate status response' in ev:
2853 raise Exception("Unexpected number of EAP status messages")
2855 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2857 raise Exception("Timeout on EAP failure report")
2859 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2860 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2861 check_ocsp_support(dev[0])
2862 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2863 if not os.path.exists(ocsp):
2864 raise HwsimSkip("No OCSP response available")
2865 params = int_eap_server_params()
2866 params["ocsp_stapling_response"] = ocsp
2867 hostapd.add_ap(apdev[0]['ifname'], params)
2868 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2869 identity="pap user", ca_cert="auth_serv/ca.pem",
2870 anonymous_identity="ttls", password="password",
2871 phase2="auth=PAP", ocsp=2,
2872 wait_connect=False, scan_freq="2412")
2875 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2877 raise Exception("Timeout on EAP status")
2878 if 'bad certificate status response' in ev:
2880 if 'certificate revoked' in ev:
2884 raise Exception("Unexpected number of EAP status messages")
2886 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2888 raise Exception("Timeout on EAP failure report")
2890 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2891 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2892 check_ocsp_support(dev[0])
2893 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2894 if not os.path.exists(ocsp):
2895 raise HwsimSkip("No OCSP response available")
2896 params = int_eap_server_params()
2897 params["ocsp_stapling_response"] = ocsp
2898 hostapd.add_ap(apdev[0]['ifname'], params)
2899 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2900 identity="pap user", ca_cert="auth_serv/ca.pem",
2901 anonymous_identity="ttls", password="password",
2902 phase2="auth=PAP", ocsp=2,
2903 wait_connect=False, scan_freq="2412")
2906 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2908 raise Exception("Timeout on EAP status")
2909 if 'bad certificate status response' in ev:
2913 raise Exception("Unexpected number of EAP status messages")
2915 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2917 raise Exception("Timeout on EAP failure report")
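def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # Skip cleanly, as the other OCSP tests in this file do, when the build
    # has no OCSP support instead of failing later on the ocsp= parameter.
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # From here on 'params' is the hostapd configuration, not the test
    # framework's params fixture (only 'logdir' is needed from the fixture).
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=1 makes stapling optional, so an "unknown" status is not expected
    # to abort the connection: connect() runs with the default wait for the
    # connected state, whereas the ocsp=2 variants of this test pass
    # wait_connect=False and then wait for CTRL-EVENT-EAP-FAILURE.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")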
2932 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2933 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2934 check_domain_match_full(dev[0])
2935 params = int_eap_server_params()
2936 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2937 params["private_key"] = "auth_serv/server-no-dnsname.key"
2938 hostapd.add_ap(apdev[0]['ifname'], params)
2939 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2940 identity="tls user", ca_cert="auth_serv/ca.pem",
2941 private_key="auth_serv/user.pkcs12",
2942 private_key_passwd="whatever",
2943 domain_suffix_match="server3.w1.fi",
2946 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2947 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2948 check_domain_match(dev[0])
2949 params = int_eap_server_params()
2950 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2951 params["private_key"] = "auth_serv/server-no-dnsname.key"
2952 hostapd.add_ap(apdev[0]['ifname'], params)
2953 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2954 identity="tls user", ca_cert="auth_serv/ca.pem",
2955 private_key="auth_serv/user.pkcs12",
2956 private_key_passwd="whatever",
2957 domain_match="server3.w1.fi",
2960 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2961 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2962 check_domain_match_full(dev[0])
2963 params = int_eap_server_params()
2964 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2965 params["private_key"] = "auth_serv/server-no-dnsname.key"
2966 hostapd.add_ap(apdev[0]['ifname'], params)
2967 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2968 identity="tls user", ca_cert="auth_serv/ca.pem",
2969 private_key="auth_serv/user.pkcs12",
2970 private_key_passwd="whatever",
2971 domain_suffix_match="w1.fi",
2974 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2975 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2976 check_domain_suffix_match(dev[0])
2977 params = int_eap_server_params()
2978 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2979 params["private_key"] = "auth_serv/server-no-dnsname.key"
2980 hostapd.add_ap(apdev[0]['ifname'], params)
2981 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2982 identity="tls user", ca_cert="auth_serv/ca.pem",
2983 private_key="auth_serv/user.pkcs12",
2984 private_key_passwd="whatever",
2985 domain_suffix_match="example.com",
2988 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2989 identity="tls user", ca_cert="auth_serv/ca.pem",
2990 private_key="auth_serv/user.pkcs12",
2991 private_key_passwd="whatever",
2992 domain_suffix_match="erver3.w1.fi",
2995 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2997 raise Exception("Timeout on EAP failure report")
2998 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3000 raise Exception("Timeout on EAP failure report (2)")
3002 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3003 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
3004 check_domain_match(dev[0])
3005 params = int_eap_server_params()
3006 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3007 params["private_key"] = "auth_serv/server-no-dnsname.key"
3008 hostapd.add_ap(apdev[0]['ifname'], params)
3009 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3010 identity="tls user", ca_cert="auth_serv/ca.pem",
3011 private_key="auth_serv/user.pkcs12",
3012 private_key_passwd="whatever",
3013 domain_match="example.com",
3016 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3017 identity="tls user", ca_cert="auth_serv/ca.pem",
3018 private_key="auth_serv/user.pkcs12",
3019 private_key_passwd="whatever",
3020 domain_match="w1.fi",
3023 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3025 raise Exception("Timeout on EAP failure report")
3026 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3028 raise Exception("Timeout on EAP failure report (2)")
3030 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3031 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
3032 skip_with_fips(dev[0])
3033 params = int_eap_server_params()
3034 params["server_cert"] = "auth_serv/server-expired.pem"
3035 params["private_key"] = "auth_serv/server-expired.key"
3036 hostapd.add_ap(apdev[0]['ifname'], params)
3037 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3038 identity="mschap user", password="password",
3039 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3042 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3044 raise Exception("Timeout on EAP certificate error report")
3045 if "reason=4" not in ev or "certificate has expired" not in ev:
3046 raise Exception("Unexpected failure reason: " + ev)
3047 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3049 raise Exception("Timeout on EAP failure report")
3051 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3052 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
3053 skip_with_fips(dev[0])
3054 params = int_eap_server_params()
3055 params["server_cert"] = "auth_serv/server-expired.pem"
3056 params["private_key"] = "auth_serv/server-expired.key"
3057 hostapd.add_ap(apdev[0]['ifname'], params)
3058 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3059 identity="mschap user", password="password",
3060 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3061 phase1="tls_disable_time_checks=1",
3064 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3065 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
3066 skip_with_fips(dev[0])
3067 params = int_eap_server_params()
3068 params["server_cert"] = "auth_serv/server-long-duration.pem"
3069 params["private_key"] = "auth_serv/server-long-duration.key"
3070 hostapd.add_ap(apdev[0]['ifname'], params)
3071 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3072 identity="mschap user", password="password",
3073 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3076 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3077 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3078 skip_with_fips(dev[0])
3079 params = int_eap_server_params()
3080 params["server_cert"] = "auth_serv/server-eku-client.pem"
3081 params["private_key"] = "auth_serv/server-eku-client.key"
3082 hostapd.add_ap(apdev[0]['ifname'], params)
3083 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3084 identity="mschap user", password="password",
3085 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3088 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3090 raise Exception("Timeout on EAP failure report")
3092 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3093 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3094 skip_with_fips(dev[0])
3095 params = int_eap_server_params()
3096 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3097 params["private_key"] = "auth_serv/server-eku-client-server.key"
3098 hostapd.add_ap(apdev[0]['ifname'], params)
3099 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3100 identity="mschap user", password="password",
3101 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3104 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3105 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3106 skip_with_fips(dev[0])
3107 params = int_eap_server_params()
3108 del params["server_cert"]
3109 params["private_key"] = "auth_serv/server.pkcs12"
3110 hostapd.add_ap(apdev[0]['ifname'], params)
3111 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3112 identity="mschap user", password="password",
3113 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The station supplies its own DH parameter file via dh_file; the CA is
    # given in DER form here (the other TTLS tests mostly use ca.pem) and the
    # inner method is PAP, matching the "pap user" identity.
    ttls_args = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP",
                 "dh_file": "auth_serv/dh.conf"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Gate on the TLS library accepting DSA parameters for DH; the probe
    # raises HwsimSkip when it does not.
    check_dh_dsa_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same setup as test_ap_wpa2_eap_ttls_dh_params, but the dh_file is a
    # DSA parameter file rather than a DH one.
    ttls_args = {"anonymous_identity": "ttls", "password": "password",
                 "ca_cert": "auth_serv/ca.der", "phase2": "auth=PAP",
                 "dh_file": "auth_serv/dsaparam.pem"}
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
3135 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
3136 """EAP-TTLS and DH params file not found"""
3137 skip_with_fips(dev[0])
3138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3139 hostapd.add_ap(apdev[0]['ifname'], params)
3140 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3141 identity="mschap user", password="password",
3142 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3143 dh_file="auth_serv/dh-no-such-file.conf",
3144 scan_freq="2412", wait_connect=False)
3145 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3147 raise Exception("EAP failure timed out")
3148 dev[0].request("REMOVE_NETWORK all")
3149 dev[0].wait_disconnected()
3151 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
3152 """EAP-TTLS and invalid DH params file"""
3153 skip_with_fips(dev[0])
3154 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3155 hostapd.add_ap(apdev[0]['ifname'], params)
3156 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3157 identity="mschap user", password="password",
3158 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3159 dh_file="auth_serv/ca.pem",
3160 scan_freq="2412", wait_connect=False)
3161 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3163 raise Exception("EAP failure timed out")
3164 dev[0].request("REMOVE_NETWORK all")
3165 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DH params from a blob

    The DH parameters are pushed into wpa_supplicant as a named blob over the
    control interface and referenced from the network profile as
    blob://dhparams instead of a file path.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # read_pem() is a module-local helper; the control interface takes the
    # blob contents as a hex string (Python 2 str.encode("hex") idiom).
    dh_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    res = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS/PAP with an alternative server-side dh_file

    The integrated EAP server is pointed at auth_serv/dh2.conf; a plain
    EAP-TTLS/PAP connection must still succeed.
    """
    ap_params = int_eap_server_params()
    ap_params.update({"dh_file": "auth_serv/dh2.conf"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS/PAP with a DSA-style server-side dh_file

    Same as test_ap_wpa2_eap_ttls_dh_params_server but the integrated EAP
    server loads auth_serv/dsaparam.pem.
    """
    ap_params = int_eap_server_params()
    ap_params.update({"dh_file": "auth_serv/dsaparam.pem"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP server and dhparams file not found: configuration must be rejected

    A dh_file that does not exist has to make ENABLE fail (fail closed) rather
    than bring the EAP server up.

    NOTE(review): this module defines a function with this exact name twice
    (the earlier one exercises the station-side dh_file error path). Because
    this later definition rebinds the module attribute, the earlier test is
    shadowed and presumably never collected by the runner. Renaming one of
    them (e.g. ..._server_not_found) would restore it; the name is left as is
    here to keep the test identifier stable.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP server and invalid dhparams file: configuration must be rejected

    A CA certificate is handed in as dh_file; ENABLE has to fail (fail closed)
    instead of silently accepting unparsable DH parameters.

    NOTE(review): this module defines a function with this exact name twice
    (the earlier one exercises the station-side dh_file error path). This later
    definition rebinds the module attribute, so the earlier test is shadowed
    and presumably never collected by the runner. Renaming one of them (e.g.
    ..._server_invalid) would restore it; the name is left unchanged here.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
3213 def test_ap_wpa2_eap_reauth(dev, apdev):
3214 """WPA2-Enterprise and Authenticator forcing reauthentication"""
3215 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3216 params['eap_reauth_period'] = '2'
3217 hostapd.add_ap(apdev[0]['ifname'], params)
3218 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3219 password_hex="0123456789abcdef0123456789abcdef")
3220 logger.info("Wait for reauthentication")
3221 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3223 raise Exception("Timeout on reauthentication")
3224 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3226 raise Exception("Timeout on reauthentication")
3227 for i in range(0, 20):
3228 state = dev[0].get_status_field("wpa_state")
3229 if state == "COMPLETED":
3232 if state != "COMPLETED":
3233 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    Configures eap_message on the AP and checks that an EAP-PAX connection
    still completes with the extra payload present in the Request-Identity.
    """
    # The Python literal '\\0' yields a backslash followed by '0' in the config
    # value; presumably hostapd turns that into the NUL separator between the
    # displayable text and the networkid/nasid/portid/NAIRealms options.
    msg = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = msg
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA/AKA' and protected result indication

    For each method, dev[0] connects with phase1="result_ind=1" and then
    re-authenticates, while dev[1] connects with the same credentials but
    without requesting the result indication. The AP has
    eap_sim_aka_result_ind enabled and uses the external hlr_auc_gw socket.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Colon-separated secrets for the simulated SIM/USIM (presumably Ki:OPc,
    # with a trailing SQN for AKA/AKA'); these are test-vector values only.
    sim_pw = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    aka_pw = sim_pw + ":000000000123"
    aka_prime_pw = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    def run_method(method, imsi, pw):
        # dev[0] asks for the protected result indication and reauthenticates;
        # dev[1] goes through the plain flow with the same identity.
        eap_connect(dev[0], apdev[0], method, imsi, password=pw,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=pw)

    def clear_profiles():
        dev[0].request("REMOVE_NETWORK all")
        dev[1].request("REMOVE_NETWORK all")

    run_method("SIM", "1232010000000000", sim_pw)
    clear_profiles()

    run_method("AKA", "0232010000000000", aka_pw)
    clear_profiles()

    # The last method leaves its profiles in place, as the original flow did.
    run_method("AKA'", "6555444333222111", aka_prime_pw)
3278 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3279 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3280 skip_with_fips(dev[0])
3281 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3282 hostapd.add_ap(apdev[0]['ifname'], params)
3283 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3284 eap="TTLS", identity="mschap user",
3285 wait_connect=False, scan_freq="2412", ieee80211w="1",
3286 anonymous_identity="ttls", password="password",
3287 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3289 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3291 raise Exception("EAP roundtrip limit not reached")
3293 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3294 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3296 hostapd.add_ap(apdev[0]['ifname'], params)
3297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3298 eap="PSK", identity="vendor-test",
3299 password_hex="ff23456789abcdef0123456789abcdef",
3303 for i in range(0, 5):
3304 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3306 raise Exception("Association and EAP start timed out")
3307 if "refuse proposed method" in ev:
3311 raise Exception("Unexpected EAP status: " + ev)
3313 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3315 raise Exception("EAP failure timed out")
3317 def test_ap_wpa2_eap_sql(dev, apdev, params):
3318 """WPA2-Enterprise connection using SQLite for user DB"""
3319 skip_with_fips(dev[0])
3323 raise HwsimSkip("No sqlite3 module available")
3324 dbfile = os.path.join(params['logdir'], "eap-user.db")
3329 con = sqlite3.connect(dbfile)
3332 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3333 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3334 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3335 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3336 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3337 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3338 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3339 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3342 params = int_eap_server_params()
3343 params["eap_user_file"] = "sqlite:" + dbfile
3344 hostapd.add_ap(apdev[0]['ifname'], params)
3345 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3346 anonymous_identity="ttls", password="password",
3347 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3348 dev[0].request("REMOVE_NETWORK all")
3349 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3350 anonymous_identity="ttls", password="password",
3351 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3352 dev[1].request("REMOVE_NETWORK all")
3353 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3354 anonymous_identity="ttls", password="password",
3355 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3356 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3357 anonymous_identity="ttls", password="password",
3358 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3362 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3363 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3364 params = int_eap_server_params()
3365 hostapd.add_ap(apdev[0]['ifname'], params)
3366 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3367 identity="\x80", password="password", wait_connect=False)
3368 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3369 identity="a\x80", password="password", wait_connect=False)
3370 for i in range(0, 2):
3371 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3373 raise Exception("Association and EAP start timed out")
3374 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3376 raise Exception("EAP method selection timed out")
3378 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3379 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3380 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3381 hostapd.add_ap(apdev[0]['ifname'], params)
3382 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3383 identity="\x80", password="password", wait_connect=False)
3384 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3385 identity="a\x80", password="password", wait_connect=False)
3386 for i in range(0, 2):
3387 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3389 raise Exception("Association and EAP start timed out")
3390 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3392 raise Exception("EAP method selection timed out")
3394 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3395 """OpenSSL cipher suite configuration on wpa_supplicant"""
3396 tls = dev[0].request("GET tls_library")
3397 if not tls.startswith("OpenSSL"):
3398 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3399 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3400 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3401 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3402 anonymous_identity="ttls", password="password",
3403 openssl_ciphers="AES128",
3404 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3405 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3406 anonymous_identity="ttls", password="password",
3407 openssl_ciphers="EXPORT",
3408 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3409 expect_failure=True, maybe_local_error=True)
3410 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3411 identity="pap user", anonymous_identity="ttls",
3412 password="password",
3413 openssl_ciphers="FOO",
3414 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3416 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3418 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3419 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The AP is restricted to openssl_ciphers="AES256". A default station and one
    limited to "HIGH:!ADH" must connect, a station limited to "AES128" must
    fail, and an unparsable cipher list ("FOO") must be rejected at ENABLE
    time on a second AP (fail closed rather than running with a fallback).
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the hostapd library is only checked after the AP has
    # already been configured with openssl_ciphers; if a non-OpenSSL hostapd
    # build rejects that parameter at add_ap, this skip may never be reached.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # No overlap between server AES256 and client AES128 -> handshake fails.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3450 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3451 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3452 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3453 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3454 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3455 pid = find_wpas_process(dev[0])
3456 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3457 anonymous_identity="ttls", password=password,
3458 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3459 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
3460 # event has been delivered, so verify that wpa_supplicant has returned to
3461 # eloop before reading process memory.
3464 buf = read_process_memory(pid, password)
3466 dev[0].request("DISCONNECT")
3467 dev[0].wait_disconnected()
3475 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3476 for l in f.readlines():
3477 if "EAP-TTLS: Derived key - hexdump" in l:
3478 val = l.strip().split(':')[3].replace(' ', '')
3479 msk = binascii.unhexlify(val)
3480 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3481 val = l.strip().split(':')[3].replace(' ', '')
3482 emsk = binascii.unhexlify(val)
3483 if "WPA: PMK - hexdump" in l:
3484 val = l.strip().split(':')[3].replace(' ', '')
3485 pmk = binascii.unhexlify(val)
3486 if "WPA: PTK - hexdump" in l:
3487 val = l.strip().split(':')[3].replace(' ', '')
3488 ptk = binascii.unhexlify(val)
3489 if "WPA: Group Key - hexdump" in l:
3490 val = l.strip().split(':')[3].replace(' ', '')
3491 gtk = binascii.unhexlify(val)
3492 if not msk or not emsk or not pmk or not ptk or not gtk:
3493 raise Exception("Could not find keys from debug log")
3495 raise Exception("Unexpected GTK length")
3501 fname = os.path.join(params['logdir'],
3502 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3504 logger.info("Checking keys in memory while associated")
3505 get_key_locations(buf, password, "Password")
3506 get_key_locations(buf, pmk, "PMK")
3507 get_key_locations(buf, msk, "MSK")
3508 get_key_locations(buf, emsk, "EMSK")
3509 if password not in buf:
3510 raise HwsimSkip("Password not found while associated")
3512 raise HwsimSkip("PMK not found while associated")
3514 raise Exception("KCK not found while associated")
3516 raise Exception("KEK not found while associated")
3518 raise Exception("TK found from memory")
3520 get_key_locations(buf, gtk, "GTK")
3521 raise Exception("GTK found from memory")
3523 logger.info("Checking keys in memory after disassociation")
3524 buf = read_process_memory(pid, password)
3526 # Note: Password is still present in network configuration
3527 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3529 get_key_locations(buf, password, "Password")
3530 get_key_locations(buf, pmk, "PMK")
3531 get_key_locations(buf, msk, "MSK")
3532 get_key_locations(buf, emsk, "EMSK")
3533 verify_not_present(buf, kck, fname, "KCK")
3534 verify_not_present(buf, kek, fname, "KEK")
3535 verify_not_present(buf, tk, fname, "TK")
3536 verify_not_present(buf, gtk, fname, "GTK")
3538 dev[0].request("PMKSA_FLUSH")
3539 dev[0].set_network_quoted(id, "identity", "foo")
3540 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3541 buf = read_process_memory(pid, password)
3542 get_key_locations(buf, password, "Password")
3543 get_key_locations(buf, pmk, "PMK")
3544 get_key_locations(buf, msk, "MSK")
3545 get_key_locations(buf, emsk, "EMSK")
3546 verify_not_present(buf, pmk, fname, "PMK")
3548 dev[0].request("REMOVE_NETWORK all")
3550 logger.info("Checking keys in memory after network profile removal")
3551 buf = read_process_memory(pid, password)
3553 get_key_locations(buf, password, "Password")
3554 get_key_locations(buf, pmk, "PMK")
3555 get_key_locations(buf, msk, "MSK")
3556 get_key_locations(buf, emsk, "EMSK")
3557 verify_not_present(buf, password, fname, "password")
3558 verify_not_present(buf, pmk, fname, "PMK")
3559 verify_not_present(buf, kck, fname, "KCK")
3560 verify_not_present(buf, kek, fname, "KEK")
3561 verify_not_present(buf, tk, fname, "TK")
3562 verify_not_present(buf, gtk, fname, "GTK")
3563 verify_not_present(buf, msk, fname, "MSK")
3564 verify_not_present(buf, emsk, fname, "EMSK")
3566 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3567 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3568 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3569 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3570 bssid = apdev[0]['bssid']
3571 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3572 anonymous_identity="ttls", password="password",
3573 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3575 # Send unexpected WEP EAPOL-Key; this gets dropped
3576 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3578 raise Exception("EAPOL_RX to wpa_supplicant failed")
3580 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3581 """WPA2-EAP and wpas interface in a bridge"""
3585 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3587 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3588 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3589 subprocess.call(['brctl', 'delbr', br_ifname])
3590 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3592 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3593 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3594 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3598 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3599 subprocess.call(['brctl', 'addbr', br_ifname])
3600 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3601 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3602 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3603 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3604 wpas.interface_add(ifname, br_ifname=br_ifname)
3607 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3608 password_hex="0123456789abcdef0123456789abcdef")
3610 eap_reauth(wpas, "PAX")
3612 # Try again as a regression test for packet socket workaround
3613 eap_reauth(wpas, "PAX")
3615 wpas.request("DISCONNECT")
3616 wpas.wait_disconnected()
3618 wpas.request("RECONNECT")
3619 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with TLS session tickets enabled

    Sanity-checks the AP's advertised key_mgmt via GET_CONFIG, connects with
    phase1="tls_disable_session_ticket=0" and then forces a reauthentication.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    cfg_key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = cfg_key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + cfg_key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Second EAP run over the same association (session ticket may be used)
    eap_reauth(dev[0], "TTLS")
3635 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3636 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3637 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3638 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3639 key_mgmt = hapd.get_config()['key_mgmt']
3640 if key_mgmt.split(' ')[0] != "WPA-EAP":
3641 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3642 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3643 anonymous_identity="ttls", password="password",
3644 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3646 eap_reauth(dev[0], "TTLS")
3648 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3649 """EAP-TLS and server checking CRL"""
3650 params = int_eap_server_params()
3651 params['check_crl'] = '1'
3652 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3654 # check_crl=1 and no CRL available --> reject connection
3655 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3656 client_cert="auth_serv/user.pem",
3657 private_key="auth_serv/user.key", expect_failure=True)
3658 dev[0].request("REMOVE_NETWORK all")
3661 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3664 # check_crl=1 and valid CRL --> accept
3665 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3666 client_cert="auth_serv/user.pem",
3667 private_key="auth_serv/user.key")
3668 dev[0].request("REMOVE_NETWORK all")
3671 hapd.set("check_crl", "2")
3674 # check_crl=2 and valid CRL --> accept
3675 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3676 client_cert="auth_serv/user.pem",
3677 private_key="auth_serv/user.key")
3678 dev[0].request("REMOVE_NETWORK all")
3680 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3681 """EAP-TLS and OOM"""
3682 check_subject_match_support(dev[0])
3683 check_altsubject_match_support(dev[0])
3684 check_domain_match(dev[0])
3685 check_domain_match_full(dev[0])
3687 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3688 hostapd.add_ap(apdev[0]['ifname'], params)
3690 tests = [ (1, "tls_connection_set_subject_match"),
3691 (2, "tls_connection_set_subject_match"),
3692 (3, "tls_connection_set_subject_match"),
3693 (4, "tls_connection_set_subject_match") ]
3694 for count, func in tests:
3695 with alloc_fail(dev[0], count, func):
3696 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3697 identity="tls user", ca_cert="auth_serv/ca.pem",
3698 client_cert="auth_serv/user.pem",
3699 private_key="auth_serv/user.key",
3700 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3701 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3702 domain_suffix_match="server.w1.fi",
3703 domain_match="server.w1.fi",
3704 wait_connect=False, scan_freq="2412")
3705 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3706 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3708 raise Exception("No passphrase request")
3709 dev[0].request("REMOVE_NETWORK all")
3710 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise EAP-TLS connection with macaddr_acl=2 on the AP

    macaddr_acl is set to "2" (presumably the hostapd.conf value for an
    external RADIUS-based MAC ACL); an EAP-TLS station is then expected to
    connect normally.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"macaddr_acl": "2"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    tls_creds = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
3721 def test_ap_wpa2_eap_oom(dev, apdev):
3722 """EAP server and OOM"""
3723 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3724 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3725 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3727 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3728 # The first attempt fails, but STA will send EAPOL-Start to retry and
3730 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3731 identity="tls user", ca_cert="auth_serv/ca.pem",
3732 client_cert="auth_serv/user.pem",
3733 private_key="auth_serv/user.key",
3736 def check_tls_ver(dev, ap, phase1, expected):
3737 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3738 client_cert="auth_serv/user.pem",
3739 private_key="auth_serv/user.key",
3741 ver = dev.get_status_field("eap_tls_version")
3743 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3745 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3746 """EAP-TLS and TLS version configuration"""
3747 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3748 hostapd.add_ap(apdev[0]['ifname'], params)
3750 tls = dev[0].request("GET tls_library")
3751 if tls.startswith("OpenSSL"):
3752 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3753 check_tls_ver(dev[0], apdev[0],
3754 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3756 elif tls.startswith("internal"):
3757 check_tls_ver(dev[0], apdev[0],
3758 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3759 check_tls_ver(dev[1], apdev[0],
3760 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3761 check_tls_ver(dev[2], apdev[0],
3762 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3764 def test_rsn_ie_proto_eap_sta(dev, apdev):
3765 """RSN element protocol testing for EAP cases on STA side"""
3766 bssid = apdev[0]['bssid']
3767 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3768 # This is the RSN element used normally by hostapd
3769 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3770 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3771 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3772 identity="gpsk user",
3773 password="abcdefghijklmnop0123456789abcdef",
3776 tests = [ ('No RSN Capabilities field',
3777 '30120100000fac040100000fac040100000fac01'),
3778 ('No AKM Suite fields',
3779 '300c0100000fac040100000fac04'),
3780 ('No Pairwise Cipher Suite fields',
3781 '30060100000fac04'),
3782 ('No Group Data Cipher Suite field',
3784 for txt,ie in tests:
3785 dev[0].request("DISCONNECT")
3786 dev[0].wait_disconnected()
3789 hapd.set('own_ie_override', ie)
3791 dev[0].request("BSS_FLUSH 0")
3792 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3793 dev[0].select_network(id, freq=2412)
3794 dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant report OpenSSL.

    Queries "GET tls_library" on the AP first and then on the station and
    raises HwsimSkip with the reported library name if either does not start
    with "OpenSSL".
    """
    checks = ((hapd, "hostapd TLS library is not OpenSSL: "),
              (dev, "Session resumption not supported with this TLS library: "))
    for peer, reason in checks:
        lib = peer.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
3805 def test_eap_ttls_pap_session_resumption(dev, apdev):
3806 """EAP-TTLS/PAP session resumption"""
3807 params = int_eap_server_params()
3808 params['tls_session_lifetime'] = '60'
3809 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3810 check_tls_session_resumption_capa(dev[0], hapd)
3811 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3812 anonymous_identity="ttls", password="password",
3813 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3815 if dev[0].get_status_field("tls_session_reused") != '0':
3816 raise Exception("Unexpected session resumption on the first connection")
3818 dev[0].request("REAUTHENTICATE")
3819 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3821 raise Exception("EAP success timed out")
3822 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3824 raise Exception("Key handshake with the AP timed out")
3825 if dev[0].get_status_field("tls_session_reused") != '1':
3826 raise Exception("Session resumption not used on the second connection")
3828 def test_eap_ttls_chap_session_resumption(dev, apdev):
3829 """EAP-TTLS/CHAP session resumption"""
3830 params = int_eap_server_params()
3831 params['tls_session_lifetime'] = '60'
3832 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3833 check_tls_session_resumption_capa(dev[0], hapd)
3834 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3835 anonymous_identity="ttls", password="password",
3836 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3837 if dev[0].get_status_field("tls_session_reused") != '0':
3838 raise Exception("Unexpected session resumption on the first connection")
3840 dev[0].request("REAUTHENTICATE")
3841 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3843 raise Exception("EAP success timed out")
3844 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3846 raise Exception("Key handshake with the AP timed out")
3847 if dev[0].get_status_field("tls_session_reused") != '1':
3848 raise Exception("Session resumption not used on the second connection")
3850 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3851 """EAP-TTLS/MSCHAP session resumption"""
3852 check_domain_suffix_match(dev[0])
3853 params = int_eap_server_params()
3854 params['tls_session_lifetime'] = '60'
3855 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3856 check_tls_session_resumption_capa(dev[0], hapd)
3857 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3858 anonymous_identity="ttls", password="password",
3859 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3860 domain_suffix_match="server.w1.fi")
3861 if dev[0].get_status_field("tls_session_reused") != '0':
3862 raise Exception("Unexpected session resumption on the first connection")
3864 dev[0].request("REAUTHENTICATE")
3865 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3867 raise Exception("EAP success timed out")
3868 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3870 raise Exception("Key handshake with the AP timed out")
3871 if dev[0].get_status_field("tls_session_reused") != '1':
3872 raise Exception("Session resumption not used on the second connection")
3874 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3875 """EAP-TTLS/MSCHAPv2 session resumption"""
3876 check_domain_suffix_match(dev[0])
3877 check_eap_capa(dev[0], "MSCHAPV2")
3878 params = int_eap_server_params()
3879 params['tls_session_lifetime'] = '60'
3880 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3881 check_tls_session_resumption_capa(dev[0], hapd)
3882 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3883 anonymous_identity="ttls", password="password",
3884 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3885 domain_suffix_match="server.w1.fi")
3886 if dev[0].get_status_field("tls_session_reused") != '0':
3887 raise Exception("Unexpected session resumption on the first connection")
3889 dev[0].request("REAUTHENTICATE")
3890 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3892 raise Exception("EAP success timed out")
3893 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3895 raise Exception("Key handshake with the AP timed out")
3896 if dev[0].get_status_field("tls_session_reused") != '1':
3897 raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    wpas = dev[0]

    def reused():
        # tls_session_reused as reported after the most recent EAP run.
        return wpas.get_status_field("tls_session_reused")

    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'  # enable the server-side session cache
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(wpas, hapd)
    eap_connect(wpas, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # Initial association: always a full handshake.
    if reused() != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP run on the live association must pick up the cached session.
    wpas.request("REAUTHENTICATE")
    if wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if wpas.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if reused() != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    # With tls_session_lifetime=0 the server keeps no session cache, so the
    # reauthentication has to be another full handshake (reused stays '0').
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    first = dev[0].get_status_field("tls_session_reused")
    if first != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    second = dev[0].get_status_field("tls_session_reused")
    if second != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # First association: full TLS handshake inside PEAP.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-run EAP on the same association; the session cached for 60 s
    # (tls_session_lifetime) must be resumed.
    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding"""
    wpas = dev[0]
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(wpas, hapd)
    # peapver=0 with crypto_binding=2 (required) so that the resumed
    # session still has to pass the inner/outer binding check.
    eap_connect(wpas, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if wpas.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    wpas.request("REAUTHENTICATE")
    ev = wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = wpas.wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if wpas.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    # tls_session_lifetime is deliberately not set here, so this also pins
    # the server default: no session cache, two full handshakes.
    wpas = dev[0]
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(wpas, apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if wpas.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    wpas.request("REAUTHENTICATE")
    if wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if wpas.wait_event(["WPA: Key negotiation completed"], timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if wpas.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    wpas = dev[0]

    def reauthenticate():
        # Trigger a new EAP run on the existing association and wait for
        # both EAP success and the completed 4-way handshake.
        wpas.request("REAUTHENTICATE")
        if wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if wpas.wait_event(["WPA: Key negotiation completed"],
                           timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")

    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(wpas, hapd)
    eap_connect(wpas, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if wpas.get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second and third EAP runs must both be resumptions of the cached session.
    reauthenticate()
    if wpas.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    reauthenticate()
    if wpas.get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
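def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption with lifetime expiration"""
    # Docstring now names what is actually tested: a cached session must NOT
    # be resumed once tls_session_lifetime (here 1, the shortest non-zero
    # value) has elapsed.
    import time

    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # immediately after the lifetime has passed.
    # NOTE(review): the attempt count and the sleep between attempts were
    # reconstructed from an incomplete copy of this test; confirm upstream.
    for i in range(10):
        if i > 0:
            time.sleep(1.1)
        dev[0].request("REAUTHENTICATE")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") == '0':
            break  # full handshake observed: the cache entry has expired
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")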
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # tls_session_lifetime is left unset: the server default must behave as
    # "no cache", i.e. the reauthentication is a second full handshake.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # Two hostapd instances: apdev[1] is a standalone RADIUS/EAP server with
    # a 60 s TLS session cache, apdev[0] is the AP that proxies EAP to it.
    # The cache lives on the authentication server, not on the AP.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "60"}
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
        raise Exception("EAP success timed out")
    if dev[0].wait_event(["WPA: Key negotiation completed"],
                         timeout=10) is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Same two-instance layout as the resumption case, but the RADIUS server
    # is started with tls_session_lifetime=0, so nothing may be resumed.
    as_params = {"ssid": "as", "beacon_int": "2000",
                 "radius_server_clients": "auth_serv/radius_clients.conf",
                 "radius_server_auth_port": '18128',
                 "eap_server": "1",
                 "eap_user_file": "auth_serv/eap_user.conf",
                 "ca_cert": "auth_serv/ca.pem",
                 "server_cert": "auth_serv/server.pem",
                 "private_key": "auth_serv/server.key",
                 "tls_session_lifetime": "0"}
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
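def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    # Each (count, func) entry arms a fail_test/alloc_fail hook: the named
    # internal function fails on its count-th call, and the EAP run must
    # abort cleanly instead of connecting. The duplicated
    # "nt_password_hash;=mschapv2_derive_response" entry of the first list
    # was dropped; it exercised exactly the same trigger twice.
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: the credentials work when nothing is forced to fail.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def run(hook, trigger, tests, **net):
        # One connection attempt per (count, func); `trigger` is the GET_*
        # command wait_fail_trigger() polls to confirm the hook fired.
        for count, func in tests:
            with hook(dev[0], count, func):
                dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                               wait_connect=False, scan_freq="2412", **net)
                wait_fail_trigger(dev[0], trigger)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].wait_disconnected()

    # Crypto primitive failures while deriving the response from a password.
    run(fail_test, "GET_FAIL",
        [(1, "hash_nt_password_hash;mschapv2_derive_response"),
         (1, "nt_password_hash;mschapv2_derive_response"),
         (1, "nt_password_hash;=mschapv2_derive_response"),
         (1, "generate_nt_response;mschapv2_derive_response"),
         (1, "generate_authenticator_response;mschapv2_derive_response"),
         (1, "get_master_key;mschapv2_derive_response"),
         (1, "os_get_random;eap_mschapv2_challenge_reply")],
        eap="MSCHAPV2", identity="phase1-user", password="password")

    # Same, with the credential supplied as a pre-computed NT hash.
    run(fail_test, "GET_FAIL",
        [(1, "hash_nt_password_hash;mschapv2_derive_response"),
         (1, "hash_nt_password_hash;=mschapv2_derive_response"),
         (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
         (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")],
        eap="MSCHAPV2", identity="phase1-user",
        password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")

    # Allocation failures on the success path.
    run(alloc_fail, "GET_ALLOC_FAIL",
        [(1, "eap_mschapv2_init"),
         (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
         (1, "eap_msg_alloc;eap_mschapv2_success"),
         (1, "eap_mschapv2_getKey")],
        eap="MSCHAPV2", identity="phase1-user", password="password")

    # Allocation failure while building the Failure response (wrong password
    # is what makes the server send Failure in the first place).
    run(alloc_fail, "GET_ALLOC_FAIL",
        [(1, "eap_msg_alloc;eap_mschapv2_failure")],
        eap="MSCHAPV2", identity="phase1-user", password="wrong password")

    # Later eap_mschapv2_init allocations are only reached when MSCHAPv2 runs
    # as the inner method of EAP-FAST.
    run(alloc_fail, "GET_ALLOC_FAIL",
        [(2, "eap_mschapv2_init"),
         (3, "eap_mschapv2_init")],
        eap="FAST", anonymous_identity="FAST", identity="user",
        password="password",
        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        phase1="fast_provisioning=1",
        pac_file="blob://fast_pac")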
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    wpas = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline connection with the working PSK.
    wpas.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                 identity="gpsk user",
                 password="abcdefghijklmnop0123456789abcdef",
                 scan_freq="2412")
    wpas.request("REMOVE_NETWORK all")
    wpas.wait_disconnected()

    # (count, failing function, phase1 selecting the GPSK cipher suite).
    # NOTE(review): the phase1 cipher selections in this table were
    # reconstructed from an incomplete copy of the test; confirm upstream.
    fail_cases = [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_derive_keys_helper", None),
                  (2, "eap_gpsk_derive_keys_helper", None),
                  (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=1"),
                  (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
                   "cipher=2"),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
                  (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
                  (1, "eap_gpsk_derive_mid_helper", None)]
    for count, func, phase1 in fail_cases:
        with fail_test(wpas, count, func):
            wpas.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                         identity="gpsk user",
                         password="abcdefghijklmnop0123456789abcdef",
                         phase1=phase1,
                         wait_connect=False, scan_freq="2412")
            wait_fail_trigger(wpas, "GET_FAIL")
            wpas.request("REMOVE_NETWORK all")
            wpas.wait_disconnected()

    # Allocation failures along the whole exchange, including the EMSK and
    # session-id getters that only run with ERP enabled (erp="1").
    alloc_cases = [(1, "eap_gpsk_init"),
                   (2, "eap_gpsk_init"),
                   (3, "eap_gpsk_init"),
                   (1, "eap_gpsk_process_id_server"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
                   (1, "eap_gpsk_derive_keys"),
                   (1, "eap_gpsk_derive_keys_helper"),
                   (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
                   (1, "eap_gpsk_getKey"),
                   (1, "eap_gpsk_get_emsk"),
                   (1, "eap_gpsk_get_session_id")]
    for count, func in alloc_cases:
        with alloc_fail(wpas, count, func):
            wpas.request("ERP_FLUSH")  # start each round without cached ERP keys
            wpas.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                         identity="gpsk user", erp="1",
                         password="abcdefghijklmnop0123456789abcdef",
                         wait_connect=False, scan_freq="2412")
            wait_fail_trigger(wpas, "GET_ALLOC_FAIL")
            wpas.request("REMOVE_NETWORK all")
            wpas.wait_disconnected()
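def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # hostapd's EAP server asks an HLR/AuC gateway for SIM triplets over a
    # UNIX datagram socket (eap_sim_db=unix:<path>). This test impersonates
    # that gateway and feeds the server, in turn: no socket at all, replies
    # the EAP-SIM DB parser must reject, and finally a genuine reply computed
    # by the real hlr_auc_gw binary.
    #
    # Fixes: the hlr_auc_gw child is now reaped (communicate()) instead of
    # leaving a zombie behind its open pipe, and the datagram server socket
    # is closed at the end of the test.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # Remove a stale socket left behind by an earlier run; absence is fine.
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    class test_handler(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # None of these replies may be accepted; the expected server-side
            # log line is given above each one.
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # NOTE(review): a server.timeout assignment here was not legible in the
    # copy reviewed; without one handle_request() blocks until a request
    # arrives.
    server.timeout = 1

    dev[0].select_network(id)
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    class test_handler2(SocketServer.DatagramRequestHandler):
        def handle(self):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # Let the real gateway answer the request against the test
            # Milenage DB. Argument list form: the request text is never
            # interpreted by a shell.
            # NOTE(review): the exact argument layout was reconstructed;
            # confirm against hlr_auc_gw's command-line usage.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                    '-m', fname, data],
                                   stdout=subprocess.PIPE)
            # communicate() reads stdout to EOF, closes the pipe and waits
            # for the child, so no zombie is left behind.
            res = cmd.communicate()[0].strip()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    server.RequestHandlerClass = test_handler2

    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    server.server_close()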
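def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # The hostapd configuration is built in a local of its own so that the
    # test framework's `params` fixture argument is no longer clobbered.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Both stations authenticate against the SHA-512 signed server chain;
    # dev[0] with a SHA-512 signed user certificate, dev[1] with a SHA-384
    # signed one.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")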
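def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Configuration kept in `hparams` so the `params` fixture argument is not
    # overwritten. The server certificate is the SHA-384 signed one, issued
    # by the same CA as in the SHA-512 test.
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    # dev[0]: SHA-512 signed user certificate; dev[1]: SHA-384 signed one.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")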
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    # The station's RSN IE in the (Re)Association Request is replaced with a
    # hand-built one (set_test_assoc_ie) to check how the AP parses it:
    # optional trailing fields may be omitted, while an unacceptable cipher
    # or MFP mismatch must be rejected with the listed IEEE 802.11 status
    # code.
    wpas = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    mfp_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    mfp_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], mfp_params)

    def connect_with_ie(ssid, ie, **extra):
        # Associate with the given RSN IE; the GPSK credentials are the same
        # for every case, only the IE and optional network keys vary.
        set_test_assoc_ie(wpas, ie)
        wpas.connect(ssid, key_mgmt="WPA-EAP", eap="GPSK",
                     identity="gpsk user",
                     password="abcdefghijklmnop0123456789abcdef",
                     scan_freq="2412", **extra)

    def expect_reject(status):
        # The AP must refuse association and report the expected status code.
        ev = wpas.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        if ev is None:
            raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)

    # Success cases with optional RSN IE fields removed one by one
    accepted = [("Normal wpa_supplicant assoc req RSN IE",
                 "30140100000fac040100000fac040100000fac010000"),
                ("Extra PMKIDCount field in RSN IE",
                 "30160100000fac040100000fac040100000fac0100000000"),
                ("Extra Group Management Cipher Suite in RSN IE",
                 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
                ("Extra undefined extension field in RSN IE",
                 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
                ("RSN IE without RSN Capabilities",
                 "30120100000fac040100000fac040100000fac01"),
                ("RSN IE without AKM", "300c0100000fac040100000fac04"),
                ("RSN IE without pairwise", "30060100000fac04"),
                ("RSN IE without group", "30020100")]
    for title, ie in accepted:
        logger.info(title)
        connect_with_ie("test-wpa2-eap", ie)
        wpas.request("REMOVE_NETWORK all")
        wpas.wait_disconnected()

    # Same against the MFP-required AP, with the station's MFP-capable bits
    # set in the RSN Capabilities field.
    accepted_mfp = [("Normal wpa_supplicant assoc req RSN IE",
                     "30140100000fac040100000fac040100000fac01cc00"),
                    ("Group management cipher included in assoc req RSN IE",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
    for title, ie in accepted_mfp:
        logger.info(title)
        connect_with_ie("test-wpa2-eap-11w", ie, ieee80211w="1")
        wpas.request("REMOVE_NETWORK all")
        wpas.wait_disconnected()

    rejected = [("Invalid group cipher", "30060100000fac02", 41),
                ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
    for title, ie, status in rejected:
        logger.info(title)
        connect_with_ie("test-wpa2-eap", ie, wait_connect=False)
        expect_reject(status)
        wpas.request("REMOVE_NETWORK all")
        wpas.dump_monitor()

    rejected_mfp = [("Management frame protection not enabled",
                     "30140100000fac040100000fac040100000fac010000", 31),
                    ("Unsupported management group cipher",
                     "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31)]
    for title, ie, status in rejected_mfp:
        logger.info(title)
        connect_with_ie("test-wpa2-eap-11w", ie, ieee80211w="1",
                        wait_connect=False)
        expect_reject(status)
        wpas.request("REMOVE_NETWORK all")
        wpas.dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) in
    # addition to the external check requested through phase1. The network
    # is only added here; run_ext_cert_check() drives the connection.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                            identity="tls user",
                            ca_cert="auth_serv/ca.pem",
                            client_cert="auth_serv/user.pem",
                            private_key="auth_serv/user.key",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check is the only verification of the
    # server certificate in this variant.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert set) plus
    # the external check; the network is added only and then handed to
    # run_ext_cert_check().
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                            identity="user", anonymous_identity="peap",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=MSCHAPV2",
                            phase1="tls_ext_cert_check=1", scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certification validation"""
    check_eap_capa(dev[0], "FAST")
    # With internal server certificate chain validation. The PAC blob is
    # emptied first so that EAP-FAST starts with authenticated provisioning
    # (fast_provisioning=2) and therefore presents a server certificate.
    dev[0].request("SET blob fast_pac_auth_ext ")
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                            identity="user", anonymous_identity="FAST",
                            ca_cert="auth_serv/ca.pem",
                            password="password", phase2="auth=GTC",
                            phase1="tls_ext_cert_check=1 fast_provisioning=2",
                            pac_file="blob://fast_pac_auth_ext",
                            scan_freq="2412",
                            only_add_network=True)
    run_ext_cert_check(dev, apdev, net_id)
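def run_ext_cert_check(dev, apdev, net_id):
    """Drive an already-added network through the external certificate check.

    The network `net_id` on dev[0] must carry phase1="tls_ext_cert_check=1".
    wpa_supplicant then reports each server certificate as a
    CTRL-EVENT-EAP-PEER-CERT event and suspends EAP on a
    CTRL-REQ-EXT_CERT_CHECK request until the control interface answers.
    First pass: answer "good" and require a connection. Second pass (after
    flushing PMKSA and the EAP-FAST PAC blob so a full EAP run is forced):
    answer "bad" and require EAP-Failure.

    The inspection done here (subject CN of leaf and issuer) is deliberately
    minimal; what is under test is that EAP does not complete before the
    verdict and honours it, not a certificate policy.

    Fixes: a server or issuer certificate without a commonName no longer
    turns into a TypeError on string concatenation, and the request id no
    longer shadows the builtin `id`.
    """
    check_ext_cert_check_support(dev[0])
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    certs = {}  # chain depth -> DER certificate (0 = server, 1 = issuer)
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            depth = None
            cert = None
            vals = ev.split(' ')
            for v in vals:
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # EAP must not finish while the external verdict is outstanding.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            req_id = ev.split(':')[0].split('-')[-1]
            break

    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=%s", cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=%s", icn)

    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: %s" % cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: %s" % icn)

    # Short wait: nothing must have completed EAP before our answer.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev is not None:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":good")
    dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Drop the cached PMKSA and the EAP-FAST PAC so the reconnect cannot
    # skip the TLS handshake and the certificate check with it.
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + req_id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()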