1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger (no name given); the test functions below use it for their
# logger.info(...) progress messages.
logger = logging.getLogger(name=None)
18 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test if the hlr_auc_gw socket is not available.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist, i.e. the
            hlr_auc_gw helper that the EAP-SIM/AKA tests depend on is not
            running.
    """
    hlr_sock = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(hlr_sock):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper; its reply to
            ``GET tls_library`` is inspected.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with
            "OpenSSL", since subject_match is only supported with OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    is_openssl = tls_library.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls_library)
def check_altsubject_match_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper; its reply to
            ``GET tls_library`` is inspected.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with
            "OpenSSL", since altsubject_match is only supported with OpenSSL.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls_library)
def check_domain_match_full(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper; its reply to
            ``GET tls_library`` is inspected.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with
            "OpenSSL"; other libraries require a full match for
            domain_suffix_match, so suffix-matching tests cannot run there.
    """
    tls_library = dev.request("GET tls_library")
    full_match_only = not tls_library.startswith("OpenSSL")
    if full_match_only:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls_library)
def check_cert_probe_support(dev):
    """Skip the current test unless dev's TLS library is OpenSSL.

    Args:
        dev: wpa_supplicant control-interface wrapper; its reply to
            ``GET tls_library`` is inspected.

    Raises:
        HwsimSkip: when the reported TLS library name does not start with
            "OpenSSL", since certificate probing is only supported there.
    """
    tls_library = dev.request("GET tls_library")
    if tls_library.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls_library)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
67 maybe_local_error=False, **kwargs):
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report,
76 maybe_local_error=maybe_local_error)
79 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
81 raise Exception("No connection event received from hostapd")
84 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
85 expect_failure=False, local_error_report=False,
86 maybe_local_error=False):
87 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
89 raise Exception("Association and EAP start timed out")
90 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
91 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
93 raise Exception("EAP method selection timed out")
94 if "CTRL-EVENT-EAP-FAILURE" in ev:
97 raise Exception("Could not select EAP method")
99 raise Exception("Unexpected EAP method")
101 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
103 raise Exception("EAP failure timed out")
104 ev = dev.wait_disconnected(timeout=10)
105 if maybe_local_error and "locally_generated=1" in ev:
107 if not local_error_report:
108 if "reason=23" not in ev:
109 raise Exception("Proper reason code for disconnection not reported")
111 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
113 raise Exception("EAP success timed out")
116 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
118 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
120 raise Exception("Association with the AP timed out")
121 status = dev.get_status()
122 if status["wpa_state"] != "COMPLETED":
123 raise Exception("Connection not completed")
125 if status["suppPortStatus"] != "Authorized":
126 raise Exception("Port not authorized")
127 if method not in status["selectedMethod"]:
128 raise Exception("Incorrect EAP method status")
130 e = "WPA2-EAP-SHA256"
132 e = "WPA2/IEEE 802.1X/EAP"
134 e = "WPA/IEEE 802.1X/EAP"
135 if status["key_mgmt"] != e:
136 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force an EAP re-authentication on dev and validate its outcome.

    Sends REAUTHENTICATE over the control interface, then runs
    eap_check_auth() with initial=False, forwarding rsn, sha256 and
    expect_failure unchanged.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn: passed through to eap_check_auth().
        sha256: passed through to eap_check_auth().
        expect_failure: passed through to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    verdict = eap_check_auth(dev, method, False, **check_opts)
    return verdict
144 def test_ap_wpa2_eap_sim(dev, apdev):
145 """WPA2-Enterprise connection using EAP-SIM"""
146 check_hlr_auc_gw_support()
147 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
149 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
150 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
151 hwsim_utils.test_connectivity(dev[0], hapd)
152 eap_reauth(dev[0], "SIM")
154 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
155 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
156 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
157 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
160 logger.info("Negative test with incorrect key")
161 dev[0].request("REMOVE_NETWORK all")
162 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
163 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
166 logger.info("Invalid GSM-Milenage key")
167 dev[0].request("REMOVE_NETWORK all")
168 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
169 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
172 logger.info("Invalid GSM-Milenage key(2)")
173 dev[0].request("REMOVE_NETWORK all")
174 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
175 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
178 logger.info("Invalid GSM-Milenage key(3)")
179 dev[0].request("REMOVE_NETWORK all")
180 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
181 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
184 logger.info("Invalid GSM-Milenage key(4)")
185 dev[0].request("REMOVE_NETWORK all")
186 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
187 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
190 logger.info("Missing key configuration")
191 dev[0].request("REMOVE_NETWORK all")
192 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
195 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
196 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
197 check_hlr_auc_gw_support()
201 raise HwsimSkip("No sqlite3 module available")
202 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
203 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
204 params['auth_server_port'] = "1814"
205 hostapd.add_ap(apdev[0]['ifname'], params)
206 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
207 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
209 logger.info("SIM fast re-authentication")
210 eap_reauth(dev[0], "SIM")
212 logger.info("SIM full auth with pseudonym")
215 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
216 eap_reauth(dev[0], "SIM")
218 logger.info("SIM full auth with permanent identity")
221 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
222 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
223 eap_reauth(dev[0], "SIM")
225 logger.info("SIM reauth with mismatching MK")
228 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
229 eap_reauth(dev[0], "SIM", expect_failure=True)
230 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
233 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
236 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
237 eap_reauth(dev[0], "SIM")
240 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with mismatching counter")
242 eap_reauth(dev[0], "SIM")
243 dev[0].request("REMOVE_NETWORK all")
245 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
246 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
250 logger.info("SIM reauth with max reauth count reached")
251 eap_reauth(dev[0], "SIM")
253 def test_ap_wpa2_eap_sim_config(dev, apdev):
254 """EAP-SIM configuration options"""
255 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
256 hostapd.add_ap(apdev[0]['ifname'], params)
257 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
258 identity="1232010000000000",
259 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1="sim_min_num_chal=1",
261 wait_connect=False, scan_freq="2412")
262 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
264 raise Exception("No EAP error message seen")
265 dev[0].request("REMOVE_NETWORK all")
267 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
268 identity="1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=4",
271 wait_connect=False, scan_freq="2412")
272 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
274 raise Exception("No EAP error message seen (2)")
275 dev[0].request("REMOVE_NETWORK all")
277 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
278 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
279 phase1="sim_min_num_chal=2")
280 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
281 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
282 anonymous_identity="345678")
284 def test_ap_wpa2_eap_sim_ext(dev, apdev):
285 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
287 _test_ap_wpa2_eap_sim_ext(dev, apdev)
289 dev[0].request("SET external_sim 0")
291 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
292 check_hlr_auc_gw_support()
293 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
294 hostapd.add_ap(apdev[0]['ifname'], params)
295 dev[0].request("SET external_sim 1")
296 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
297 identity="1232010000000000",
298 wait_connect=False, scan_freq="2412")
299 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
301 raise Exception("Network connected timed out")
303 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
305 raise Exception("Wait for external SIM processing request timed out")
307 if p[1] != "GSM-AUTH":
308 raise Exception("Unexpected CTRL-REQ-SIM type")
309 rid = p[0].split('-')[3]
312 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
313 # This will fail during processing, but the ctrl_iface command succeeds
314 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
317 raise Exception("EAP failure not reported")
318 dev[0].request("DISCONNECT")
319 dev[0].wait_disconnected()
322 dev[0].select_network(id, freq="2412")
323 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
325 raise Exception("Wait for external SIM processing request timed out")
327 if p[1] != "GSM-AUTH":
328 raise Exception("Unexpected CTRL-REQ-SIM type")
329 rid = p[0].split('-')[3]
330 # This will fail during GSM auth validation
331 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
332 raise Exception("CTRL-RSP-SIM failed")
333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
335 raise Exception("EAP failure not reported")
336 dev[0].request("DISCONNECT")
337 dev[0].wait_disconnected()
340 dev[0].select_network(id, freq="2412")
341 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
343 raise Exception("Wait for external SIM processing request timed out")
345 if p[1] != "GSM-AUTH":
346 raise Exception("Unexpected CTRL-REQ-SIM type")
347 rid = p[0].split('-')[3]
348 # This will fail during GSM auth validation
349 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
350 raise Exception("CTRL-RSP-SIM failed")
351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
353 raise Exception("EAP failure not reported")
354 dev[0].request("DISCONNECT")
355 dev[0].wait_disconnected()
358 dev[0].select_network(id, freq="2412")
359 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
361 raise Exception("Wait for external SIM processing request timed out")
363 if p[1] != "GSM-AUTH":
364 raise Exception("Unexpected CTRL-REQ-SIM type")
365 rid = p[0].split('-')[3]
366 # This will fail during GSM auth validation
367 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
368 raise Exception("CTRL-RSP-SIM failed")
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
371 raise Exception("EAP failure not reported")
372 dev[0].request("DISCONNECT")
373 dev[0].wait_disconnected()
376 dev[0].select_network(id, freq="2412")
377 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
379 raise Exception("Wait for external SIM processing request timed out")
381 if p[1] != "GSM-AUTH":
382 raise Exception("Unexpected CTRL-REQ-SIM type")
383 rid = p[0].split('-')[3]
384 # This will fail during GSM auth validation
385 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
386 raise Exception("CTRL-RSP-SIM failed")
387 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
389 raise Exception("EAP failure not reported")
390 dev[0].request("DISCONNECT")
391 dev[0].wait_disconnected()
394 dev[0].select_network(id, freq="2412")
395 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
397 raise Exception("Wait for external SIM processing request timed out")
399 if p[1] != "GSM-AUTH":
400 raise Exception("Unexpected CTRL-REQ-SIM type")
401 rid = p[0].split('-')[3]
402 # This will fail during GSM auth validation
403 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
404 raise Exception("CTRL-RSP-SIM failed")
405 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
407 raise Exception("EAP failure not reported")
408 dev[0].request("DISCONNECT")
409 dev[0].wait_disconnected()
412 dev[0].select_network(id, freq="2412")
413 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
415 raise Exception("Wait for external SIM processing request timed out")
417 if p[1] != "GSM-AUTH":
418 raise Exception("Unexpected CTRL-REQ-SIM type")
419 rid = p[0].split('-')[3]
420 # This will fail during GSM auth validation
421 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
422 raise Exception("CTRL-RSP-SIM failed")
423 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
425 raise Exception("EAP failure not reported")
427 def test_ap_wpa2_eap_sim_oom(dev, apdev):
428 """EAP-SIM and OOM"""
429 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
430 hostapd.add_ap(apdev[0]['ifname'], params)
431 tests = [ (1, "milenage_f2345"),
432 (2, "milenage_f2345"),
433 (3, "milenage_f2345"),
434 (4, "milenage_f2345"),
435 (5, "milenage_f2345"),
436 (6, "milenage_f2345"),
437 (7, "milenage_f2345"),
438 (8, "milenage_f2345"),
439 (9, "milenage_f2345"),
440 (10, "milenage_f2345"),
441 (11, "milenage_f2345"),
442 (12, "milenage_f2345") ]
443 for count, func in tests:
444 with alloc_fail(dev[0], count, func):
445 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
446 identity="1232010000000000",
447 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
448 wait_connect=False, scan_freq="2412")
449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
451 raise Exception("EAP method not selected")
452 dev[0].wait_disconnected()
453 dev[0].request("REMOVE_NETWORK all")
455 def test_ap_wpa2_eap_aka(dev, apdev):
456 """WPA2-Enterprise connection using EAP-AKA"""
457 check_hlr_auc_gw_support()
458 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
459 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
460 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
461 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
462 hwsim_utils.test_connectivity(dev[0], hapd)
463 eap_reauth(dev[0], "AKA")
465 logger.info("Negative test with incorrect key")
466 dev[0].request("REMOVE_NETWORK all")
467 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
468 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
471 logger.info("Invalid Milenage key")
472 dev[0].request("REMOVE_NETWORK all")
473 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
474 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
477 logger.info("Invalid Milenage key(2)")
478 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
479 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
482 logger.info("Invalid Milenage key(3)")
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
487 logger.info("Invalid Milenage key(4)")
488 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
489 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
492 logger.info("Invalid Milenage key(5)")
493 dev[0].request("REMOVE_NETWORK all")
494 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
495 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
498 logger.info("Invalid Milenage key(6)")
499 dev[0].request("REMOVE_NETWORK all")
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
504 logger.info("Missing key configuration")
505 dev[0].request("REMOVE_NETWORK all")
506 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
509 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
510 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
511 check_hlr_auc_gw_support()
515 raise HwsimSkip("No sqlite3 module available")
516 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
517 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
518 params['auth_server_port'] = "1814"
519 hostapd.add_ap(apdev[0]['ifname'], params)
520 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
521 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
523 logger.info("AKA fast re-authentication")
524 eap_reauth(dev[0], "AKA")
526 logger.info("AKA full auth with pseudonym")
529 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
530 eap_reauth(dev[0], "AKA")
532 logger.info("AKA full auth with permanent identity")
535 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
536 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
537 eap_reauth(dev[0], "AKA")
539 logger.info("AKA reauth with mismatching MK")
542 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
543 eap_reauth(dev[0], "AKA", expect_failure=True)
544 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
547 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
550 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
551 eap_reauth(dev[0], "AKA")
554 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with mismatching counter")
556 eap_reauth(dev[0], "AKA")
557 dev[0].request("REMOVE_NETWORK all")
559 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
560 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
564 logger.info("AKA reauth with max reauth count reached")
565 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # NOTE(review): unlike the other AKA tests in this file, this one does not
    # call check_hlr_auc_gw_support() first; confirm whether a missing
    # hlr_auc_gw should skip rather than fail here.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same Milenage credentials as the other AKA tests, plus an
    # anonymous_identity to exercise that configuration option.
    aka_identity = "0232010000000000"
    aka_password = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", aka_identity,
                password=aka_password,
                anonymous_identity="2345678")
575 def test_ap_wpa2_eap_aka_ext(dev, apdev):
576 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
578 _test_ap_wpa2_eap_aka_ext(dev, apdev)
580 dev[0].request("SET external_sim 0")
582 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
583 check_hlr_auc_gw_support()
584 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
585 hostapd.add_ap(apdev[0]['ifname'], params)
586 dev[0].request("SET external_sim 1")
587 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
588 identity="0232010000000000",
589 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
590 wait_connect=False, scan_freq="2412")
591 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
593 raise Exception("Network connected timed out")
595 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p[1] != "UMTS-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid = p[0].split('-')[3]
604 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
605 # This will fail during processing, but the ctrl_iface command succeeds
606 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
607 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
609 raise Exception("EAP failure not reported")
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
614 dev[0].select_network(id, freq="2412")
615 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
617 raise Exception("Wait for external SIM processing request timed out")
619 if p[1] != "UMTS-AUTH":
620 raise Exception("Unexpected CTRL-REQ-SIM type")
621 rid = p[0].split('-')[3]
622 # This will fail during UMTS auth validation
623 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
624 raise Exception("CTRL-RSP-SIM failed")
625 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
627 raise Exception("Wait for external SIM processing request timed out")
629 if p[1] != "UMTS-AUTH":
630 raise Exception("Unexpected CTRL-REQ-SIM type")
631 rid = p[0].split('-')[3]
632 # This will fail during UMTS auth validation
633 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
634 raise Exception("CTRL-RSP-SIM failed")
635 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
637 raise Exception("EAP failure not reported")
638 dev[0].request("DISCONNECT")
639 dev[0].wait_disconnected()
642 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
644 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
645 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
646 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
647 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
648 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
650 dev[0].select_network(id, freq="2412")
651 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
653 raise Exception("Wait for external SIM processing request timed out")
655 if p[1] != "UMTS-AUTH":
656 raise Exception("Unexpected CTRL-REQ-SIM type")
657 rid = p[0].split('-')[3]
658 # This will fail during UMTS auth validation
659 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
660 raise Exception("CTRL-RSP-SIM failed")
661 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
663 raise Exception("EAP failure not reported")
664 dev[0].request("DISCONNECT")
665 dev[0].wait_disconnected()
668 def test_ap_wpa2_eap_aka_prime(dev, apdev):
669 """WPA2-Enterprise connection using EAP-AKA'"""
670 check_hlr_auc_gw_support()
671 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
672 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
673 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
674 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
675 hwsim_utils.test_connectivity(dev[0], hapd)
676 eap_reauth(dev[0], "AKA'")
678 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
679 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
680 identity="6555444333222111@both",
681 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 wait_connect=False, scan_freq="2412")
683 dev[1].wait_connected(timeout=15)
685 logger.info("Negative test with incorrect key")
686 dev[0].request("REMOVE_NETWORK all")
687 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
688 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
691 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
692 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
693 check_hlr_auc_gw_support()
697 raise HwsimSkip("No sqlite3 module available")
698 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
699 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
700 params['auth_server_port'] = "1814"
701 hostapd.add_ap(apdev[0]['ifname'], params)
702 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
703 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
705 logger.info("AKA' fast re-authentication")
706 eap_reauth(dev[0], "AKA'")
708 logger.info("AKA' full auth with pseudonym")
711 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
712 eap_reauth(dev[0], "AKA'")
714 logger.info("AKA' full auth with permanent identity")
717 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
718 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
719 eap_reauth(dev[0], "AKA'")
721 logger.info("AKA' reauth with mismatching k_aut")
724 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
725 eap_reauth(dev[0], "AKA'", expect_failure=True)
726 dev[0].request("REMOVE_NETWORK all")
728 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
729 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
732 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
733 eap_reauth(dev[0], "AKA'")
736 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with mismatching counter")
738 eap_reauth(dev[0], "AKA'")
739 dev[0].request("REMOVE_NETWORK all")
741 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
742 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
745 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
746 logger.info("AKA' reauth with max reauth count reached")
747 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP configuration before connecting: the first
    # key_mgmt entry reported by GET_CONFIG must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X AKM suite selector; both the requested and
    # the selected suite in the station MIB must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both matching options are OpenSSL-only; skip early on other TLS builds.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Server certificate constraints the supplicant is configured with: the
    # exact subject DN and the altSubjectName entries to check against.
    server_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    server_altsubject = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=server_subject,
                altsubject_match=server_altsubject)
    eap_reauth(dev[0], "TTLS")
777 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
778 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
780 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
781 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
782 anonymous_identity="ttls", password="wrong",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
785 eap_connect(dev[1], apdev[0], "TTLS", "user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # Skipped on FIPS builds; presumably because CHAP's MD5-based digest is
    # unavailable there — confirm against skip_with_fips() in utils.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The CA certificate is given in DER form here (the PAP tests use the
    # PEM file), so both encodings get exercised.
    chap_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **chap_opts)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
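def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # Docstring previously duplicated test_ap_wpa2_eap_ttls_chap's; it now
    # names the altsubject_match variant so the two tests are distinguishable.
    skip_with_fips(dev[0])
    # altsubject_match is OpenSSL-only; skip early on other TLS builds.
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same altSubjectName entries as the PAP variant, listed in a different
    # order, so matching must not depend on entry order.
    server_altsubject = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=server_altsubject)
    eap_reauth(dev[0], "TTLS")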
813 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
814 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
815 skip_with_fips(dev[0])
816 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
817 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
818 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
819 anonymous_identity="ttls", password="wrong",
820 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
822 eap_connect(dev[1], apdev[0], "TTLS", "user",
823 anonymous_identity="ttls", password="password",
824 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
827 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
828 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
829 skip_with_fips(dev[0])
830 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
831 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
832 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
833 anonymous_identity="ttls", password="password",
834 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
835 domain_suffix_match="server.w1.fi")
836 hwsim_utils.test_connectivity(dev[0], hapd)
837 eap_reauth(dev[0], "TTLS")
838 dev[0].request("REMOVE_NETWORK all")
839 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): each of the three eap_connect() calls below is missing
    # its closing argument line in this listing (sibling tests close with
    # expect_failure=True) - confirm against the real file.
    # Wrong password for a known user.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # Correct password, but a user name the MSCHAP backend is not expected
    # to accept.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # Unknown user: must be rejected the same way as a bad password so that
    # the response does not leak which user names exist.
    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
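def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" is an explicit backslash; the former "\m" only worked because
    # Python keeps unknown escapes verbatim (a SyntaxWarning on newer
    # interpreters). The runtime identity string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP-side 802.1X/EAPOL counters for this STA, force a
    # reauthentication and check that the counters actually moved.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # An EAPOL-Start received while already authenticated is what the
    # reauthentication is expected to look like from the AP side.
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, credential supplied as a pre-computed NT password hash
    # ("hash:" prefix) rather than the clear-text password.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")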
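def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # "w1.fi" is only a suffix of the server name, so this needs a TLS
    # library that implements real suffix matching (others are skipped).
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" is an explicit backslash (the former "\m" relied on Python
    # keeping an unknown escape verbatim); the identity string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")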
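def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the full server name; the mixed-case value is
    # presumably there to exercise case-insensitive comparison. "\\m" is an
    # explicit backslash (the former "\m" relied on Python keeping an
    # unknown escape verbatim); the identity string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")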
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): both eap_connect() calls below are missing their closing
    # argument line in this listing (siblings end with expect_failure=True).
    # "\m" is an unknown escape kept verbatim by Python; "\\m" would be the
    # explicit spelling of the same identity.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Correct password for a user name the MSCHAPv2 backend is not expected
    # to accept.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # Inner MSCHAPv2 inside the TTLS tunnel; the outer identity is the
    # generic "ttls", so the real user name only travels inside TLS.
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="auth=MSCHAPV2")
    # One user with a clear-text non-ASCII password ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **inner)
    # ... and one whose credential is given in the pre-hashed ("hash:")
    # form; the hash value is the test fixture's.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **inner)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP method (here GTC) as the tunnelled phase 2,
    # as opposed to the non-EAP "auth=" PAP/CHAP/MSCHAP variants.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong GTC password inside the tunnel; the authentication must fail.
    # NOTE(review): the closing argument line of this call is missing from
    # the listing (siblings end with expect_failure=True).
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # The client offers a password, but (going by the name) the server has
    # none configured for this user, so the attempt must be rejected.
    # NOTE(review): the closing argument line of this call is missing from
    # the listing (siblings end with expect_failure=True).
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Uses the integrated EAP server so that allocation failures can be
    # injected into hostapd's own EAP method code.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): several lines of this function are missing from the
    # listing (the closing argument line of the first call, the polling
    # loop around the GET_ALLOC_FAIL check and the branch bodies) - confirm
    # against the real file before relying on the structure shown here.
    # Failure injected at method init: the connection must fail cleanly.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
    dev[0].request("REMOVE_NETWORK all")

    # Failure injected when the server builds its GTC request.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # GET_ALLOC_FAIL reporting a count of 0 means the injected failure
        # has been consumed.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 derives no keys and gives no server authentication on its
    # own; it is only usable here because it runs inside the TTLS tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A bad MD5 password inside the tunnel must end in EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The client sends a password for a user the server (by name) has no
    # password for; the attempt must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    # Integrated EAP server, so allocation failures can be injected into
    # hostapd's EAP-MD5 server code.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Failure at method init: the connection must fail cleanly.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): the polling loop around the GET_ALLOC_FAIL check and the
    # branch bodies are missing from this listing - confirm against the real
    # file before relying on the structure shown here.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # GET_ALLOC_FAIL reporting 0 means the injected failure was consumed.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MSCHAPv2 (not plain MSCHAPv2) as the tunnelled method.
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # User that (by name) has no password on the server side; the supplied
    # password must not be accepted.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server, so allocation failures can be injected into the
    # EAP-MSCHAPv2 server code at several points of the exchange.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): in each of the three blocks below the polling loop
    # around the GET_ALLOC_FAIL check and the branch bodies are missing from
    # this listing - confirm against the real file.
    # Failure while building the MSCHAPv2 challenge.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    # Failure while building the success request (correct password).
    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")

    # Failure while building the failure request; needs a wrong password to
    # reach that code path at all.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        if hapd.request("GET_ALLOC_FAIL").startswith('0'):
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside TTLS. The "password" is the software USIM triple
    # (Ki:OPc:SQN, per wpa_supplicant's format for simulated cards) and the
    # identity is the IMSI-style permanent identity.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credentials as the TTLS variant, tunnelled in
    # PEAP instead (note "auth=" rather than "autheap=" for PEAP phase 2).
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-FAST with authenticated PAC provisioning (fast_provisioning=2,
    # i.e. server certificate validated via ca_cert) and the PAC kept in a
    # configuration blob rather than a file.
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer identity "peap" hides the real user name; only the CA is pinned
    # here (no domain matching), which the dedicated *_match tests cover.
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # A small fragment_size forces EAP-level fragmentation of the TLS
    # handshake.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same credential as a pre-computed NT password hash ("hash:" prefix).
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **base)
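def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\u" is an explicit backslash. The former "DOMAIN\user3" only meant a
    # literal backslash in Python 2 byte strings; in a Python 3 str (or with
    # unicode_literals) "\u" starts a \uXXXX escape and "\user" is a
    # SyntaxError. The runtime identity string is unchanged.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")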
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Bad inner password: the PEAP tunnel is established, the tunnelled
    # MSCHAPv2 exchange must then fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # crypto_binding: 2 = required, 1 = optional (used if the server offers
    # it), 0 = not used. Binding ties the inner-method keys to the outer TLS
    # tunnel, which is what defeats tunnel/inner-method splicing.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    for sta, binding in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % binding, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure can be injected into
    # the inner method's key export, which the crypto binding depends on.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        # With binding required (=2) and no inner keys, the client must
        # fail locally rather than complete the authentication.
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 selects the alternative key-derivation label; presumably
    # the test server does not use it, hence the expected failure.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # peap_outer_success variants (how the outer EAP-Success is handled).
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # NOTE(review): one argument line of this call (between the eap= and
    # anonymous_identity= lines, presumably identity=) and the "if ev is
    # None"/"if ev is not None" guards before the two raises below are
    # missing from this listing - confirm against the real file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    # EAP must succeed, but the 4-way handshake is expected not to complete
    # (key derivation differs), so no connection may follow.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
        raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-TLS as the inner method: the *2 parameters are the phase 2
    # (tunnelled) TLS credentials, separate from the outer ca_cert.
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based mutual authentication: client cert/key plus the CA
    # used to validate the server. Files are test fixtures.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
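def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load the CA certificate, client certificate and private key into
    # wpa_supplicant configuration blobs (DER, hex-encoded over the control
    # interface) and reference them as blob:// URIs instead of file paths.
    # NOTE(review): str.encode("hex") is Python 2 only; binascii.hexlify()
    # is the portable spelling if this file is ever moved to Python 3.
    blobs = (("cacert", read_pem("auth_serv/ca.pem")),
             ("usercert", read_pem("auth_serv/user.pem")),
             ("userkey", read_pem("auth_serv/user.rsa-key")))
    for name, data in blobs:
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Report the blob that actually failed (the key blob failure
            # used to be reported as "cacert").
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")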
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Client cert and key come from one PKCS#12 container, with the
    # container passphrase given in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Same container without a stored passphrase: wpa_supplicant must ask
    # for it over the control interface (CTRL-REQ-PASSPHRASE) and accept the
    # CTRL-RSP-PASSPHRASE-<id> reply, so the secret need not live in the
    # configuration.
    # NOTE(review): the "if ev is None" guard before the raise below is
    # missing from this listing - confirm against the real file.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
        raise Exception("Request for private key passphrase timed out")
    # The request carries the network id; echo it back in the response.
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # A second PKCS#12 fixture with the same passphrase.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user2.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CA certificate as a configuration blob (hex over the control
    # interface; str.encode("hex") is the Python 2 spelling).
    ca_der = read_pem("auth_serv/ca.pem")
    res = dev[0].request("SET blob cacert " + ca_der.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set cacert blob")
    # The PKCS#12 container is binary already, so it is read raw.
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
        res = dev[0].request("SET blob pkcs12 " + p12.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A CA that did not issue the server certificate, once as a blob and
    # once as a file: server validation must fail either way, and the
    # client must never send the inner credential.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # "\m" is an unknown escape kept verbatim by Python; "\\m" would be the
    # explicit spelling of the same identity.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the loop variable shadows the dev parameter (harmless
    # here since dev is not used afterwards, but easy to trip over). The
    # "if ev is None" guards before each timeout raise are missing from
    # this listing - confirm against the real file.
    for dev in (dev[0], dev[1]):
        ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
            raise Exception("Association and EAP start timed out")

        ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # Expected sequence: certificate error, then EAP failure, then
        # disconnection, then the network block being temporarily disabled.
        ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
            raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # First a working profile trusting the right CA ...
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # ... then a second profile for the same SSID that trusts a CA which
    # did not issue the server certificate (added, not selected yet).
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    # Switching profiles must restart EAP (method 21 = EAP-TTLS) rather than
    # reuse the cached TLS session/PMKSA from the first, trusted profile.
    # NOTE(review): the "if ev is None" guard before the raise below is
    # missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23 = IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Variant of diff_ca_trust: the first profile deliberately sets no
    # ca_cert at all (server certificate not validated) - a test
    # precondition, not a configuration to copy.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Second profile trusts a CA that did not issue the server certificate.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(id, freq="2412")

    # EAP (method 21 = EAP-TTLS) must be re-run for the new profile instead
    # of reusing the earlier session.
    # NOTE(review): the "if ev is None" guard before the raise below is
    # missing from this listing.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23 = IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Same network block, but its trust root is swapped to a CA that did
    # not issue the server certificate before reconnecting: the cached
    # session from the trusted configuration must not carry over.
    dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(id, freq="2412")

    # NOTE(review): the "if ev is None" guard before the raise below is
    # missing from this listing. Method 21 = EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
        raise Exception("EAP-TTLS not re-started")

    # Reason code 23 = IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but a domain_suffix_match the server name does not end
    # with: the certificate must be rejected even though the chain is valid.
    # "\m" is an unknown escape kept verbatim by Python.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards before each timeout raise
    # are missing from this listing - confirm against the real file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error event must name the suffix mismatch explicitly.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the failure the network block is temporarily disabled, so the
    # client does not keep retrying against a server it could not verify.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match needs the full server name; "w1.fi" is only a suffix of
    # it, so the (otherwise valid) certificate must be rejected.
    # "\m" is an unknown escape kept verbatim by Python.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards before each timeout raise
    # are missing from this listing - confirm against the real file.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error event must name the domain mismatch explicitly.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # After the failure the network block is temporarily disabled, so the
    # client does not keep retrying against a server it could not verify.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        raise Exception("Network block disabling not reported")
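def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # subject_match names a CN the server certificate does not carry.  With
    # OpenSSL the mismatch must surface as a TLS certificate error followed by
    # EAP failure, disconnection and temporary disabling of the network block.
    # Other TLS libraries may not support subject_match at all; then the EAP
    # method fails to initialize, which is also a safe (non-connecting) result
    # and ends the test early.  All wait_event() results are checked for None
    # before use; as listed, the timeout exceptions were raised unconditionally
    # and the unsupported-library branch fell through into the "Unexpected EAP
    # method" check instead of returning.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is the literal backslash of DOMAIN\mschapv2 (bare "\m" was an
    # invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")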
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    # Driver: runs _test_ap_wpa2_eap_tls_neg_altsubject_match() once per
    # altsubject_match value that must NOT be accepted for the server
    # certificate (a plain name and a DNS: constrained form are visible below).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): the remaining entries of this list and the loop header
    # that binds `match` are not visible here - TODO confirm against the
    # source file before relying on the exact set of negative patterns.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
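def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already-started AP.

    match: altsubject_match value expected NOT to match the server
    certificate.  The expected defensive sequence is a TLS certificate error
    reporting "AltSubject mismatch", EAP failure, disconnection and temporary
    disabling of the network block; the network is removed at the end so the
    caller can run the next pattern.  If the TLS library does not support
    altsubject_match the EAP method fails to initialize, which is also a safe
    (non-connecting) outcome and ends the case early.
    All wait_event() results are checked for None before use; as listed, the
    timeout exceptions were raised unconditionally and the unsupported-library
    branch fell through into the "Unexpected EAP method" check.
    """
    # "\\m" is the literal backslash of DOMAIN\mschapv2 (bare "\m" was an
    # invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    # Clean up so the caller can start the next pattern from a fresh state.
    dev[0].request("REMOVE_NETWORK all")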
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # Server-authenticated TLS only: the station is given ca_cert and no
    # client credential.  Both the initial connection and a reauthentication
    # must succeed.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls", ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
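def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # Certificate pinning instead of a CA trust anchor, in three steps:
    #  1. ca_cert="probe://" establishes no trust; it only reports the server
    #     certificate hash (CTRL-EVENT-EAP-PEER-CERT) and must then abort with
    #     a TLS certificate error, i.e. the probe never connects.
    #  2. Pinning a different sha256 value must be rejected with
    #     "Server certificate mismatch" and end in disconnection.
    #  3. Pinning the hash observed in step 1 connects normally.
    # All wait_event() results are checked for None before use; as listed,
    # the timeout exceptions were raised unconditionally.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe only.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: a non-matching pin must be refused.
    # "\\m" is the literal backslash of DOMAIN\mschapv2 (bare "\m" was an
    # invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: the correct pin authenticates the server.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")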
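def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Three malformed hash:// pins - an unsupported digest name (md5), a
    # sha256 value one hex digit short, and a value with a non-hex character.
    # Each must make EAP-TTLS refuse to initialize (method 21) so that no TLS
    # handshake is ever attempted with an unverifiable trust anchor.
    # The wait_event() results are checked for None before use; as listed,
    # the timeout exceptions were raised unconditionally.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" is the literal backslash of DOMAIN\mschapv2 (bare "\m" was an
    # invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")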
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # Positive connection plus reauthentication, a very long NAI identity on
    # a second station, and a wrong-password case on a third station.  The
    # wrong-password case passes local_error_report=True - presumably the
    # failure is detected on the station side; see eap_connect for the exact
    # semantics.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): the final keyword argument(s) of this call are not
    # visible here - TODO confirm against the source file.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # NOTE(review): the final keyword argument(s) of this call are not
    # visible here either - TODO confirm against the source file.
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # The same user authenticates with the clear-text password and with the
    # equivalent NT hash (password_hex="hash:..."); the hash must not be
    # accepted for a different user, and that failure is reported locally.
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # Re-add the AP once per pwd_group value and connect each time; the
    # network block is cleared before every attempt so that each connection
    # exercises the newly configured group.
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    for group in (19, 20, 21, 25, 26):
        base_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], base_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
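def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # pwd_group=0 is not a valid group; the exchange must end in an EAP
    # failure rather than a connection.  The wait_event() result is checked
    # for None; as listed, the timeout exception was raised unconditionally.
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")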
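def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # fragment_size=40 forces the authentication server to fragment its
    # EAP-pwd messages; the station must still complete the exchange.
    # The dead hostapd.wpa2_eap_params() assignment that was immediately
    # overwritten has been dropped.
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")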
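def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # Positive connection and reauthentication, then forced cipher-suite
    # selection via phase1 (cipher=1, cipher=2: each change is followed by a
    # fresh EAP exchange that must succeed), an unsupported cipher value (9)
    # that must fail negotiation cleanly, and finally a wrong PSK.
    # All wait_event() results are checked for None before use; as listed,
    # the timeout exceptions were raised unconditionally.  The network id is
    # held in net_id so the builtin id() is not shadowed.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)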
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    # Connect and reauthenticate with the correct 32-byte key, then verify
    # that a key differing in its first byte is rejected.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sake_user = "sake user"
    eap_connect(dev[0], apdev[0], "SAKE", sake_user,
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    wrong_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", sake_user, password_hex=wrong_key,
                expect_failure=True)
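def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # Positive connection and reauthentication, forced algorithm selection
    # through phase1 (DH group / encryption / PRF / MAC; each change is
    # followed by a fresh EAP exchange that must succeed), an all-unsupported
    # phase1 that must fail negotiation cleanly, and finally a wrong password.
    # All wait_event() results are checked for None before use; as listed,
    # the timeout exceptions were raised unconditionally.  The network id is
    # held in net_id so the builtin id() is not shadowed.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)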
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The server identity is an NAI-form string; the station must still
    # complete EAP-EKE against it.
    server_params = int_eap_server_params()
    server_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Injects allocation failures into the server-side (hostapd) EAP-EKE
    # implementation through alloc_fail and checks that each one results in a
    # failed authentication rather than a completed handshake or a crash.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # (count, func): fail the count-th allocation made inside func.  These
    # failures still produce an EAP result, so eap_connect can expect it.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures that abort the exchange before any EAP result is produced:
    # connect without waiting and poll GET_ALLOC_FAIL instead.  The "wrong"
    # password is used so that eap_eke_build_failure is actually reached.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop around this check and its body
            # are not visible here - TODO confirm against the source file.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")

    # Sweep allocation failures through the server EAP state machine until
    # the injection stops triggering.
    # NOTE(review): `pw` here is the leftover loop variable from the loop
    # above (its last tuple's "hello"); an explicit password would be clearer.
    for count in range(1, 1000):
        # NOTE(review): the try: line, the polling loop and the loop-control
        # statements of this block are not visible here - TODO confirm
        # against the source file.
        with alloc_fail(hapd, count, "eap_server_sm_step"):
            dev[0].connect("test-wpa2-eap",
                           key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
            dev[0].request("REMOVE_NETWORK all")
        except Exception, e:
            # The helper raises this exact message once count exceeds the
            # number of allocations the state machine performs.
            if str(e) == "Allocation failure did not trigger":
                raise Exception("Too few allocation failures")
            logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    # Connect and reauthenticate, repeat with station-side fragmentation
    # (fragment_size=50), then verify that a wrong password is rejected.
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "ikev2 user"
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password")
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
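def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # fragment_size=50 forces the authentication server to fragment its
    # EAP-IKEv2 messages; connection and reauthentication must still succeed.
    # The dead hostapd.wpa2_eap_params() assignment that was immediately
    # overwritten has been dropped.
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")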
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # Station-side fault injection: allocation failures (alloc_fail) in the
    # DH code and a forced os_get_random() failure (fail_test) inside dh_init.
    # Each run only waits for the EAP method to be selected and for the
    # injected failure to have been consumed; it must not hang or crash.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): one entry of this list is not visible here - TODO
    # confirm against the source file.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the `if ev is None:` guard and the polling loop
            # around the GET_ALLOC_FAIL check are not visible here.
                raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): same here - the guard and the polling loop around
            # the GET_FAIL check are not visible.
                raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    # Connect and reauthenticate with the correct 16-byte key, then verify
    # that a key differing in its first byte is rejected.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    pax_user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", pax_user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    wrong_key = "ff23456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", pax_user, password_hex=wrong_key,
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # The AP requires the WPA-EAP-SHA256 AKM and management frame protection
    # (ieee80211w=2).  The station must request and select the SHA256 AKM
    # suite (00-0f-ac-5), the BSS table entry must advertise it, and a wrong
    # key must be rejected.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    psk_user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", psk_user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    sha256_akm = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", sha256_akm)])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", psk_user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Station-side allocation-failure injection into the AES-EAX / OMAC1
    # primitives used by EAP-PSK.  The "a;b" form fails the allocation in a
    # when called from b, "=f" fails the one in f itself (see alloc_fail).
    # Each run only waits for method selection and for the injected failure
    # to be consumed; the final case must produce an explicit EAP failure.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "=aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the `if ev is None:` guard and the polling loop
            # around the GET_ALLOC_FAIL check are not visible here - TODO
            # confirm against the source file.
                raise Exception("EAP method not selected")
            if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # A failed block encryption must be reported as an EAP failure, not
    # swallowed.
    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the `if ev is None:` guard is not visible here.
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (not WPA2) variant: the AKM suite reported through the MIB is the
    # WPA OUI form 00-50-f2-1 and eap_check_auth/eap_reauth run with rsn=False.
    # STATUS-VERBOSE must expose portControl=Auto and an EAP session id whose
    # first octet is 0x19 (the PEAP method type).
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing argument(s) of this connect() call are not
    # visible here - TODO confirm against the source file.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # Credentials are deliberately left out of the network block and supplied
    # over the control interface when wpa_supplicant asks for them
    # (CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD / CTRL-REQ-OTP), answered with the
    # matching CTRL-RSP-<type>-<id> command.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request or None, password to supply on request)
    # NOTE(review): the tail of the first tuple is not visible here - TODO
    # confirm against the source file.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): the statement preceding connect() in this loop body
        # is not visible here.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        # NOTE(review): the condition that guards the identity request block
        # (presumably on req_id) and the `if ev is None:` guards are not
        # visible here - TODO confirm against the source file.
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
                raise Exception("Request for identity timed out")
            # Request id is the trailing field of "CTRL-REQ-IDENTITY-<id>:...".
            id = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC prompts arrive as CTRL-REQ-OTP and must be answered as OTP.
        # NOTE(review): `type` and `id` shadow builtins here.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # Exercises the vendor-specific (expanded type) EAP test method: connect,
    # reauthenticate, then a second station with extra options.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the remaining argument(s) of this call are not visible
    # here - TODO confirm against the source file.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    # fast_provisioning=1 allows the PAC to be provisioned over an anonymous
    # (unauthenticated) TLS tunnel; the PAC is stored in the fast_pac blob.
    # A following reauthentication must then resume via the PAC ticket
    # (tls_session_reused == '1') instead of running a full handshake.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth_res = eap_reauth(dev[0], "FAST")
    session_reused = reauth_res['tls_session_reused'] == '1'
    if not session_reused:
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    # PACs are provisioned into real files under the log directory (text and
    # binary formats) and then used for a second connection without
    # provisioning.  The text PAC file must carry the version-1 header and a
    # PAC-Key.  Note that `params` is rebound from the test-framework
    # parameters to the AP configuration after the file names are derived.
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): a few statements between add_ap() and this call are not
    # visible here - TODO confirm against the source file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the read into `data` is not visible here.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the pac_file argument of this call is not visible here.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",

    # Binary PAC format on a second station, provisioned then reused.
    # NOTE(review): the pac_file arguments of the next two calls and the
    # cleanup that precedes os.remove(pac_file2) are not visible here.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    # Unauthenticated provisioning into a binary-format PAC blob with the PAC
    # list capped at one entry; the reauthentication must still resume the
    # TLS session from that PAC (tls_session_reused == '1').
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
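def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # Neither attempt enables fast_provisioning, so no PAC can be obtained:
    # first with a pac_file blob that (by its name) holds no usable PAC, then
    # with no pac_file at all.  Both must end in an EAP failure rather than a
    # connection.  The wait_event() results are checked for None before use;
    # as listed, the timeout exceptions were raised unconditionally.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")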
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2: only authenticated provisioning is allowed, so the
    # PAC is obtained inside a server-authenticated TLS tunnel (GTC inner
    # method) and kept in the "fast_pac_auth" blob.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Reauthentication has to resume via the provisioned PAC; a fresh
    # handshake indicates the PAC was not usable.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2373 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2374 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2375 check_eap_capa(dev[0], "FAST")
2376 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2377 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2378 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2379 anonymous_identity="FAST", password="password",
2380 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2381 phase1="fast_provisioning=2",
2382 pac_file="blob://fast_pac_auth")
2383 dev[0].set_network_quoted(id, "identity", "user2")
2384 dev[0].wait_disconnected()
2385 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2387 raise Exception("EAP-FAST not started")
2388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2390 raise Exception("EAP failure not reported")
2391 dev[0].wait_disconnected()
2393 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2394 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2395 check_eap_capa(dev[0], "FAST")
2396 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2397 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2398 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2399 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2400 identity="user", anonymous_identity="FAST",
2401 password="password", ca_cert="auth_serv/ca.pem",
2403 phase1="fast_provisioning=2",
2404 pac_file="blob://fast_pac_auth",
2405 wait_connect=False, scan_freq="2412")
2406 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2408 raise Exception("EAP failure not reported")
2409 dev[0].request("DISCONNECT")
2411 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2412 """EAP-FAST/MSCHAPv2 and server OOM"""
2413 check_eap_capa(dev[0], "FAST")
2415 params = int_eap_server_params()
2416 params['dh_file'] = 'auth_serv/dh.conf'
2417 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2418 params['eap_fast_a_id'] = '1011'
2419 params['eap_fast_a_id_info'] = 'another test server'
2420 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2422 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2423 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2424 anonymous_identity="FAST", password="password",
2425 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2426 phase1="fast_provisioning=1",
2427 pac_file="blob://fast_pac",
2428 expect_failure=True)
2429 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2431 raise Exception("No EAP failure reported")
2432 dev[0].wait_disconnected()
2433 dev[0].request("DISCONNECT")
2435 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes the station require a valid stapled OCSP response for the
    # server certificate; with the default server setup the connection is
    # still expected to complete (eap_connect waits for success).
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
2445 def int_eap_server_params():
2446 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2447 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2448 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2449 "ca_cert": "auth_serv/ca.pem",
2450 "server_cert": "auth_serv/server.pem",
2451 "private_key": "auth_serv/server.key" }
2454 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2455 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2456 params = int_eap_server_params()
2457 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2458 hostapd.add_ap(apdev[0]['ifname'], params)
2459 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2460 identity="tls user", ca_cert="auth_serv/ca.pem",
2461 private_key="auth_serv/user.pkcs12",
2462 private_key_passwd="whatever", ocsp=2,
2463 wait_connect=False, scan_freq="2412")
2466 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2468 raise Exception("Timeout on EAP status")
2469 if 'bad certificate status response' in ev:
2473 raise Exception("Unexpected number of EAP status messages")
2475 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2477 raise Exception("Timeout on EAP failure report")
2479 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2480 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2481 params = int_eap_server_params()
2482 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2483 hostapd.add_ap(apdev[0]['ifname'], params)
2484 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2485 identity="tls user", ca_cert="auth_serv/ca.pem",
2486 private_key="auth_serv/user.pkcs12",
2487 private_key_passwd="whatever", ocsp=2,
2488 wait_connect=False, scan_freq="2412")
2491 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2493 raise Exception("Timeout on EAP status")
2494 if 'bad certificate status response' in ev:
2498 raise Exception("Unexpected number of EAP status messages")
2500 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2502 raise Exception("Timeout on EAP failure report")
2504 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2505 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2506 params = int_eap_server_params()
2507 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2508 hostapd.add_ap(apdev[0]['ifname'], params)
2509 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2510 identity="tls user", ca_cert="auth_serv/ca.pem",
2511 private_key="auth_serv/user.pkcs12",
2512 private_key_passwd="whatever", ocsp=2,
2513 wait_connect=False, scan_freq="2412")
2516 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2518 raise Exception("Timeout on EAP status")
2519 if 'bad certificate status response' in ev:
2523 raise Exception("Unexpected number of EAP status messages")
2525 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2527 raise Exception("Timeout on EAP failure report")
2529 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2530 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2531 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2532 if not os.path.exists(ocsp):
2533 raise HwsimSkip("No OCSP response available")
2534 params = int_eap_server_params()
2535 params["ocsp_stapling_response"] = ocsp
2536 hostapd.add_ap(apdev[0]['ifname'], params)
2537 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2538 identity="pap user", ca_cert="auth_serv/ca.pem",
2539 anonymous_identity="ttls", password="password",
2540 phase2="auth=PAP", ocsp=2,
2541 wait_connect=False, scan_freq="2412")
2544 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2546 raise Exception("Timeout on EAP status")
2547 if 'bad certificate status response' in ev:
2549 if 'certificate revoked' in ev:
2553 raise Exception("Unexpected number of EAP status messages")
2555 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2557 raise Exception("Timeout on EAP failure report")
2559 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2560 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2561 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2562 if not os.path.exists(ocsp):
2563 raise HwsimSkip("No OCSP response available")
2564 params = int_eap_server_params()
2565 params["ocsp_stapling_response"] = ocsp
2566 hostapd.add_ap(apdev[0]['ifname'], params)
2567 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2568 identity="pap user", ca_cert="auth_serv/ca.pem",
2569 anonymous_identity="ttls", password="password",
2570 phase2="auth=PAP", ocsp=2,
2571 wait_connect=False, scan_freq="2412")
2574 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2576 raise Exception("Timeout on EAP status")
2577 if 'bad certificate status response' in ev:
2581 raise Exception("Unexpected number of EAP status messages")
2583 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2585 raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # The pre-generated "unknown" OCSP response lives in the log directory;
    # skip rather than fail when the test environment did not produce it.
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    srv = int_eap_server_params()
    srv["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], srv)
    # ocsp=1 only asks for stapling (optional), so a stapled "unknown" status
    # is tolerated and connect() is expected to complete here. The ocsp=2
    # variant of this test requires a valid status and must fail instead.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
2600 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2601 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2602 params = int_eap_server_params()
2603 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2604 params["private_key"] = "auth_serv/server-no-dnsname.key"
2605 hostapd.add_ap(apdev[0]['ifname'], params)
2606 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2607 identity="tls user", ca_cert="auth_serv/ca.pem",
2608 private_key="auth_serv/user.pkcs12",
2609 private_key_passwd="whatever",
2610 domain_suffix_match="server3.w1.fi",
2613 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2614 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2615 params = int_eap_server_params()
2616 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2617 params["private_key"] = "auth_serv/server-no-dnsname.key"
2618 hostapd.add_ap(apdev[0]['ifname'], params)
2619 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2620 identity="tls user", ca_cert="auth_serv/ca.pem",
2621 private_key="auth_serv/user.pkcs12",
2622 private_key_passwd="whatever",
2623 domain_match="server3.w1.fi",
2626 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2627 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2628 check_domain_match_full(dev[0])
2629 params = int_eap_server_params()
2630 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2631 params["private_key"] = "auth_serv/server-no-dnsname.key"
2632 hostapd.add_ap(apdev[0]['ifname'], params)
2633 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2634 identity="tls user", ca_cert="auth_serv/ca.pem",
2635 private_key="auth_serv/user.pkcs12",
2636 private_key_passwd="whatever",
2637 domain_suffix_match="w1.fi",
2640 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2641 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2642 params = int_eap_server_params()
2643 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2644 params["private_key"] = "auth_serv/server-no-dnsname.key"
2645 hostapd.add_ap(apdev[0]['ifname'], params)
2646 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2647 identity="tls user", ca_cert="auth_serv/ca.pem",
2648 private_key="auth_serv/user.pkcs12",
2649 private_key_passwd="whatever",
2650 domain_suffix_match="example.com",
2653 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2654 identity="tls user", ca_cert="auth_serv/ca.pem",
2655 private_key="auth_serv/user.pkcs12",
2656 private_key_passwd="whatever",
2657 domain_suffix_match="erver3.w1.fi",
2660 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2662 raise Exception("Timeout on EAP failure report")
2663 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2665 raise Exception("Timeout on EAP failure report (2)")
2667 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2668 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2669 params = int_eap_server_params()
2670 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2671 params["private_key"] = "auth_serv/server-no-dnsname.key"
2672 hostapd.add_ap(apdev[0]['ifname'], params)
2673 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2674 identity="tls user", ca_cert="auth_serv/ca.pem",
2675 private_key="auth_serv/user.pkcs12",
2676 private_key_passwd="whatever",
2677 domain_match="example.com",
2680 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2681 identity="tls user", ca_cert="auth_serv/ca.pem",
2682 private_key="auth_serv/user.pkcs12",
2683 private_key_passwd="whatever",
2684 domain_match="w1.fi",
2687 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2689 raise Exception("Timeout on EAP failure report")
2690 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2692 raise Exception("Timeout on EAP failure report (2)")
2694 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2695 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2696 skip_with_fips(dev[0])
2697 params = int_eap_server_params()
2698 params["server_cert"] = "auth_serv/server-expired.pem"
2699 params["private_key"] = "auth_serv/server-expired.key"
2700 hostapd.add_ap(apdev[0]['ifname'], params)
2701 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2702 identity="mschap user", password="password",
2703 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2706 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2708 raise Exception("Timeout on EAP certificate error report")
2709 if "reason=4" not in ev or "certificate has expired" not in ev:
2710 raise Exception("Unexpected failure reason: " + ev)
2711 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2713 raise Exception("Timeout on EAP failure report")
2715 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2716 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2717 skip_with_fips(dev[0])
2718 params = int_eap_server_params()
2719 params["server_cert"] = "auth_serv/server-expired.pem"
2720 params["private_key"] = "auth_serv/server-expired.key"
2721 hostapd.add_ap(apdev[0]['ifname'], params)
2722 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2723 identity="mschap user", password="password",
2724 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2725 phase1="tls_disable_time_checks=1",
2728 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2729 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2730 skip_with_fips(dev[0])
2731 params = int_eap_server_params()
2732 params["server_cert"] = "auth_serv/server-long-duration.pem"
2733 params["private_key"] = "auth_serv/server-long-duration.key"
2734 hostapd.add_ap(apdev[0]['ifname'], params)
2735 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2736 identity="mschap user", password="password",
2737 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2740 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2741 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2742 skip_with_fips(dev[0])
2743 params = int_eap_server_params()
2744 params["server_cert"] = "auth_serv/server-eku-client.pem"
2745 params["private_key"] = "auth_serv/server-eku-client.key"
2746 hostapd.add_ap(apdev[0]['ifname'], params)
2747 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2748 identity="mschap user", password="password",
2749 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2752 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2754 raise Exception("Timeout on EAP failure report")
2756 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2757 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2758 skip_with_fips(dev[0])
2759 params = int_eap_server_params()
2760 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2761 params["private_key"] = "auth_serv/server-eku-client-server.key"
2762 hostapd.add_ap(apdev[0]['ifname'], params)
2763 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2764 identity="mschap user", password="password",
2765 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2768 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2769 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2770 skip_with_fips(dev[0])
2771 params = int_eap_server_params()
2772 del params["server_cert"]
2773 params["private_key"] = "auth_serv/server.pkcs12"
2774 hostapd.add_ap(apdev[0]['ifname'], params)
2775 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2776 identity="mschap user", password="password",
2777 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Station-side dh_file points at a DH parameter file; the CA certificate is
    # given in DER form here (ca.der) rather than the PEM used elsewhere.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the plain dh_params test, but the station loads DSA-style
    # parameters (dsaparam.pem) as its dh_file.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
2798 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2799 """EAP-TTLS and DH params file not found"""
2800 skip_with_fips(dev[0])
2801 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2802 hostapd.add_ap(apdev[0]['ifname'], params)
2803 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2804 identity="mschap user", password="password",
2805 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2806 dh_file="auth_serv/dh-no-such-file.conf",
2807 scan_freq="2412", wait_connect=False)
2808 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2810 raise Exception("EAP failure timed out")
2811 dev[0].request("REMOVE_NETWORK all")
2812 dev[0].wait_disconnected()
2814 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2815 """EAP-TTLS and invalid DH params file"""
2816 skip_with_fips(dev[0])
2817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2818 hostapd.add_ap(apdev[0]['ifname'], params)
2819 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2820 identity="mschap user", password="password",
2821 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2822 dh_file="auth_serv/ca.pem",
2823 scan_freq="2412", wait_connect=False)
2824 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2826 raise Exception("EAP failure timed out")
2827 dev[0].request("REMOVE_NETWORK all")
2828 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Load the DH parameters into a wpa_supplicant blob instead of pointing
    # dh_file at a path. read_pem() returns the DER bytes of the PEM body.
    # NOTE(review): str.encode("hex") is the Python 2 spelling of hexlify and
    # does not exist on Python 3 str/bytes; binascii.hexlify would be the
    # portable form if this file is ever moved to Python 3.
    dh_der = read_pem("auth_serv/dh2.conf")
    blob_cmd = "SET blob dhparams " + dh_der.encode("hex")
    if "OK" not in dev[0].request(blob_cmd):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Here the DH parameters are configured on the hostapd (EAP server) side;
    # the station uses its defaults.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Server-side variant of the DSA parameter test: hostapd loads
    # dsaparam.pem as its dh_file and the station must still connect.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this is the second definition of
    # test_ap_wpa2_eap_ttls_dh_params_not_found in this module. At import time
    # it replaces the earlier, station-side variant (the one that points the
    # station's dh_file at a missing file and expects CTRL-EVENT-EAP-FAILURE),
    # so that test is silently never run. One of the two should be renamed.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the configuration error surfaces on
    # the explicit ENABLE; hostapd must refuse to start (fail closed) rather
    # than come up without the requested DH parameters.
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): duplicate of the station-side
    # test_ap_wpa2_eap_ttls_dh_params_invalid defined earlier in this module;
    # this later definition wins at import time and the earlier test is never
    # run. One of the two should be renamed.
    srv = int_eap_server_params()
    # A CA certificate is not a DH parameter file; hostapd must reject the
    # configuration on ENABLE instead of starting with it.
    srv["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
2876 def test_ap_wpa2_eap_reauth(dev, apdev):
2877 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2878 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2879 params['eap_reauth_period'] = '2'
2880 hostapd.add_ap(apdev[0]['ifname'], params)
2881 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2882 password_hex="0123456789abcdef0123456789abcdef")
2883 logger.info("Wait for reauthentication")
2884 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2886 raise Exception("Timeout on reauthentication")
2887 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2889 raise Exception("Timeout on reauthentication")
2890 for i in range(0, 20):
2891 state = dev[0].get_status_field("wpa_state")
2892 if state == "COMPLETED":
2895 if state != "COMPLETED":
2896 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text plus the NUL-separated options (networkid, nasid,
    # portid, NAIRealms) that hostapd places in the EAP-Request/Identity
    # payload; the escaped "\\0" is handed to the hostapd config as-is.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Any EAP method will do for exercising the Identity exchange; PAX keeps
    # the rest of the authentication short.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    srv = int_eap_server_params()
    srv['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Let the server use the protected success/failure result indication.
    srv['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], srv)

    # (method, identity, test credential string for the simulated hlr_auc_gw
    # subscriber DB), exercised in this order.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        if idx:
            # Clear the previous method's networks on both stations before
            # moving on to the next method.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the result indication and then re-authenticates (fast
        # re-auth path); dev[1] authenticates without requesting it.
        eap_connect(dev[0], apdev[0], method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
2941 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2942 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2943 skip_with_fips(dev[0])
2944 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2945 hostapd.add_ap(apdev[0]['ifname'], params)
2946 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2947 eap="TTLS", identity="mschap user",
2948 wait_connect=False, scan_freq="2412", ieee80211w="1",
2949 anonymous_identity="ttls", password="password",
2950 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2952 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2954 raise Exception("EAP roundtrip limit not reached")
2956 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2957 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2958 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2959 hostapd.add_ap(apdev[0]['ifname'], params)
2960 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2961 eap="PSK", identity="vendor-test",
2962 password_hex="ff23456789abcdef0123456789abcdef",
2966 for i in range(0, 5):
2967 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2969 raise Exception("Association and EAP start timed out")
2970 if "refuse proposed method" in ev:
2974 raise Exception("Unexpected EAP status: " + ev)
2976 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2978 raise Exception("EAP failure timed out")
2980 def test_ap_wpa2_eap_sql(dev, apdev, params):
2981 """WPA2-Enterprise connection using SQLite for user DB"""
2982 skip_with_fips(dev[0])
2986 raise HwsimSkip("No sqlite3 module available")
2987 dbfile = os.path.join(params['logdir'], "eap-user.db")
2992 con = sqlite3.connect(dbfile)
2995 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2996 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2997 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2998 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2999 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3000 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3001 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3002 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3005 params = int_eap_server_params()
3006 params["eap_user_file"] = "sqlite:" + dbfile
3007 hostapd.add_ap(apdev[0]['ifname'], params)
3008 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3009 anonymous_identity="ttls", password="password",
3010 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3011 dev[0].request("REMOVE_NETWORK all")
3012 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3013 anonymous_identity="ttls", password="password",
3014 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3015 dev[1].request("REMOVE_NETWORK all")
3016 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3017 anonymous_identity="ttls", password="password",
3018 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3019 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3020 anonymous_identity="ttls", password="password",
3021 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3025 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3026 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3027 params = int_eap_server_params()
3028 hostapd.add_ap(apdev[0]['ifname'], params)
3029 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3030 identity="\x80", password="password", wait_connect=False)
3031 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3032 identity="a\x80", password="password", wait_connect=False)
3033 for i in range(0, 2):
3034 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3036 raise Exception("Association and EAP start timed out")
3037 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3039 raise Exception("EAP method selection timed out")
3041 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3042 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3043 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3044 hostapd.add_ap(apdev[0]['ifname'], params)
3045 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3046 identity="\x80", password="password", wait_connect=False)
3047 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3048 identity="a\x80", password="password", wait_connect=False)
3049 for i in range(0, 2):
3050 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3052 raise Exception("Association and EAP start timed out")
3053 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3055 raise Exception("EAP method selection timed out")
3057 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3058 """OpenSSL cipher suite configuration on wpa_supplicant"""
3059 tls = dev[0].request("GET tls_library")
3060 if not tls.startswith("OpenSSL"):
3061 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3062 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3063 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3064 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3065 anonymous_identity="ttls", password="password",
3066 openssl_ciphers="AES128",
3067 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3068 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3069 anonymous_identity="ttls", password="password",
3070 openssl_ciphers="EXPORT",
3071 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3072 expect_failure=True, maybe_local_error=True)
3073 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3074 identity="pap user", anonymous_identity="ttls",
3075 password="password",
3076 openssl_ciphers="FOO",
3077 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3079 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3081 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3082 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # openssl_ciphers is an OpenSSL-specific knob on both ends; skip unless
    # both wpa_supplicant and hostapd were built against OpenSSL.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    srv = int_eap_server_params()
    # Server restricted to AES-256 suites; the station attempts below are
    # judged against this restriction.
    srv['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # Default station cipher list: overlaps with AES256, must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Station limited to AES128 only: no common suite, handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)
    # Station with HIGH minus anonymous DH: still overlaps, must succeed.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="HIGH:!ADH",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # An unparseable cipher string must make hostapd refuse ENABLE rather
    # than fall back to some default list.
    srv['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], srv, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3113 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3114 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Verifies that wpa_supplicant zeroizes secrets when they are no longer
# needed: the password, PMK, MSK/EMSK and the PTK-derived keys are looked up
# in the process memory after each lifecycle step (associated, disconnected,
# PMKSA/fast-reauth state flushed, network profile removed) and compared
# against the values logged in the debug output.
3115 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3116 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# A long, high-entropy password so that a memory match is unambiguous.
3117 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3118 pid = find_wpas_process(dev[0])
3119 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3120 anonymous_identity="ttls", password=password,
3121 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Snapshot taken while associated; inspected after the key values are known.
3123 buf = read_process_memory(pid, password)
3125 dev[0].request("DISCONNECT")
3126 dev[0].wait_disconnected()
# Recover the key material from the wpa_supplicant debug log hexdumps.
# Each hexdump line has the form "<prefix>: <label> - hexdump(len=N): <hex>",
# hence field index 3 after splitting on ':'.
# NOTE(review): the lines initialising msk/emsk/pmk/ptk/gtk before this loop
# are missing from this listing; as shown, the check below would raise
# NameError rather than the intended Exception if a key was never logged.
3134 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3135 for l in f.readlines():
3136 if "EAP-TTLS: Derived key - hexdump" in l:
3137 val = l.strip().split(':')[3].replace(' ', '')
3138 msk = binascii.unhexlify(val)
3139 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3140 val = l.strip().split(':')[3].replace(' ', '')
3141 emsk = binascii.unhexlify(val)
3142 if "WPA: PMK - hexdump" in l:
3143 val = l.strip().split(':')[3].replace(' ', '')
3144 pmk = binascii.unhexlify(val)
3145 if "WPA: PTK - hexdump" in l:
3146 val = l.strip().split(':')[3].replace(' ', '')
3147 ptk = binascii.unhexlify(val)
3148 if "WPA: Group Key - hexdump" in l:
3149 val = l.strip().split(':')[3].replace(' ', '')
3150 gtk = binascii.unhexlify(val)
3151 if not msk or not emsk or not pmk or not ptk or not gtk:
3152 raise Exception("Could not find keys from debug log")
# NOTE(review): the GTK length check preceding this raise, and the lines
# splitting the PTK into kck/kek/tk, are missing from this listing.
3154 raise Exception("Unexpected GTK length")
# Prefix for the memory-context dump files written by verify_not_present()
# when a key is unexpectedly found.
3160 fname = os.path.join(params['logdir'],
3161 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# Phase 1: while associated, the credentials and the keys needed for the
# session (password, PMK, MSK/EMSK, KCK, KEK) are expected to be resident;
# TK and GTK must not be, since they are handed to the driver and cleared.
3163 logger.info("Checking keys in memory while associated")
3164 get_key_locations(buf, password, "Password")
3165 get_key_locations(buf, pmk, "PMK")
3166 get_key_locations(buf, msk, "MSK")
3167 get_key_locations(buf, emsk, "EMSK")
# Skip (not fail) when the snapshot does not even contain the password or
# PMK: the memory read itself is then not reliable on this platform.
3168 if password not in buf:
3169 raise HwsimSkip("Password not found while associated")
# NOTE(review): the conditions guarding the following raises are missing
# from this listing.
3171 raise HwsimSkip("PMK not found while associated")
3173 raise Exception("KCK not found while associated")
3175 raise Exception("KEK not found while associated")
3177 raise Exception("TK found from memory")
3179 raise Exception("GTK found from memory")
# Phase 2: after disassociation the per-session PTK parts and the GTK must
# be gone, while cached state may legitimately keep the password and PMK.
3181 logger.info("Checking keys in memory after disassociation")
3182 buf = read_process_memory(pid, password)
3184 # Note: Password is still present in network configuration
3185 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3187 get_key_locations(buf, password, "Password")
3188 get_key_locations(buf, pmk, "PMK")
3189 get_key_locations(buf, msk, "MSK")
3190 get_key_locations(buf, emsk, "EMSK")
3191 verify_not_present(buf, kck, fname, "KCK")
3192 verify_not_present(buf, kek, fname, "KEK")
3193 verify_not_present(buf, tk, fname, "TK")
3194 verify_not_present(buf, gtk, fname, "GTK")
# Phase 3: flushing the PMKSA cache and changing the identity (which drops
# the EAP fast re-auth data) must remove the PMK from memory.
3196 dev[0].request("PMKSA_FLUSH")
3197 dev[0].set_network_quoted(id, "identity", "foo")
3198 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3199 buf = read_process_memory(pid, password)
3200 get_key_locations(buf, password, "Password")
3201 get_key_locations(buf, pmk, "PMK")
3202 get_key_locations(buf, msk, "MSK")
3203 get_key_locations(buf, emsk, "EMSK")
3204 verify_not_present(buf, pmk, fname, "PMK")
# Phase 4: once the network profile is removed nothing secret may remain,
# including the password and the EAP-derived MSK/EMSK.
3206 dev[0].request("REMOVE_NETWORK all")
3208 logger.info("Checking keys in memory after network profile removal")
3209 buf = read_process_memory(pid, password)
3211 get_key_locations(buf, password, "Password")
3212 get_key_locations(buf, pmk, "PMK")
3213 get_key_locations(buf, msk, "MSK")
3214 get_key_locations(buf, emsk, "EMSK")
3215 verify_not_present(buf, password, fname, "password")
3216 verify_not_present(buf, pmk, fname, "PMK")
3217 verify_not_present(buf, kck, fname, "KCK")
3218 verify_not_present(buf, kek, fname, "KEK")
3219 verify_not_present(buf, tk, fname, "TK")
3220 verify_not_present(buf, gtk, fname, "GTK")
3221 verify_not_present(buf, msk, fname, "MSK")
3222 verify_not_present(buf, emsk, fname, "EMSK")
3224 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3225 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3226 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3227 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3228 bssid = apdev[0]['bssid']
3229 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3230 anonymous_identity="ttls", password="password",
3231 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Inject a legacy (RC4/WEP key descriptor) EAPOL-Key frame into the
# established WPA2 association via the control interface. The supplicant
# must ignore it: only the RSN key descriptor is valid here, so a stray
# legacy key message must not be able to alter the negotiated keys. Only
# the delivery of the frame to wpa_supplicant is asserted below.
3233 # Send unexpected WEP EAPOL-Key; this gets dropped
3234 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
# NOTE(review): the check of res that guards this raise is missing from
# this listing.
3236 raise Exception("EAPOL_RX to wpa_supplicant failed")
3238 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3239 """WPA2-EAP and wpas interface in a bridge"""
# Wrapper that runs the bridged-interface test and always tears the bridge
# and 4addr mode down afterwards so a failing run does not leave the host
# network configuration modified.
# NOTE(review): the definitions of br_ifname/ifname and the try/finally
# framing around the call below are missing from this listing.
3243 _test_ap_wpa2_eap_in_bridge(dev, apdev)
# Teardown is best-effort (subprocess.call, return codes ignored) since some
# steps may already have been undone by an earlier failure.
3245 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3246 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3247 subprocess.call(['brctl', 'delbr', br_ifname])
3248 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3250 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Body of the bridged-interface test: a separate wpa_supplicant instance is
# attached to a station interface that is enslaved to a Linux bridge, and
# EAP authentication plus re-authentication is exercised through it.
# NOTE(review): the assignments of br_ifname and ifname are missing from
# this listing.
3251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3252 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3256 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
# Forwarding delay 0 so the bridge port forwards immediately.
3257 subprocess.call(['brctl', 'addbr', br_ifname])
3258 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3259 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
# 4-address mode is required for a station interface to be bridged.
3260 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
# check_call: the test cannot proceed if enslaving the interface fails.
3261 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3262 wpas.interface_add(ifname, br_ifname=br_ifname)
# EAP-PAX with a hex-encoded shared key; EAPOL frames must reach the
# supplicant through the bridge port.
3264 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3265 password_hex="0123456789abcdef0123456789abcdef")
3266 eap_reauth(wpas, "PAX")
3267 # Try again as a regression test for packet socket workaround
3268 eap_reauth(wpas, "PAX")
# Full disconnect/reconnect cycle on the bridged interface.
3269 wpas.request("DISCONNECT")
3270 wpas.wait_disconnected()
3271 wpas.request("RECONNECT")
3272 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Confirm the AP actually runs WPA-EAP before attributing any failure
    # to the session ticket handling.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    # tls_disable_session_ticket=0 leaves the TLS session ticket extension
    # enabled on the client; the re-authentication afterwards presumably
    # exercises the ticket path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3287 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3288 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3289 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3290 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Confirm the AP is in WPA-EAP mode before running the connection.
3291 key_mgmt = hapd.get_config()['key_mgmt']
3292 if key_mgmt.split(' ')[0] != "WPA-EAP":
3293 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
# eap_workaround='0' disables the supplicant's interoperability workarounds
# for non-conforming EAP servers; the connection and re-authentication must
# still succeed against a conforming server.
# NOTE(review): the closing line of this eap_connect() call is missing from
# this listing.
3294 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3295 anonymous_identity="ttls", password="password",
3296 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3298 eap_reauth(dev[0], "TTLS")
3300 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3301 """EAP-TLS and server checking CRL"""
3302 params = int_eap_server_params()
# check_crl=1: the integrated EAP server verifies the client certificate
# against a CRL. Without a CRL loaded, revocation status cannot be
# determined, and the server must fail closed.
3303 params['check_crl'] = '1'
3304 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3306 # check_crl=1 and no CRL available --> reject connection
3307 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3308 client_cert="auth_serv/user.pem",
3309 private_key="auth_serv/user.key", expect_failure=True)
3310 dev[0].request("REMOVE_NETWORK all")
# Provide a CA bundle that includes a CRL. NOTE(review): the steps between
# hapd.set() and the next connection attempt (presumably a server restart to
# apply the new setting) are missing from this listing.
3313 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3316 # check_crl=1 and valid CRL --> accept
3317 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3318 client_cert="auth_serv/user.pem",
3319 private_key="auth_serv/user.key")
3320 dev[0].request("REMOVE_NETWORK all")
# check_crl=2: CRL checking is extended to the whole certificate chain.
3323 hapd.set("check_crl", "2")
3326 # check_crl=2 and valid CRL --> accept
3327 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3328 client_cert="auth_serv/user.pem",
3329 private_key="auth_serv/user.key")
3330 dev[0].request("REMOVE_NETWORK all")
3332 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3333 """EAP-TLS and OOM"""
# All three matching options are configured below, so skip unless the TLS
# backend supports each of them.
3334 check_subject_match_support(dev[0])
3335 check_altsubject_match_support(dev[0])
3336 check_domain_match_full(dev[0])
3338 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3339 hostapd.add_ap(apdev[0]['ifname'], params)
# Fail the 1st..4th allocation inside tls_connection_set_subject_match().
# The point of the test is fail-closed behaviour: when the server identity
# constraints cannot be applied, the supplicant must not proceed with a
# handshake that would skip them, but instead stop and ask for credentials.
3341 tests = [ (1, "tls_connection_set_subject_match"),
3342 (2, "tls_connection_set_subject_match"),
3343 (3, "tls_connection_set_subject_match"),
3344 (4, "tls_connection_set_subject_match") ]
3345 for count, func in tests:
3346 with alloc_fail(dev[0], count, func):
3347 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3348 identity="tls user", ca_cert="auth_serv/ca.pem",
3349 client_cert="auth_serv/user.pem",
3350 private_key="auth_serv/user.key",
3351 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3352 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3353 domain_suffix_match="server.w1.fi",
3354 domain_match="server.w1.fi",
3355 wait_connect=False, scan_freq="2412")
3356 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3357 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
# NOTE(review): the condition guarding this raise (ev being None) is missing
# from this listing.
3359 raise Exception("No passphrase request")
3360 dev[0].request("REMOVE_NETWORK all")
3361 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # macaddr_acl=2: hostapd asks the external RADIUS server whether the
    # station's MAC address is allowed before the EAP exchange.
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    tls_creds = {
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
    }
    # dev[1] is used rather than dev[0]; presumably its MAC address is the
    # one the test RADIUS server's ACL accepts — confirm against the server
    # configuration.
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_creds)
3372 def test_ap_wpa2_eap_oom(dev, apdev):
3373 """EAP server and OOM"""
3374 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3375 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3376 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Make the first eapol_auth_alloc() in hostapd fail, so the authenticator
# state machine cannot be created for the station on the first attempt.
# The station is still expected to end up connected (see the comment
# below), i.e. the allocation failure must be recovered from rather than
# leaving the association in a half-authenticated state.
# NOTE(review): the continuation of the comment below and the closing line
# of the connect() call are missing from this listing.
3378 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3379 # The first attempt fails, but STA will send EAPOL-Start to retry and
3381 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3382 identity="tls user", ca_cert="auth_serv/ca.pem",
3383 client_cert="auth_serv/user.pem",
3384 private_key="auth_serv/user.key",
3387 def check_tls_ver(dev, ap, phase1, expected):
# Connect with EAP-TLS using the given phase1 TLS parameter string and
# verify that the negotiated TLS version reported in the supplicant status
# (eap_tls_version) matches `expected`; raises Exception otherwise.
# NOTE(review): the line passing phase1 into eap_connect() and the
# comparison guarding the raise are missing from this listing.
3388 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3389 client_cert="auth_serv/user.pem",
3390 private_key="auth_serv/user.key",
3392 ver = dev.get_status_field("eap_tls_version")
3394 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3396 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3397 """EAP-TLS and TLS version configuration"""
3398 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3399 hostapd.add_ap(apdev[0]['ifname'], params)
3401 tls = dev[0].request("GET tls_library")
3402 if tls.startswith("OpenSSL"):
3403 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3404 check_tls_ver(dev[0], apdev[0],
3405 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3407 check_tls_ver(dev[1], apdev[0],
3408 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3409 check_tls_ver(dev[2], apdev[0],
3410 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")