1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
26 openssl_imported = True
28 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA/AKA' tests in this file call this before connecting,
    since their full-authentication path relies on the hlr_auc_gw helper
    listening on /tmp/hlr_auc_gw.sock.

    Raises:
        HwsimSkip: if the socket path is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev, method):
35 res = dev.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless the TLS backend supports the subject_match option.

    subject_match pins the server certificate's subject DN (see the
    "/C=FI/O=w1.fi/CN=server.w1.fi" value used by the TTLS tests); the
    suite only exercises it against the OpenSSL backend.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" does not report OpenSSL.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: "
                    + backend)
def check_altsubject_match_support(dev):
    """Skip unless the TLS backend supports the altsubject_match option.

    altsubject_match pins subjectAltName entries of the server certificate
    (EMAIL:/DNS:/URI: values in the TTLS tests); only the OpenSSL backend
    is exercised with it here.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" does not report OpenSSL.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: "
                    + backend)
def check_domain_match(dev):
    """Skip when the internal TLS implementation is in use.

    domain_match (exact server-name match against the certificate) is not
    available with the internal TLS library; every other backend passes.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" reports the internal library.
    """
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: "
                    + backend)
def check_domain_suffix_match(dev):
    """Skip when the internal TLS implementation is in use.

    domain_suffix_match (suffix match of the server name against the
    certificate) is not available with the internal TLS library.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" reports the internal library.
    """
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: "
                    + backend)
def check_domain_match_full(dev):
    """Skip unless the OpenSSL backend is in use.

    As the skip message states, backends other than OpenSSL only perform a
    full-domain comparison for domain_suffix_match, so tests that depend on
    genuine suffix semantics must not run against them.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" does not report OpenSSL.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: "
                    + backend)
def check_cert_probe_support(dev):
    """Skip unless the TLS backend supports certificate probing.

    Both the OpenSSL backend and the internal TLS implementation are
    accepted; any other library causes a skip.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" reports neither OpenSSL nor
            the internal library.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: "
                    + backend)
def check_ext_cert_check_support(dev):
    """Skip unless the TLS backend supports external certificate checks.

    ext_cert_check (handing the server certificate to an external checker)
    is only exercised against the OpenSSL backend in this suite.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" does not report OpenSSL.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("ext_cert_check not supported with this TLS library: "
                    + backend)
def check_ocsp_support(dev):
    """Query the TLS backend before an OCSP test; never skips at present.

    Earlier versions skipped the internal TLS implementation and BoringSSL
    here; those checks are currently disabled, so this only issues the
    "GET tls_library" request and returns.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.
    """
    # The backend is still queried even though no skip condition applies.
    dev.request("GET tls_library")
def check_pkcs12_support(dev):
    """Query the TLS backend before a PKCS#12 test; never skips at present.

    A skip for the internal TLS implementation used to live here and is
    currently disabled, so the function only issues "GET tls_library".

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.
    """
    # The backend is still queried even though no skip condition applies.
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip when the internal TLS implementation is in use.

    DH/DSA key exchange is not available with the internal TLS library;
    every other backend passes.

    Args:
        dev: wpa_supplicant control object; only dev.request() is used.

    Raises:
        HwsimSkip: when "GET tls_library" reports the internal library.
    """
    backend = dev.request("GET tls_library")
    if not backend.startswith("internal"):
        return
    raise HwsimSkip("DH DSA not supported with this TLS library: " + backend)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
105 def eap_connect(dev, ap, method, identity,
106 sha256=False, expect_failure=False, local_error_report=False,
107 maybe_local_error=False, **kwargs):
108 hapd = hostapd.Hostapd(ap['ifname'])
109 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
110 eap=method, identity=identity,
111 wait_connect=False, scan_freq="2412", ieee80211w="1",
113 eap_check_auth(dev, method, True, sha256=sha256,
114 expect_failure=expect_failure,
115 local_error_report=local_error_report,
116 maybe_local_error=maybe_local_error)
119 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
125 expect_failure=False, local_error_report=False,
126 maybe_local_error=False):
127 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
129 raise Exception("Association and EAP start timed out")
130 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev:
135 if maybe_local_error:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev = dev.wait_disconnected(timeout=10)
145 if maybe_local_error and "locally_generated=1" in ev:
147 if not local_error_report:
148 if "reason=23" not in ev:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
153 raise Exception("EAP success timed out")
156 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
158 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
160 raise Exception("Association with the AP timed out")
161 status = dev.get_status()
162 if status["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method not in status["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e = "WPA2-EAP-SHA256"
172 e = "WPA2/IEEE 802.1X/EAP"
174 e = "WPA/IEEE 802.1X/EAP"
175 if status["key_mgmt"] != e:
176 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP re-authentication on dev and verify its outcome.

    Issues REAUTHENTICATE over the control interface and then runs the
    same event/status checks as the initial connection, with initial=False
    so eap_check_auth skips the association-specific steps.

    Args:
        dev: wpa_supplicant control object.
        method: EAP method name expected in the status output.
        rsn: passed through to eap_check_auth.
        sha256: passed through to eap_check_auth.
        expect_failure: passed through; True when the re-auth must fail.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
184 def test_ap_wpa2_eap_sim(dev, apdev):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
188 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
189 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
190 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils.test_connectivity(dev[0], hapd)
192 eap_reauth(dev[0], "SIM")
194 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
195 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
197 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger.info("Negative test with incorrect key")
201 dev[0].request("REMOVE_NETWORK all")
202 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
203 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger.info("Invalid GSM-Milenage key")
207 dev[0].request("REMOVE_NETWORK all")
208 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
209 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger.info("Invalid GSM-Milenage key(2)")
213 dev[0].request("REMOVE_NETWORK all")
214 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
215 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger.info("Invalid GSM-Milenage key(3)")
219 dev[0].request("REMOVE_NETWORK all")
220 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
221 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger.info("Invalid GSM-Milenage key(4)")
225 dev[0].request("REMOVE_NETWORK all")
226 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
227 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger.info("Missing key configuration")
231 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
244 params['auth_server_port'] = "1814"
245 hostapd.add_ap(apdev[0]['ifname'], params)
246 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
247 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger.info("SIM fast re-authentication")
250 eap_reauth(dev[0], "SIM")
252 logger.info("SIM full auth with pseudonym")
255 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev[0], "SIM")
258 logger.info("SIM full auth with permanent identity")
261 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev[0], "SIM")
265 logger.info("SIM reauth with mismatching MK")
268 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev[0], "SIM", expect_failure=True)
270 dev[0].request("REMOVE_NETWORK all")
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev[0], "SIM")
280 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger.info("SIM reauth with mismatching counter")
282 eap_reauth(dev[0], "SIM")
283 dev[0].request("REMOVE_NETWORK all")
285 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev, apdev):
294 """EAP-SIM configuration options"""
295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
296 hostapd.add_ap(apdev[0]['ifname'], params)
297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
298 identity="1232010000000000",
299 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1="sim_min_num_chal=1",
301 wait_connect=False, scan_freq="2412")
302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
304 raise Exception("No EAP error message seen")
305 dev[0].request("REMOVE_NETWORK all")
307 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
308 identity="1232010000000000",
309 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1="sim_min_num_chal=4",
311 wait_connect=False, scan_freq="2412")
312 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
314 raise Exception("No EAP error message seen (2)")
315 dev[0].request("REMOVE_NETWORK all")
317 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
318 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1="sim_min_num_chal=2")
320 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity="345678")
324 def test_ap_wpa2_eap_sim_ext(dev, apdev):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev, apdev)
329 dev[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
332 check_hlr_auc_gw_support()
333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
334 hostapd.add_ap(apdev[0]['ifname'], params)
335 dev[0].request("SET external_sim 1")
336 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
337 identity="1232010000000000",
338 wait_connect=False, scan_freq="2412")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
341 raise Exception("Network connected timed out")
343 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid = p[0].split('-')[3]
352 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357 raise Exception("EAP failure not reported")
358 dev[0].request("DISCONNECT")
359 dev[0].wait_disconnected()
362 dev[0].select_network(id, freq="2412")
363 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid = p[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375 raise Exception("EAP failure not reported")
376 dev[0].request("DISCONNECT")
377 dev[0].wait_disconnected()
380 dev[0].select_network(id, freq="2412")
381 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid = p[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393 raise Exception("EAP failure not reported")
394 dev[0].request("DISCONNECT")
395 dev[0].wait_disconnected()
398 dev[0].select_network(id, freq="2412")
399 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid = p[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411 raise Exception("EAP failure not reported")
412 dev[0].request("DISCONNECT")
413 dev[0].wait_disconnected()
416 dev[0].select_network(id, freq="2412")
417 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid = p[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429 raise Exception("EAP failure not reported")
430 dev[0].request("DISCONNECT")
431 dev[0].wait_disconnected()
434 dev[0].select_network(id, freq="2412")
435 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid = p[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
447 raise Exception("EAP failure not reported")
448 dev[0].request("DISCONNECT")
449 dev[0].wait_disconnected()
452 dev[0].select_network(id, freq="2412")
453 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid = p[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev, apdev):
468 """EAP-SIM and OOM"""
469 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
470 hostapd.add_ap(apdev[0]['ifname'], params)
471 tests = [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count, func in tests:
484 with alloc_fail(dev[0], count, func):
485 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
486 identity="1232010000000000",
487 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect=False, scan_freq="2412")
489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
491 raise Exception("EAP method not selected")
492 dev[0].wait_disconnected()
493 dev[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev, apdev):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
499 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils.test_connectivity(dev[0], hapd)
503 eap_reauth(dev[0], "AKA")
505 logger.info("Negative test with incorrect key")
506 dev[0].request("REMOVE_NETWORK all")
507 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
508 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger.info("Invalid Milenage key")
512 dev[0].request("REMOVE_NETWORK all")
513 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
514 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger.info("Invalid Milenage key(2)")
518 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
519 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger.info("Invalid Milenage key(3)")
523 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
524 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger.info("Invalid Milenage key(4)")
528 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
529 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger.info("Invalid Milenage key(5)")
533 dev[0].request("REMOVE_NETWORK all")
534 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
535 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger.info("Invalid Milenage key(6)")
539 dev[0].request("REMOVE_NETWORK all")
540 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
541 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger.info("Missing key configuration")
545 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 params['auth_server_port'] = "1814"
559 hostapd.add_ap(apdev[0]['ifname'], params)
560 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
561 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger.info("AKA fast re-authentication")
564 eap_reauth(dev[0], "AKA")
566 logger.info("AKA full auth with pseudonym")
569 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev[0], "AKA")
572 logger.info("AKA full auth with permanent identity")
575 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev[0], "AKA")
579 logger.info("AKA reauth with mismatching MK")
582 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev[0], "AKA", expect_failure=True)
584 dev[0].request("REMOVE_NETWORK all")
586 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
587 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev[0], "AKA")
594 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger.info("AKA reauth with mismatching counter")
596 eap_reauth(dev[0], "AKA")
597 dev[0].request("REMOVE_NETWORK all")
599 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
600 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev[0], "AKA")
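def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Full EAP-AKA authentication in this file is served by hlr_auc_gw (see
    # test_ap_wpa2_eap_aka); skip like the other AKA tests instead of
    # failing when the helper socket is absent.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Exercise the configuration path where a separate anonymous_identity
    # is set alongside the permanent identity and the Milenage key material.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")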
615 def test_ap_wpa2_eap_aka_ext(dev, apdev):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev, apdev)
620 dev[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
623 check_hlr_auc_gw_support()
624 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
625 hostapd.add_ap(apdev[0]['ifname'], params)
626 dev[0].request("SET external_sim 1")
627 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
628 identity="0232010000000000",
629 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect=False, scan_freq="2412")
631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
633 raise Exception("Network connected timed out")
635 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid = p[0].split('-')[3]
644 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
647 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
649 raise Exception("EAP failure not reported")
650 dev[0].request("DISCONNECT")
651 dev[0].wait_disconnected()
653 dev[0].dump_monitor()
655 dev[0].select_network(id, freq="2412")
656 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid = p[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid = p[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
678 raise Exception("EAP failure not reported")
679 dev[0].request("DISCONNECT")
680 dev[0].wait_disconnected()
682 dev[0].dump_monitor()
684 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev[0].select_network(id, freq="2412")
693 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid = p[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
705 raise Exception("EAP failure not reported")
706 dev[0].request("DISCONNECT")
707 dev[0].wait_disconnected()
709 dev[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev, apdev):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
715 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
716 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
717 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils.test_connectivity(dev[0], hapd)
719 eap_reauth(dev[0], "AKA'")
721 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
723 identity="6555444333222111@both",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect=False, scan_freq="2412")
726 dev[1].wait_connected(timeout=15)
728 logger.info("Negative test with incorrect key")
729 dev[0].request("REMOVE_NETWORK all")
730 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
731 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 params['auth_server_port'] = "1814"
744 hostapd.add_ap(apdev[0]['ifname'], params)
745 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
746 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger.info("AKA' fast re-authentication")
749 eap_reauth(dev[0], "AKA'")
751 logger.info("AKA' full auth with pseudonym")
754 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev[0], "AKA'")
757 logger.info("AKA' full auth with permanent identity")
760 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev[0], "AKA'")
764 logger.info("AKA' reauth with mismatching k_aut")
767 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev[0], "AKA'", expect_failure=True)
769 dev[0].request("REMOVE_NETWORK all")
771 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
772 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev[0], "AKA'")
779 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev[0], "AKA'")
782 dev[0].request("REMOVE_NETWORK all")
784 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
785 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity-check the AP side first: the first configured AKM must be WPA-EAP.
    configured = hapd.get_config()['key_mgmt']
    first_akm = configured.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured)
    # NOTE(review): PAP carries the password in the clear inside the TTLS
    # tunnel, so ca_cert (server validation) is what protects it here.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the AKM suite selector that corresponds to the WPA-EAP
    # (IEEE 802.1X) key_mgmt configured above.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    # Both options are only exercised with the OpenSSL backend.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Beyond trusting the CA, pin the server certificate's subject DN and
    # its subjectAltName entries so a different certificate from the same
    # CA would not be accepted.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                   subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                   altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **sta_cfg)
    eap_reauth(dev[0], "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
823 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
824 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
825 anonymous_identity="ttls", password="wrong",
826 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
828 eap_connect(dev[1], apdev[0], "TTLS", "user",
829 anonymous_identity="ttls", password="password",
830 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is not run in FIPS builds (presumably because it relies on MD5).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Uses the DER-encoded CA file rather than the PEM variant.
    sta_cfg = dict(anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
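def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # The docstring doubles as the test description in the hwsim runner;
    # it previously duplicated test_ap_wpa2_eap_ttls_chap's.
    skip_with_fips(dev[0])
    # altsubject_match is only exercised with the OpenSSL backend.
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Pin the server certificate's subjectAltName entries in addition to
    # trusting the CA; entry order differs from the PAP variant on purpose.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(dev[0], "TTLS")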
856 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
857 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
# NOTE(review): the closing argument line of each eap_connect() call
# (original lines 864 and 868) is missing from this listing; by analogy with
# the other *_incorrect_password tests it is presumably expect_failure=True).
858 skip_with_fips(dev[0])
859 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
860 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Known CHAP user with a wrong password.
861 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
862 anonymous_identity="ttls", password="wrong",
863 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
# Correct password with the generic "user" identity.
865 eap_connect(dev[1], apdev[0], "TTLS", "user",
866 anonymous_identity="ttls", password="password",
867 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
870 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
871 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
872 skip_with_fips(dev[0])
873 check_domain_suffix_match(dev[0])
874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
875 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Inner MSCHAP; the server certificate is additionally pinned by
# domain_suffix_match on top of the CA check.
876 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
877 anonymous_identity="ttls", password="password",
878 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
879 domain_suffix_match="server.w1.fi")
880 hwsim_utils.test_connectivity(dev[0], hapd)
881 eap_reauth(dev[0], "TTLS")
882 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): the last argument line of this call (original line 886) is
# missing from the listing, so the option exercised by this second round
# cannot be seen here.
883 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
884 anonymous_identity="ttls", password="password",
885 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
887 dev[0].request("REMOVE_NETWORK all")
888 dev[0].wait_disconnected()
# Third round: the same credential supplied as a pre-computed NT hash
# (password_hex="hash:<hex>") instead of the cleartext password.
889 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
890 anonymous_identity="ttls",
891 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
892 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
894 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
895 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
# NOTE(review): each eap_connect() call below is missing its final argument
# line in this listing (original lines 902, 906 and 910); by analogy with
# the other *_incorrect_password tests it is presumably expect_failure=True).
896 skip_with_fips(dev[0])
897 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
898 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Known MSCHAP user with a wrong password.
899 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
900 anonymous_identity="ttls", password="wrong",
901 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# Correct password with the generic "user" identity.
903 eap_connect(dev[1], apdev[0], "TTLS", "user",
904 anonymous_identity="ttls", password="password",
905 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# Identity unknown to the server.
907 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
908 anonymous_identity="ttls", password="password",
909 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Windows-style DOMAIN\ prefix on the inner identity; the server
    # certificate is pinned by domain_suffix_match in addition to the CA.
    user = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", user,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)

    # Snapshot the authenticator's per-STA counters around a reauthentication
    # so the EAPOL exchange is also verified from the AP side.
    sta_addr = dev[0].p2p_interface_addr()
    sta_before = ap.get_sta(sta_addr)
    eapol_before = ap.get_sta(sta_addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = ap.get_sta(sta_addr)
    eapol_after = ap.get_sta(sta_addr, info="eapol")

    def increased(field, old, new):
        # True when the MIB counter `field` grew across the reauth.
        return int(new[field]) > int(old[field])

    if not increased('dot1xAuthEapolFramesRx', sta_before, sta_after):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if not increased('backendAuthSuccesses', eapol_before, eapol_after):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, credential supplied as a pre-computed NT hash
    # (password_hex="hash:<hex>") rather than the cleartext password.
    eap_connect(dev[0], apdev[0], "TTLS", user,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
943 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
944 """EAP-TTLS with invalid phase2 parameter values"""
945 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
946 hostapd.add_ap(apdev[0]['ifname'], params)
# Malformed phase2 strings: wrong-case method name, auth= and autheap=
# combined, and repeated keys. Each must be rejected at method init.
947 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
948 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
949 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
# NOTE(review): original line 950, the loop header that binds `t` to each
# entry of `tests`, is missing from this listing.
951 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
952 identity="DOMAIN\mschapv2 user",
953 anonymous_identity="ttls", password="password",
954 ca_cert="auth_serv/ca.pem", phase2=t,
955 wait_connect=False, scan_freq="2412")
# The outer method (EAP type 21 = EAP-TTLS) must still be proposed...
956 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
957 if ev is None or "method=21" not in ev:
958 raise Exception("EAP-TTLS not started")
# ...but initialisation must then fail; a completed connection with a bad
# phase2 string is the failure case.
959 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
960 "CTRL-EVENT-CONNECTED"], timeout=5)
961 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
962 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
963 dev[0].request("REMOVE_NETWORK all")
964 dev[0].wait_disconnected()
965 dev[0].dump_monitor()
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    # Only OpenSSL builds do a true suffix comparison (check_domain_match_full);
    # FIPS builds are skipped.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Pin only the parent domain: "w1.fi" has to accept the server.w1.fi
    # certificate as a suffix match.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_suffix_match="w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    # domain_match is unsupported with the internal TLS library
    # (check_domain_match); FIPS builds are skipped.
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ap = hostapd.Hostapd(apdev[0]['ifname'])
    # Full-domain pin. The mixed-case value presumably exercises
    # case-insensitive comparison against the server.w1.fi certificate.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 domain_match="Server.w1.fi")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  expect_failure=True)
    # Known MSCHAPv2 user, wrong password: authentication must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    # Correct password but the generic "user" identity: must also fail.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                password="password", **common)
1009 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1010 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1011 skip_with_fips(dev[0])
1012 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1013 hostapd.add_ap(apdev[0]['ifname'], params)
1014 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Non-ASCII password given in cleartext (hapd is assigned but not used).
1015 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
1016 anonymous_identity="ttls", password="secret-åäö-€-password",
1017 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# Same kind of credential supplied as a pre-computed NT hash.
1018 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
1019 anonymous_identity="ttls",
1020 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1021 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# Invalid password_hex inputs: byte sequences that are not valid UTF-8
# (a lone 0x80; 0xC0/0xE0 lead bytes without continuation bytes) and an
# over-long 257-byte value. Each must end in CTRL-EVENT-EAP-FAILURE.
# NOTE(review): the `if ev is None:` guard (original line 1029) between
# wait_event() and the raise is missing from this listing.
1022 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1023 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1024 eap="TTLS", identity="utf8-user-hash",
1025 anonymous_identity="ttls", password_hex=p,
1026 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1027 wait_connect=False, scan_freq="2412")
1028 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1030 raise Exception("No failure reported")
1031 dev[2].request("REMOVE_NETWORK all")
1032 dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an EAP method (here GTC) as the inner method, as
    # opposed to auth= which selects a non-EAP inner method.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the inner EAP-GTC exchange: the connection must
    # fail (expect_failure=True makes eap_connect assert that).
    creds = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True, **creds)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" is an account the server has no password for; a
    # password-based inner method must therefore be rejected.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **creds)
1062 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1063 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
# Uses the integrated EAP server (int_eap_server_params) so that alloc_fail
# can target allocations inside hostapd's EAP-GTC server code.
1064 params = int_eap_server_params()
1065 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: eap_gtc_init on the server. The peer must see a failure,
# not a hang or a crash.
1066 with alloc_fail(hapd, 1, "eap_gtc_init"):
1067 eap_connect(dev[0], apdev[0], "TTLS", "user",
1068 anonymous_identity="ttls", password="password",
1069 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1070 expect_failure=True)
1071 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the GTC request. The connect is started without
# waiting because it can never complete.
1073 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1074 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1075 eap="TTLS", identity="user",
1076 anonymous_identity="ttls", password="password",
1077 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1078 wait_connect=False, scan_freq="2412")
1079 # This would eventually time out, but we can stop after having reached
1080 # the allocation failure.
# NOTE(review): original lines 1081-1082 and 1084 are missing from this
# listing, so the loop enclosing this check and what it does once
# GET_ALLOC_FAIL reports the trigger as consumed cannot be seen here.
1083 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 may be compiled out; skip rather than fail in that case.
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner EAP method of the TTLS tunnel.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the inner EAP-MD5 exchange; the tunnel must not
    # be accepted.
    creds = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True, **creds)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no password on the server side, so EAP-MD5
    # cannot succeed for it.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **creds)
1117 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1118 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1119 check_eap_capa(dev[0], "MD5")
# Integrated EAP server so alloc_fail can hit hostapd's EAP-MD5 server code.
1120 params = int_eap_server_params()
1121 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: eap_md5_init. The peer must observe a clean failure.
1122 with alloc_fail(hapd, 1, "eap_md5_init"):
1123 eap_connect(dev[0], apdev[0], "TTLS", "user",
1124 anonymous_identity="ttls", password="password",
1125 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1126 expect_failure=True)
1127 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the MD5 challenge. Started without waiting for
# a connection that cannot complete.
1129 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1130 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1131 eap="TTLS", identity="user",
1132 anonymous_identity="ttls", password="password",
1133 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1134 wait_connect=False, scan_freq="2412")
1135 # This would eventually time out, but we can stop after having reached
1136 # the allocation failure.
# NOTE(review): original lines 1137-1138 and 1140 are missing from this
# listing, so the loop enclosing this check and what it does once
# GET_ALLOC_FAIL reports the trigger as consumed cannot be seen here.
1139 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MSCHAPv2 as the inner EAP method (autheap=) of the TTLS tunnel.
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Same network, one character off in the password: must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server holds no password for "user-no-passwd"; the inner
    # EAP-MSCHAPv2 exchange must fail.
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **creds)
1170 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1171 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1172 check_eap_capa(dev[0], "MSCHAPV2")
# Integrated EAP server so alloc_fail can hit hostapd's EAP-MSCHAPv2
# server code at four different points of the exchange.
1173 params = int_eap_server_params()
1174 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Failure point 1: method init. The peer must observe a clean failure.
1175 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1176 eap_connect(dev[0], apdev[0], "TTLS", "user",
1177 anonymous_identity="ttls", password="password",
1178 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1179 expect_failure=True)
1180 dev[0].request("REMOVE_NETWORK all")
# Failure point 2: building the challenge. The remaining rounds start the
# connection without waiting, since it cannot complete.
1182 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1183 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1184 eap="TTLS", identity="user",
1185 anonymous_identity="ttls", password="password",
1186 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1187 wait_connect=False, scan_freq="2412")
1188 # This would eventually time out, but we can stop after having reached
1189 # the allocation failure.
# NOTE(review): the lines around each GET_ALLOC_FAIL check below (original
# 1190-1191, 1193, 1204-1205, 1207, 1218-1219, 1221) are missing from this
# listing, so the enclosing loop and the action on the result are not
# visible here.
1192 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1194 dev[0].request("REMOVE_NETWORK all")
# Failure point 3: building the success request after a correct response.
1196 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1197 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1198 eap="TTLS", identity="user",
1199 anonymous_identity="ttls", password="password",
1200 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1201 wait_connect=False, scan_freq="2412")
1202 # This would eventually time out, but we can stop after having reached
1203 # the allocation failure.
1206 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1208 dev[0].request("REMOVE_NETWORK all")
# Failure point 4: building the failure request; a wrong password is used
# so the server actually reaches that code path.
1210 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1211 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1212 eap="TTLS", identity="user",
1213 anonymous_identity="ttls", password="wrong",
1214 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1215 wait_connect=False, scan_freq="2412")
1216 # This would eventually time out, but we can stop after having reached
1217 # the allocation failure.
1220 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1222 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside TTLS. The identity is the IMSI-style "0232010000000000"
    # and the password carries the simulated USIM secrets in the
    # colon-separated form wpa_supplicant expects (presumably Ki:OPc:SQN).
    usim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                   "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=usim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credential as the TTLS variant, but tunnelled in
    # PEAP; the anonymous outer identity routes to the PEAP server config.
    usim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                   "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=usim_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # EAP-FAST may be compiled out.
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    usim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                   "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 allows authenticated PAC provisioning; the PAC is
    # kept in a config blob rather than a file.
    fast_opts = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=usim_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA",
                **fast_opts)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    # Baseline: PEAP with inner EAP-MSCHAPv2, data path and reauth.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same credentials with a small EAP fragment size so the
    # fragmentation/reassembly path is exercised.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Credential given as a pre-computed NT hash instead of cleartext.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner identity with a Windows-style DOMAIN\ prefix.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for the inner EAP-MSCHAPv2; the PEAP session must fail.
    creds = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                expect_failure=True, **creds)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_with_binding(sta, level):
        # PEAPv0 with the wpa_supplicant phase1 option crypto_binding=<level>
        # (2 = required, 1 = optional, 0 = not used). Binding ties the inner
        # method's result to the outer TLS tunnel.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % level,
                    phase2="auth=MSCHAPV2")

    # Required binding, plus data path and reauthentication.
    connect_with_binding(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Optional and disabled binding must both still connect.
    connect_with_binding(dev[1], 1)
    connect_with_binding(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so alloc_fail can target hostapd's
    # eap_mschapv2_getKey, whose key material feeds the crypto binding.
    ap = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    with alloc_fail(ap, 1, "eap_mschapv2_getKey"):
        # With binding required, losing the inner key must fail the session;
        # local_error_report=True accepts a locally reported failure.
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1338 def test_ap_wpa2_eap_peap_params(dev, apdev):
1339 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
# NOTE(review): this listing drops several lines of this function (the
# identity= argument of the dev[0].connect() calls at original lines 1350
# and 1370, the `if ev is None:` / `if ev is not None:` guards before each
# raise, one entry of the first `tests` list, and the scan_freq argument of
# the first loop's connect()). Comments below describe only what is visible.
1340 check_eap_capa(dev[0], "MSCHAPV2")
1341 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1342 hostapd.add_ap(apdev[0]['ifname'], params)
# peaplabel=1 with PEAPv0 is expected to fail (expect_failure=True).
1343 eap_connect(dev[0], apdev[0], "PEAP", "user",
1344 anonymous_identity="peap", password="password",
1345 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1346 phase1="peapver=0 peaplabel=1",
1347 expect_failure=True)
1348 dev[0].request("REMOVE_NETWORK all")
# peap_outer_success=0: EAP-Success is seen but, per the comment below, the
# connection itself is not expected to complete.
1349 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1351 anonymous_identity="peap", password="password",
1352 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1353 phase1="peap_outer_success=0",
1354 wait_connect=False, scan_freq="2412")
1355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1357 raise Exception("No EAP success seen")
1358 # This won't succeed to connect with peap_outer_success=0, so stop here.
1359 dev[0].request("REMOVE_NETWORK all")
1360 dev[0].wait_disconnected()
# peap_outer_success=1 and =2 both complete normally.
1361 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1362 ca_cert="auth_serv/ca.pem",
1363 phase1="peap_outer_success=1",
1364 phase2="auth=MSCHAPV2")
1365 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1366 ca_cert="auth_serv/ca.pem",
1367 phase1="peap_outer_success=2",
1368 phase2="auth=MSCHAPV2")
# peapver=1 with peaplabel=1: EAP-Success is reported but a connection
# within 1 s is treated as a failure ("Unexpected connection").
1369 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1371 anonymous_identity="peap", password="password",
1372 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1373 phase1="peapver=1 peaplabel=1",
1374 wait_connect=False, scan_freq="2412")
1375 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1377 raise Exception("No EAP success seen")
1378 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1380 raise Exception("Unexpected connection")
# Matching (anonymous identity, forced peapver) pairs. The anonymous
# identity presumably selects the PEAP version on the server side, so
# these combinations are expected to connect.
1382 tests = [ ("peap-ver0", ""),
1384 ("peap-ver0", "peapver=0"),
1385 ("peap-ver1", "peapver=1") ]
1386 for anon,phase1 in tests:
1387 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1388 identity="user", anonymous_identity=anon,
1389 password="password", phase1=phase1,
1390 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1392 dev[0].request("REMOVE_NETWORK all")
1393 dev[0].wait_disconnected()
# Mismatched pairs: the peer forces the version the server does not offer,
# so CTRL-EVENT-EAP-FAILURE is required.
1395 tests = [ ("peap-ver0", "peapver=1"),
1396 ("peap-ver1", "peapver=0") ]
1397 for anon,phase1 in tests:
1398 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1399 identity="user", anonymous_identity=anon,
1400 password="password", phase1=phase1,
1401 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1402 wait_connect=False, scan_freq="2412")
1403 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
1405 raise Exception("No EAP-Failure seen")
1406 dev[0].request("REMOVE_NETWORK all")
1407 dev[0].wait_disconnected()
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-TLS as the inner method: the client certificate and key are
    # passed through the *2 (phase 2) parameters, the outer tunnel only
    # validates the server against ca_cert.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Plain EAP-TLS: mutual certificate authentication, no inner method.
    client_creds = dict(client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem", **client_creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The private key is a password-protected PKCS #8 file; the passphrase
    # is supplied up front via private_key_passwd.
    key = dict(private_key="auth_serv/user.key.pkcs8",
               private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the PKCS #5 v2 case but with the older v1.5 key encryption.
    key = dict(private_key="auth_serv/user.key.pkcs8.pkcs5v15",
               private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem", **key)
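def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each PEM file is loaded into a named wpa_supplicant config blob
    # (hex-encoded over the control interface) and then referenced as
    # blob://<name>, so no file paths reach the EAP configuration.
    # Fix: the userkey error message previously said "cacert", which made a
    # failing key upload indistinguishable from a failing CA upload.
    for name, path in (("cacert", "auth_serv/ca.pem"),
                       ("usercert", "auth_serv/user.pem"),
                       ("userkey", "auth_serv/user.rsa-key")):
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")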
1464 def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
1465 """EAP-TLS and config blob missing"""
1466 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1467 hostapd.add_ap(apdev[0]['ifname'], params)
# All three credentials point at a blob name that was never SET; method
# initialisation must fail rather than proceed without a CA or key.
1468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1469 identity="tls user",
1470 ca_cert="blob://testing-blob-does-not-exist",
1471 client_cert="blob://testing-blob-does-not-exist",
1472 private_key="blob://testing-blob-does-not-exist",
1473 wait_connect=False, scan_freq="2412")
# NOTE(review): the `if ev is None:` guard (original line 1475) between
# wait_event() and the raise is missing from this listing.
1474 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
1476 raise Exception("EAP failure not reported")
1477 dev[0].request("REMOVE_NETWORK all")
1478 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer add the TLS Message Length field
    # even to packets that are not fragmented.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                phase1="include_tls_length=1",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
1489 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1490 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1491 check_pkcs12_support(dev[0])
1492 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1493 hostapd.add_ap(apdev[0]['ifname'], params)
# Client certificate and key come from one PKCS#12 container; no separate
# client_cert is configured.
1494 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1495 private_key="auth_serv/user.pkcs12",
1496 private_key_passwd="whatever")
1497 dev[0].request("REMOVE_NETWORK all")
1498 dev[0].wait_disconnected()
# Same container without private_key_passwd: wpa_supplicant must ask for
# the passphrase over the control interface instead of failing outright.
1500 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1501 identity="tls user",
1502 ca_cert="auth_serv/ca.pem",
1503 private_key="auth_serv/user.pkcs12",
1504 wait_connect=False, scan_freq="2412")
# NOTE(review): the `if ev is None:` guard (original line 1506) before the
# raise is missing from this listing.
1505 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1507 raise Exception("Request for private key passphrase timed out")
# The request id is the number after the last '-' in "CTRL-REQ-PASSPHRASE-<id>:";
# it is echoed back in the CTRL-RSP command. (`id` shadows the builtin.)
1508 id = ev.split(':')[0].split('-')[-1]
1509 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1510 dev[0].wait_connected(timeout=10)
1511 dev[0].request("REMOVE_NETWORK all")
1512 dev[0].wait_disconnected()
1514 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1515 # different files to cover both cases of the extra certificate being the
1516 # one that signed the client certificate and it being unrelated to the
1517 # client certificate.
# NOTE(review): original lines 1519 and 1522 are missing from this listing;
# the second one presumably passes the loop variable as private_key.
1518 for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1520 eap_connect(dev[0], apdev[0], "TLS", "tls user",
1521 ca_cert="auth_serv/ca.pem",
1523 private_key_passwd="whatever")
1524 dev[0].request("REMOVE_NETWORK all")
1525 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, raw):
        # Blobs are uploaded hex-encoded over the control interface.
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      raw.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 container is binary, so it is read in binary mode rather
    # than through read_pem().
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    # Both the trust anchor and the client key/cert now come from blobs.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1542 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1543 """WPA2-Enterprise negative test - incorrect trust root"""
1544 check_eap_capa(dev[0], "MSCHAPV2")
1545 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1546 hostapd.add_ap(apdev[0]['ifname'], params)
# The peer is given a CA that did not issue the server certificate, once as
# a config blob (dev[0]) and once as a file (dev[1]). Neither must connect.
1547 cert = read_pem("auth_serv/ca-incorrect.pem")
1548 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1549 raise Exception("Could not set cacert blob")
1550 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1551 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1552 password="password", phase2="auth=MSCHAPV2",
1553 ca_cert="blob://cacert",
1554 wait_connect=False, scan_freq="2412")
1555 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1556 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1557 password="password", phase2="auth=MSCHAPV2",
1558 ca_cert="auth_serv/ca-incorrect.pem",
1559 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop variable shadows the `dev` parameter; it works
# because the tuple is evaluated before the rebinding, but `dev` no longer
# refers to the fixture after this loop. The `if ev is None:` guard before
# each "timed out" / "not reported" raise is missing from this listing.
# Expected event order per station: EAP started, TTLS selected, TLS
# certificate error, EAP failure, disconnection, and finally the network
# block being temporarily disabled so the peer does not keep retrying.
1561 for dev in (dev[0], dev[1]):
1562 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1564 raise Exception("Association and EAP start timed out")
1566 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1568 raise Exception("EAP method selection timed out")
1569 if "TTLS" not in ev:
1570 raise Exception("Unexpected EAP method")
# The certificate error must be the first result event; EAP success or a
# connection here would mean the untrusted server was accepted.
1572 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1573 "CTRL-EVENT-EAP-SUCCESS",
1574 "CTRL-EVENT-EAP-FAILURE",
1575 "CTRL-EVENT-CONNECTED",
1576 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1578 raise Exception("EAP result timed out")
1579 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1580 raise Exception("TLS certificate error not reported")
1582 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1583 "CTRL-EVENT-EAP-FAILURE",
1584 "CTRL-EVENT-CONNECTED",
1585 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1587 raise Exception("EAP result(2) timed out")
1588 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1589 raise Exception("EAP failure not reported")
1591 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1592 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1594 raise Exception("EAP result(3) timed out")
1595 if "CTRL-EVENT-DISCONNECTED" not in ev:
1596 raise Exception("Disconnection not reported")
1598 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1600 raise Exception("Network block disabling not reported")
# NOTE(review): gutter line 1623 is absent from this listing; it is
# presumably the `if ev is None:` guard in front of the raise below.
1602 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1603 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Connect with the correct trust root first, then add a second network
# block for the same SSID that trusts the wrong CA and switch to it. The
# switch must trigger a fresh EAP-TTLS exchange (method 21 proposed again)
# that ends in a disconnection with reason code 23 (IEEE 802.1X
# authentication failed): trust established under one network block must
# not carry over to another one with different CA settings.
1604 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# hapd is not used after this point.
1605 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1606 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1607 identity="pap user", anonymous_identity="ttls",
1608 password="password", phase2="auth=PAP",
1609 ca_cert="auth_serv/ca.pem",
1610 wait_connect=True, scan_freq="2412")
# `id` shadows the builtin. only_add_network=True presumably stores the
# block without connecting to it - verify against wpasupplicant.connect().
1611 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1612 identity="pap user", anonymous_identity="ttls",
1613 password="password", phase2="auth=PAP",
1614 ca_cert="auth_serv/ca-incorrect.pem",
1615 only_add_network=True, scan_freq="2412")
1617 dev[0].request("DISCONNECT")
1618 dev[0].wait_disconnected()
# dump_monitor() here presumably discards queued events so the checks
# below only see events from the new attempt.
1619 dev[0].dump_monitor()
1620 dev[0].select_network(id, freq="2412")
1622 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1624 raise Exception("EAP-TTLS not re-started")
1626 ev = dev[0].wait_disconnected(timeout=15)
1627 if "reason=23" not in ev:
1628 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): gutter line 1650 is absent from this listing; it is
# presumably the `if ev is None:` guard in front of the raise below.
1630 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1631 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Variant of test_ap_wpa2_eap_tls_diff_ca_trust in which the first network
# block configures no ca_cert at all (no server certificate validation on
# the first connection). Switching to the second block, which trusts the
# wrong CA, must still restart EAP-TTLS and fail with reason code 23
# (IEEE 802.1X authentication failed) instead of reusing the earlier
# unvalidated success.
1632 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# hapd is not used after this point.
1633 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1634 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1635 identity="pap user", anonymous_identity="ttls",
1636 password="password", phase2="auth=PAP",
1637 wait_connect=True, scan_freq="2412")
# `id` shadows the builtin.
1638 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1639 identity="pap user", anonymous_identity="ttls",
1640 password="password", phase2="auth=PAP",
1641 ca_cert="auth_serv/ca-incorrect.pem",
1642 only_add_network=True, scan_freq="2412")
1644 dev[0].request("DISCONNECT")
1645 dev[0].wait_disconnected()
1646 dev[0].dump_monitor()
1647 dev[0].select_network(id, freq="2412")
1649 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1651 raise Exception("EAP-TTLS not re-started")
1653 ev = dev[0].wait_disconnected(timeout=15)
1654 if "reason=23" not in ev:
1655 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): gutter line 1673 is absent from this listing; it is
# presumably the `if ev is None:` guard in front of the raise below.
1657 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1658 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
# Single network block: after a successful connection its ca_cert is
# changed in place to the wrong CA. Re-selecting the block must run a new
# EAP-TTLS exchange against the changed trust settings and end with reason
# code 23 (IEEE 802.1X authentication failed).
1659 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# hapd is not used after this point.
1660 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# `id` shadows the builtin.
1661 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1662 identity="pap user", anonymous_identity="ttls",
1663 password="password", phase2="auth=PAP",
1664 ca_cert="auth_serv/ca.pem",
1665 wait_connect=True, scan_freq="2412")
1666 dev[0].request("DISCONNECT")
1667 dev[0].wait_disconnected()
1668 dev[0].dump_monitor()
# Swap the trust root on the existing block rather than adding a new one.
1669 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1670 dev[0].select_network(id, freq="2412")
1672 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1674 raise Exception("EAP-TTLS not re-started")
1676 ev = dev[0].wait_disconnected(timeout=15)
1677 if "reason=23" not in ev:
1678 raise Exception("Proper reason code for disconnection not reported")
# NOTE(review): the gutter numbering skips lines (1693, 1695, 1697, 1707,
# 1718, 1725, 1731); those look like the `if ev is None:` guards in front
# of the "timed out" raises and are not reproduced here.
1680 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1681 """WPA2-Enterprise negative test - domain suffix mismatch"""
# The CA is correct, but domain_suffix_match names a suffix the server
# certificate does not carry. The certificate error event must state
# "Domain suffix mismatch" explicitly - a generic failure would not prove
# that the name check, rather than chain validation, rejected the server.
1682 check_domain_suffix_match(dev[0])
1683 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1684 hostapd.add_ap(apdev[0]['ifname'], params)
1685 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1686 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1687 password="password", phase2="auth=MSCHAPV2",
1688 ca_cert="auth_serv/ca.pem",
1689 domain_suffix_match="incorrect.example.com",
1690 wait_connect=False, scan_freq="2412")
1692 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1694 raise Exception("Association and EAP start timed out")
1696 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1698 raise Exception("EAP method selection timed out")
1699 if "TTLS" not in ev:
1700 raise Exception("Unexpected EAP method")
# Wait on all outcome events so a premature SUCCESS/CONNECTED is caught.
1702 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1703 "CTRL-EVENT-EAP-SUCCESS",
1704 "CTRL-EVENT-EAP-FAILURE",
1705 "CTRL-EVENT-CONNECTED",
1706 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1708 raise Exception("EAP result timed out")
1709 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1710 raise Exception("TLS certificate error not reported")
1711 if "Domain suffix mismatch" not in ev:
1712 raise Exception("Domain suffix mismatch not reported")
1714 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1715 "CTRL-EVENT-EAP-FAILURE",
1716 "CTRL-EVENT-CONNECTED",
1717 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1719 raise Exception("EAP result(2) timed out")
1720 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1721 raise Exception("EAP failure not reported")
1723 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1724 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1726 raise Exception("EAP result(3) timed out")
1727 if "CTRL-EVENT-DISCONNECTED" not in ev:
1728 raise Exception("Disconnection not reported")
1730 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1732 raise Exception("Network block disabling not reported")
# NOTE(review): the gutter numbering skips lines (1747, 1749, 1751, 1761,
# 1772, 1779, 1785); those look like the `if ev is None:` guards in front
# of the "timed out" raises and are not reproduced here.
1734 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1735 """WPA2-Enterprise negative test - domain mismatch"""
# domain_match requires an exact name match (unlike domain_suffix_match).
# "w1.fi" is expected not to equal the server certificate's name, so the
# certificate error must carry "Domain mismatch" and the connection must
# end in EAP failure, disconnection and a temporarily disabled network.
1736 check_domain_match(dev[0])
1737 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1738 hostapd.add_ap(apdev[0]['ifname'], params)
1739 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1740 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1741 password="password", phase2="auth=MSCHAPV2",
1742 ca_cert="auth_serv/ca.pem",
1743 domain_match="w1.fi",
1744 wait_connect=False, scan_freq="2412")
1746 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1748 raise Exception("Association and EAP start timed out")
1750 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1752 raise Exception("EAP method selection timed out")
1753 if "TTLS" not in ev:
1754 raise Exception("Unexpected EAP method")
# Wait on all outcome events so a premature SUCCESS/CONNECTED is caught.
1756 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1757 "CTRL-EVENT-EAP-SUCCESS",
1758 "CTRL-EVENT-EAP-FAILURE",
1759 "CTRL-EVENT-CONNECTED",
1760 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1762 raise Exception("EAP result timed out")
1763 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1764 raise Exception("TLS certificate error not reported")
1765 if "Domain mismatch" not in ev:
1766 raise Exception("Domain mismatch not reported")
1768 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1769 "CTRL-EVENT-EAP-FAILURE",
1770 "CTRL-EVENT-CONNECTED",
1771 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1773 raise Exception("EAP result(2) timed out")
1774 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1775 raise Exception("EAP failure not reported")
1777 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1778 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1780 raise Exception("EAP result(3) timed out")
1781 if "CTRL-EVENT-DISCONNECTED" not in ev:
1782 raise Exception("Disconnection not reported")
1784 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1786 raise Exception("Network block disabling not reported")
# NOTE(review): the gutter numbering skips lines (1800, 1802, 1805, 1812,
# 1821, 1832, 1839, 1845). Most look like `if ev is None:` guards; 1812 is
# presumably the early `return` that ends the unsupported-library branch
# below. They are not reproduced here.
1788 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1789 """WPA2-Enterprise negative test - subject mismatch"""
# subject_match is given a full DN that does not match the server
# certificate. Two outcomes are accepted: with OpenSSL the method must
# initialise and then fail with a "Subject mismatch" certificate error;
# with a TLS library that does not implement subject_match, failing to
# initialise the EAP method at all is also a safe (fail-closed) result.
1790 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1791 hostapd.add_ap(apdev[0]['ifname'], params)
1792 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1793 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1794 password="password", phase2="auth=MSCHAPV2",
1795 ca_cert="auth_serv/ca.pem",
1796 subject_match="/C=FI/O=w1.fi/CN=example.com",
1797 wait_connect=False, scan_freq="2412")
1799 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1801 raise Exception("Association and EAP start timed out")
1803 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1804 "EAP: Failed to initialize EAP method"], timeout=10)
1806 raise Exception("EAP method selection timed out")
# An init failure is only acceptable when the TLS library is not OpenSSL;
# with OpenSSL the option is supported and init must succeed.
1807 if "EAP: Failed to initialize EAP method" in ev:
1808 tls = dev[0].request("GET tls_library")
1809 if tls.startswith("OpenSSL"):
1810 raise Exception("Failed to select EAP method")
1811 logger.info("subject_match not supported - connection failed, so test succeeded")
1813 if "TTLS" not in ev:
1814 raise Exception("Unexpected EAP method")
# Wait on all outcome events so a premature SUCCESS/CONNECTED is caught.
1816 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1817 "CTRL-EVENT-EAP-SUCCESS",
1818 "CTRL-EVENT-EAP-FAILURE",
1819 "CTRL-EVENT-CONNECTED",
1820 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1822 raise Exception("EAP result timed out")
1823 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1824 raise Exception("TLS certificate error not reported")
1825 if "Subject mismatch" not in ev:
1826 raise Exception("Subject mismatch not reported")
1828 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1829 "CTRL-EVENT-EAP-FAILURE",
1830 "CTRL-EVENT-CONNECTED",
1831 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1833 raise Exception("EAP result(2) timed out")
1834 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1835 raise Exception("EAP failure not reported")
1837 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1838 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1840 raise Exception("EAP result(3) timed out")
1841 if "CTRL-EVENT-DISCONNECTED" not in ev:
1842 raise Exception("Disconnection not reported")
1844 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1846 raise Exception("Network block disabling not reported")
# NOTE(review): gutter lines 1855-1857 are absent from this listing; they
# presumably hold the remaining entries of `tests` and the `for match in
# tests:` loop header that drives the call below.
1848 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1849 """WPA2-Enterprise negative test - altsubject mismatch"""
# Driver for _test_ap_wpa2_eap_tls_neg_altsubject_match: one AP, then each
# altsubject_match value is tried in turn and must be rejected. The visible
# entries cover a bare host name and a DNS: typed entry.
1850 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1851 hostapd.add_ap(apdev[0]['ifname'], params)
1853 tests = [ "incorrect.example.com",
1854 "DNS:incorrect.example.com",
1858 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
# NOTE(review): the gutter numbering skips lines (1869, 1871, 1874, 1881,
# 1890, 1901, 1908, 1914). Most look like `if ev is None:` guards; 1881 is
# presumably the early `return` ending the unsupported-library branch.
# They are not reproduced here.
1860 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
# One negative altsubject_match attempt against an AP the caller has
# already started. `match` is the altsubject_match value under test; the
# station must report a certificate error containing "AltSubject mismatch",
# then EAP failure, disconnection and a temporarily disabled network.
# The network is removed at the end so the helper can be run repeatedly.
1861 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1862 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1863 password="password", phase2="auth=MSCHAPV2",
1864 ca_cert="auth_serv/ca.pem",
1865 altsubject_match=match,
1866 wait_connect=False, scan_freq="2412")
1868 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1870 raise Exception("Association and EAP start timed out")
1872 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1873 "EAP: Failed to initialize EAP method"], timeout=10)
1875 raise Exception("EAP method selection timed out")
# Failing to initialise the method is accepted (fail-closed) only when the
# TLS library is not OpenSSL, where altsubject_match may be unsupported.
1876 if "EAP: Failed to initialize EAP method" in ev:
1877 tls = dev[0].request("GET tls_library")
1878 if tls.startswith("OpenSSL"):
1879 raise Exception("Failed to select EAP method")
1880 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1882 if "TTLS" not in ev:
1883 raise Exception("Unexpected EAP method")
# Wait on all outcome events so a premature SUCCESS/CONNECTED is caught.
1885 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1886 "CTRL-EVENT-EAP-SUCCESS",
1887 "CTRL-EVENT-EAP-FAILURE",
1888 "CTRL-EVENT-CONNECTED",
1889 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1891 raise Exception("EAP result timed out")
1892 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1893 raise Exception("TLS certificate error not reported")
1894 if "AltSubject mismatch" not in ev:
1895 raise Exception("altsubject mismatch not reported")
1897 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1898 "CTRL-EVENT-EAP-FAILURE",
1899 "CTRL-EVENT-CONNECTED",
1900 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1902 raise Exception("EAP result(2) timed out")
1903 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1904 raise Exception("EAP failure not reported")
1906 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1907 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1909 raise Exception("EAP result(3) timed out")
1910 if "CTRL-EVENT-DISCONNECTED" not in ev:
1911 raise Exception("Disconnection not reported")
1913 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1915 raise Exception("Network block disabling not reported")
# Clean up so the next `match` value starts from an empty network list.
1917 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Only a CA certificate is configured on the station (no client
    certificate or key); the connection is expected to succeed and a
    reauthentication is exercised afterwards.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
# NOTE(review): the gutter numbering skips lines (1938, 1941, 1946, 1959,
# 1962); those look like the `if ev is None:` guards in front of the
# raises and are not reproduced here.
1927 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1928 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
# Three phases:
#  1. ca_cert="probe://" - the station only reports the server certificate
#     (CTRL-EVENT-EAP-PEER-CERT with its hash) and the attempt must end in
#     a certificate error, never in a connection.
#  2. ca_cert="hash://server/sha256/<wrong hash>" - pinning to a different
#     fingerprint must be rejected with "Server certificate mismatch".
#  3. ca_cert="hash://server/sha256/<correct hash>" - pinning to the
#     fingerprint learned in phase 1 must connect.
1929 check_cert_probe_support(dev[0])
1930 skip_with_fips(dev[0])
# SHA-256 fingerprint of the test server certificate; must be updated
# whenever that certificate is regenerated.
1931 srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1932 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1933 hostapd.add_ap(apdev[0]['ifname'], params)
1934 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1935 identity="probe", ca_cert="probe://",
1936 wait_connect=False, scan_freq="2412")
1937 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1939 raise Exception("Association and EAP start timed out")
# depth=0 is the end-entity (server) certificate in the presented chain.
1940 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1942 raise Exception("No peer server certificate event seen")
1943 if "hash=" + srv_cert_hash not in ev:
1944 raise Exception("Expected server certificate hash not reported")
# The probe must terminate as a certificate error, not a success.
1945 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1947 raise Exception("EAP result timed out")
1948 if "Server certificate chain probe" not in ev:
1949 raise Exception("Server certificate probe not reported")
1950 dev[0].wait_disconnected(timeout=10)
1951 dev[0].request("REMOVE_NETWORK all")
# Wrong pin: same length and digest, different value.
1953 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1954 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1955 password="password", phase2="auth=MSCHAPV2",
1956 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1957 wait_connect=False, scan_freq="2412")
1958 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1960 raise Exception("Association and EAP start timed out")
1961 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1963 raise Exception("EAP result timed out")
1964 if "Server certificate mismatch" not in ev:
1965 raise Exception("Server certificate mismatch not reported")
1966 dev[0].wait_disconnected(timeout=10)
1967 dev[0].request("REMOVE_NETWORK all")
# Correct pin: no CA file at all, trust comes solely from the fingerprint.
1969 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1970 anonymous_identity="ttls", password="password",
1971 ca_cert="hash://server/sha256/" + srv_cert_hash,
1972 phase2="auth=MSCHAPV2")
# NOTE(review): gutter lines 1995 and 1998 are absent from this listing;
# they are presumably the `if ev is None:` guards in front of the raises.
1974 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1975 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
# Three malformed hash:// pins, each on its own station, must all be
# rejected when the EAP method is initialised rather than silently
# degrading to "no pin":
#   dev[0] - unsupported digest (md5)
#   dev[1] - sha256 value that is too short
#   dev[2] - sha256 value containing a non-hex character ('Q')
1976 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1977 hostapd.add_ap(apdev[0]['ifname'], params)
1978 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1979 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1980 password="password", phase2="auth=MSCHAPV2",
1981 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1982 wait_connect=False, scan_freq="2412")
1983 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1984 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1985 password="password", phase2="auth=MSCHAPV2",
1986 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1987 wait_connect=False, scan_freq="2412")
1988 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1989 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1990 password="password", phase2="auth=MSCHAPV2",
1991 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1992 wait_connect=False, scan_freq="2412")
1993 for i in range(0, 3):
1994 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1996 raise Exception("Association and EAP start timed out")
# The failure has to be reported at method init (vendor 0 method 21 = TTLS).
1997 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1999 raise Exception("Did not report EAP method initialization failure")
# NOTE(review): gutter lines 2013 and 2022 are absent from this listing;
# both follow a trailing-comma argument line and presumably hold the final
# keyword argument (and closing parenthesis) of those eap_connect calls.
2001 def test_ap_wpa2_eap_pwd(dev, apdev):
2002 """WPA2-Enterprise connection using EAP-pwd"""
# Positive case with reauthentication, then an over-long NAI identity on
# dev[1], a wrong password on dev[2] that must fail locally, and finally
# the long identity again on dev[0].
2003 check_eap_capa(dev[0], "PWD")
2004 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2005 hostapd.add_ap(apdev[0]['ifname'], params)
2006 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
2007 eap_reauth(dev[0], "PWD")
2008 dev[0].request("REMOVE_NETWORK all")
2010 eap_connect(dev[1], apdev[0], "PWD",
2011 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2012 password="secret password",
2015 logger.info("Negative test with incorrect password")
# "secret-password" differs from the valid "secret password" by one
# character; local_error_report=True presumably means the failure is
# expected to be reported by the station itself - confirm in eap_connect().
2016 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
2017 expect_failure=True, local_error_report=True)
2019 eap_connect(dev[0], apdev[0], "PWD",
2020 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2021 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    dev[0] authenticates user "pwd-hash" with the plaintext password,
    dev[1] with a pre-computed NT hash of it (password_hex="hash:..."),
    and dev[2] offers that same hash for the different user "pwd user",
    which must be rejected.
    """
    sta0, sta1, sta2 = dev[0], dev[1], dev[2]
    ap = apdev[0]
    check_eap_capa(sta0, "PWD")
    # Skipped under FIPS, presumably because the MD4-based NT hash is
    # unavailable there.
    skip_with_fips(sta0)
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(sta0, ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(sta1, ap, "PWD", "pwd-hash",
                password_hex=nt_hash)
    eap_connect(sta2, ap, "PWD", "pwd user",
                password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
# NOTE(review): the gutter numbering skips lines (2048, 2052, 2058, 2062,
# 2065, 2066). From the visible code these are presumably the `for i in
# groups:` header, the `try:`/`except` pair around eap_connect, and the
# `continue`/`raise` that end the BoringSSL special case. Not reproduced.
2037 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2038 """WPA2-Enterprise connection using various EAP-pwd groups"""
# Starts one AP per EC group and connects with EAP-pwd. 19/20/21 are the
# NIST P-256/P-384/P-521 groups, 25/26 are P-192/P-224; 27-30 (Brainpool)
# are only added when both the build and runtime OpenSSL are 1.0.2.
2039 check_eap_capa(dev[0], "PWD")
2040 tls = dev[0].request("GET tls_library")
2041 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2042 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2043 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2044 groups = [ 19, 20, 21, 25, 26 ]
# Both build= and run= versions are required: a runtime library older than
# the build headers would not provide the Brainpool curves.
2045 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2046 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2047 groups += [ 27, 28, 29, 30 ]
2049 logger.info("Group %d" % i)
2050 params['pwd_group'] = str(i)
2051 hostapd.add_ap(apdev[0]['ifname'], params)
2053 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2054 password="secret password")
2055 dev[0].request("REMOVE_NETWORK all")
2056 dev[0].wait_disconnected()
2057 dev[0].dump_monitor()
# Known BoringSSL limitation: a failure with group 25 is logged and skipped
# instead of failing the test; every other failure is fatal.
2059 if "BoringSSL" in tls and i in [ 25 ]:
2060 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2061 dev[0].request("DISCONNECT")
2063 dev[0].request("REMOVE_NETWORK all")
2064 dev[0].dump_monitor()
# NOTE(review): gutter line 2080 is absent from this listing; it is
# presumably the `if ev is None:` guard in front of the raise below.
2068 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2069 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# The server is configured with pwd_group 0, which is not a valid group;
# the station must end up with an EAP failure rather than a connection.
2070 check_eap_capa(dev[0], "PWD")
2071 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2072 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2073 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
2074 params['pwd_group'] = "0"
2075 hostapd.add_ap(apdev[0]['ifname'], params)
2076 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2077 identity="pwd user", password="secret password",
2078 scan_freq="2412", wait_connect=False)
# No timeout is passed here, so wait_event's default applies.
2079 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2081 raise Exception("Timeout on EAP failure report")
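def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP is configured with a deliberately small fragment_size (40) so
    the server side has to split EAP-pwd messages across several EAP
    fragments; the station must still complete the exchange.
    """
    check_eap_capa(dev[0], "PWD")
    # The original also built hostapd.wpa2_eap_params() here and then
    # immediately overwrote it; that dead assignment is dropped. The
    # explicit dictionary keeps pwd_group and fragment_size next to the
    # rest of the AP configuration.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")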
# NOTE(review): gutter lines 2106 and 2113 are absent from this listing;
# they are presumably the `if ev is None:` guards in front of the raises.
2094 def test_ap_wpa2_eap_gpsk(dev, apdev):
2095 """WPA2-Enterprise connection using EAP-GPSK"""
# Positive case and reauthentication, then phase1 is used to force each
# supported cipher suite in turn (both must succeed), an unknown cipher
# (9) must fail negotiation, and a wrong PSK must fail authentication.
2096 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2097 hostapd.add_ap(apdev[0]['ifname'], params)
# `id` shadows the builtin; it is the network id used to tweak phase1.
2098 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2099 password="abcdefghijklmnop0123456789abcdef")
2100 eap_reauth(dev[0], "GPSK")
2102 logger.info("Test forced algorithm selection")
2103 for phase1 in [ "cipher=1", "cipher=2" ]:
# Changing phase1 on the existing block presumably triggers a new EAP
# exchange; the SUCCESS wait below relies on that - confirm in wpasupplicant.
2104 dev[0].set_network_quoted(id, "phase1", phase1)
2105 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2107 raise Exception("EAP success timed out")
2108 dev[0].wait_connected(timeout=10)
2110 logger.info("Test failed algorithm negotiation")
2111 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2112 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2114 raise Exception("EAP failure timed out")
2116 logger.info("Negative test with incorrect password")
2117 dev[0].request("REMOVE_NETWORK all")
# Same length as the valid key, first byte changed.
2118 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2119 password="ffcdefghijklmnop0123456789abcdef",
2120 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive case with the 32-byte hex key and a reauthentication, then a
    negative case where the first byte of the key is changed and the
    authentication is expected to fail.
    """
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
# NOTE(review): gutter lines 2150 and 2157 are absent from this listing;
# they are presumably the `if ev is None:` guards in front of the raises.
2136 def test_ap_wpa2_eap_eke(dev, apdev):
2137 """WPA2-Enterprise connection using EAP-EKE"""
# Positive case and reauthentication, then phase1 forces several
# dhgroup/encr/prf/mac combinations that must all negotiate, one
# combination made of unknown values (all 9) that must fail, and finally a
# wrong password that must fail.
2138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2139 hostapd.add_ap(apdev[0]['ifname'], params)
# `id` shadows the builtin; it is the network id used to tweak phase1.
2140 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2141 eap_reauth(dev[0], "EKE")
2143 logger.info("Test forced algorithm selection")
2144 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2145 "dhgroup=4 encr=1 prf=2 mac=2",
2146 "dhgroup=3 encr=1 prf=2 mac=2",
2147 "dhgroup=3 encr=1 prf=1 mac=1" ]:
# Changing phase1 on the existing block presumably triggers a new EAP
# exchange; the SUCCESS wait below relies on that - confirm in wpasupplicant.
2148 dev[0].set_network_quoted(id, "phase1", phase1)
2149 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2151 raise Exception("EAP success timed out")
2152 dev[0].wait_connected(timeout=10)
2154 logger.info("Test failed algorithm negotiation")
2155 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2156 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2158 raise Exception("EAP failure timed out")
2160 logger.info("Negative test with incorrect password")
2161 dev[0].request("REMOVE_NETWORK all")
2162 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2163 expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The integrated EAP server is given a server_id in NAI form
    (user@realm); the EAP-EKE connection is expected to succeed with it.
    """
    ap = apdev[0]
    srv_params = int_eap_server_params()
    srv_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(ap['ifname'], srv_params)
    eap_connect(dev[0], ap, "EKE", "eke user", password="hello")
# NOTE(review): this listing omits a number of gutter lines (2177, 2194,
# 2208-2209, 2211, 2213, 2215, 2223-2224, 2226, 2230, 2233-2234). The
# visible `except Exception, e:` at 2228 has no matching `try:` here (it is
# presumably at 2215), and the wait/break logic after each connect is
# missing; the comments below describe only what is visible.
2172 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2173 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# Server-side allocation-failure injection: each (count, func) pair makes
# the count-th allocation inside func fail on the hostapd EAP server, and
# the station's authentication must then fail cleanly (no crash, no
# success). A third loop sweeps the generic eap_server_sm_step until the
# injector reports that no failure could be triggered any more.
2174 params = int_eap_server_params()
2175 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2176 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Failures in message build/process paths: every one must yield an EAP
# failure on the station side.
2178 for count,func in [ (1, "eap_eke_build_commit"),
2179 (2, "eap_eke_build_commit"),
2180 (3, "eap_eke_build_commit"),
2181 (1, "eap_eke_build_confirm"),
2182 (2, "eap_eke_build_confirm"),
2183 (1, "eap_eke_process_commit"),
2184 (2, "eap_eke_process_commit"),
2185 (1, "eap_eke_process_confirm"),
2186 (1, "eap_eke_process_identity"),
2187 (2, "eap_eke_process_identity"),
2188 (3, "eap_eke_process_identity"),
2189 (4, "eap_eke_process_identity") ]:
2190 with alloc_fail(hapd, count, func):
2191 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2192 expect_failure=True)
2193 dev[0].request("REMOVE_NETWORK all")
# Failures in init/key/session paths: here the station only starts the
# connection and the test stops once the injected failure has been hit
# (GET_ALLOC_FAIL no longer starting with '0'), since waiting for the
# exchange to time out would be slow. "wrong" is used with
# eap_eke_build_failure so that the failure message path is exercised.
2195 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2196 (1, "eap_eke_get_session_id", "hello"),
2197 (1, "eap_eke_getKey", "hello"),
2198 (1, "eap_eke_build_msg", "hello"),
2199 (1, "eap_eke_build_failure", "wrong"),
2200 (1, "eap_eke_build_identity", "hello"),
2201 (2, "eap_eke_build_identity", "hello") ]:
2202 with alloc_fail(hapd, count, func):
2203 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2204 eap="EKE", identity="eke user", password=pw,
2205 wait_connect=False, scan_freq="2412")
2206 # This would eventually time out, but we can stop after having
2207 # reached the allocation failure.
2210 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2212 dev[0].request("REMOVE_NETWORK all")
# Sweep of the EAP server state machine step function. `pw` is the value
# left over from the previous loop. The upper bound 1000 is a safety cap;
# the loop is expected to end earlier via the exception branch below.
2214 for count in range(1, 1000):
2216 with alloc_fail(hapd, count, "eap_server_sm_step"):
2217 dev[0].connect("test-wpa2-eap",
2218 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2219 eap="EKE", identity="eke user", password=pw,
2220 wait_connect=False, scan_freq="2412")
2221 # This would eventually time out, but we can stop after having
2222 # reached the allocation failure.
2225 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2227 dev[0].request("REMOVE_NETWORK all")
# Python 2 except syntax. "Allocation failure did not trigger" is the
# message alloc_fail raises once count exceeds the number of allocations
# on the path; that is the normal way out of the sweep. Any other
# exception is presumably re-raised by the omitted lines.
2228 except Exception, e:
2229 if str(e) == "Allocation failure did not trigger":
2231 raise Exception("Too few allocation failures")
2232 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Covers the plain password case, a reauthentication, the same exchange
    with a small fragment_size (50) on the station's network block, and
    finally a wrong password that must fail.
    """
    sta = dev[0]
    ap = apdev[0]
    check_eap_capa(sta, "IKEV2")
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
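def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP is configured with a small fragment_size (50) so the server side
    has to fragment EAP-IKEv2 messages; the station must still connect and
    reauthenticate.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The original also built hostapd.wpa2_eap_params() here and then
    # immediately overwrote it; that dead assignment is dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")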
# NOTE(review): this listing omits gutter lines 2273 (a further entry of
# the first `tests` list), 2281/2283/2285-2286 and 2296/2298/2300-2301
# (the `if ev is None:` guard and the wait/break logic after each connect).
# The comments below describe only what is visible.
2266 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2267 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# Station-side fault injection for the Diffie-Hellman parts of EAP-IKEv2:
# first allocation failures (alloc_fail) in dh_init/dh_derive_shared, then
# a forced failure (fail_test) of the os_get_random call inside dh_init.
# In each case the method must be selected, the injected failure must be
# reached, and the attempt is torn down without a connection.
2268 check_eap_capa(dev[0], "IKEV2")
2269 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2270 hostapd.add_ap(apdev[0]['ifname'], params)
2272 tests = [ (1, "dh_init"),
2274 (1, "dh_derive_shared") ]
2275 for count, func in tests:
2276 with alloc_fail(dev[0], count, func):
2277 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2278 identity="ikev2 user", password="ike password",
2279 wait_connect=False, scan_freq="2412")
2280 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2282 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL output presumably means the pending failure count
# has reached zero, i.e. the injected failure has been consumed.
2284 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2287 dev[0].request("REMOVE_NETWORK all")
# "os_get_random;dh_init" restricts the failure to os_get_random when
# called from dh_init - a failed RNG read must abort the DH setup.
2289 tests = [ (1, "os_get_random;dh_init") ]
2290 for count, func in tests:
2291 with fail_test(dev[0], count, func):
2292 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2293 identity="ikev2 user", password="ike password",
2294 wait_connect=False, scan_freq="2412")
2295 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2297 raise Exception("EAP method not selected")
2299 if "0:" in dev[0].request("GET_FAIL"):
2302 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Positive case with the 16-byte hex key and a reauthentication, then
    the same key with its first byte changed, which must be rejected.
    """
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for WPA-EAP-SHA256 with PMF required
    (ieee80211w=2). Besides connecting and reauthenticating, the test
    checks via the MIB that the AKM actually requested and selected is
    00-0f-ac-5 (802.1X with SHA-256) and that the BSS table advertises
    WPA2-EAP-SHA256-CCMP, then verifies that a wrong PSK is rejected.
    """
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], ap_params)

    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_akm = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                     ("dot11RSNAAuthenticationSuiteSelected", expected_akm) ])

    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
# NOTE(review): this listing omits gutter lines 2365, 2367, 2369-2370 (the
# `if ev is None:` guard and the wait/break logic after the first connect)
# and 2379 (the guard before the last raise). Comments describe only what
# is visible.
2342 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2343 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# Station-side allocation-failure injection in the AES-EAX and OMAC1
# (AES-CMAC) primitives that EAP-PSK relies on. Each (count, func) entry
# fails the count-th allocation in func; "a;b" restricts the failure to a
# when called from b, and a leading "=" presumably pins it to b itself
# rather than its callees - confirm against utils.alloc_fail.
2344 skip_with_fips(dev[0])
2345 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2346 hostapd.add_ap(apdev[0]['ifname'], params)
2347 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2348 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2349 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2350 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2351 (1, "=aes_128_eax_encrypt"),
2352 (1, "omac1_aes_vector"),
2353 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2354 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2355 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2356 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2357 (1, "=aes_128_eax_decrypt") ]
2358 for count, func in tests:
2359 with alloc_fail(dev[0], count, func):
2360 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2361 identity="psk.user@example.com",
2362 password_hex="0123456789abcdef0123456789abcdef",
2363 wait_connect=False, scan_freq="2412")
# The method must at least be selected before the injected failure hits.
2364 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2366 raise Exception("EAP method not selected")
# "0:" in GET_ALLOC_FAIL output presumably means the pending failure count
# has reached zero, i.e. the injected failure has been consumed.
2368 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2371 dev[0].request("REMOVE_NETWORK all")
# A failure in the AES block primitive itself must surface as an explicit
# EAP failure event, not a silent hang.
2373 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2374 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2375 identity="psk.user@example.com",
2376 password_hex="0123456789abcdef0123456789abcdef",
2377 wait_connect=False, scan_freq="2412")
2378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2380 raise Exception("EAP method failure not reported")
2381 dev[0].request("REMOVE_NETWORK all")
2383 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2384 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# WPA (TKIP-era, rsn=False) rather than WPA2: the MIB check below expects the
# WPA vendor AKM selector 00-50-f2-1 instead of an RSN 00-0f-ac-* suite.
2385 check_eap_capa(dev[0], "MSCHAPV2")
2386 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2387 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2388 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2389 identity="user", password="password", phase2="auth=MSCHAPV2",
2390 ca_cert="auth_serv/ca.pem", wait_connect=False,
2392 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2393 hwsim_utils.test_connectivity(dev[0], hapd)
2394 eap_reauth(dev[0], "PEAP", rsn=False)
2395 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2396 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
# STATUS-VERBOSE must expose the 802.1X port control state and the EAP
# Session-Id; the Session-Id is expected to start with the PEAP method type
# byte (0x19 = 25).
2397 status = dev[0].get_status(extra="VERBOSE")
2398 if 'portControl' not in status:
2399 raise Exception("portControl missing from STATUS-VERBOSE")
2400 if status['portControl'] != 'Auto':
2401 raise Exception("Unexpected portControl value: " + status['portControl'])
2402 if 'eap_session_id' not in status:
2403 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2404 if not status['eap_session_id'].startswith("19"):
2405 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2407 def test_ap_wpa2_eap_interactive(dev, apdev):
2408 """WPA2-Enterprise connection using interactive identity/password entry"""
# Exercises the CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or -OTP) round trip:
# the network is added without the credential, wpa_supplicant asks for it
# over the control interface, and the test answers with CTRL-RSP-*.
2409 check_eap_capa(dev[0], "MSCHAPV2")
2410 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2411 hostapd.add_ap(apdev[0]['ifname'], params)
2412 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Tuple layout: (desc, eap, anonymous_identity, identity, phase2,
# identity to supply on request or None, password to supply on request).
# NOTE(review): "DOMAIN\mschapv2 user" is a non-raw string; `\m` is not a
# valid escape, so the backslash is kept literally but newer Pythons warn.
# A raw string (r"...") would state the intent explicitly.
2414 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2415 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2417 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2418 "TTLS", "ttls", None, "auth=MSCHAPV2",
2419 "DOMAIN\mschapv2 user", "password"),
2420 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2421 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2422 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2423 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2424 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2425 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2426 ("Connection with dynamic PEAP/EAP-GTC password entry",
2427 "PEAP", None, "user", "auth=GTC", None, "password") ]
2428 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2430 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2431 anonymous_identity=anon, identity=identity,
2432 ca_cert="auth_serv/ca.pem", phase2=phase2,
2433 wait_connect=False, scan_freq="2412")
# NOTE(review): the `if req_id:` / `if ev is None:` guards around these
# request/response steps are not visible in this listing.
2435 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2437 raise Exception("Request for identity timed out")
# The request id is the trailing "-<id>" token before the first ':'.
2438 id = ev.split(':')[0].split('-')[-1]
2439 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2440 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2442 raise Exception("Request for password timed out")
2443 id = ev.split(':')[0].split('-')[-1]
# Reply with the same request kind (OTP vs PASSWORD) that was asked for.
2444 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2445 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2446 dev[0].wait_connected(timeout=10)
2447 dev[0].request("REMOVE_NETWORK all")
2449 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2450 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
# Regression check: after an interactive identity entry completes, enabling a
# different (unrelated) network must not trigger a reconnection attempt.
2451 check_eap_capa(dev[0], "MSCHAPV2")
2452 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2453 hostapd.add_ap(apdev[0]['ifname'], params)
2454 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# A second, open network that is only added (not selected) to be enabled later.
2456 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2457 only_add_network=True)
# NOTE(review): non-raw string; `\m` is an invalid escape kept literally.
2459 req_id = "DOMAIN\mschapv2 user"
# identity=None forces wpa_supplicant to request it via CTRL-REQ-IDENTITY.
2460 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2461 anonymous_identity="ttls", identity=None,
2462 password="password",
2463 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2464 wait_connect=False, scan_freq="2412")
2465 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
# NOTE(review): the `if ev is None:` guard is not visible in this listing.
2467 raise Exception("Request for identity timed out")
2468 id = ev.split(':')[0].split('-')[-1]
2469 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2470 dev[0].wait_connected(timeout=10)
2472 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2473 raise Exception("Failed to enable network")
# Short timeout on purpose: the expected outcome is that no "Trying to
# authenticate" event appears (the guard around the raise is not visible).
2474 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2476 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2477 dev[0].request("REMOVE_NETWORK all")
2479 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2480 """WPA2-Enterprise connection using EAP vendor test"""
# Uses the expanded-type "VENDOR-TEST" method on two stations; the second
# call's remaining keyword arguments are truncated in this listing.
2481 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2482 hostapd.add_ap(apdev[0]['ifname'], params)
2483 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2484 eap_reauth(dev[0], "VENDOR-TEST")
2485 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2488 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2489 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
# fast_provisioning=1 selects unauthenticated (anonymous DH) PAC provisioning;
# the PAC is stored in the "fast_pac" config blob. The reauthentication must
# then resume the TLS session from the PAC (tls_session_reused == '1').
2490 check_eap_capa(dev[0], "FAST")
2491 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2492 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2493 eap_connect(dev[0], apdev[0], "FAST", "user",
2494 anonymous_identity="FAST", password="password",
2495 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2496 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2497 hwsim_utils.test_connectivity(dev[0], hapd)
2498 res = eap_reauth(dev[0], "FAST")
2499 if res['tls_session_reused'] != '1':
2500 raise Exception("EAP-FAST could not use PAC session ticket")
2502 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2503 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
# Provisions a PAC into a real file under the log directory (text format on
# dev[0], binary format on dev[1]), then reconnects using the stored PAC.
# Several lines of this function (file read, second-connect arguments,
# cleanup) are not visible in this listing.
2504 check_eap_capa(dev[0], "FAST")
# `params` here is the test-framework parameter dict (only logdir is used);
# it is rebound to the hostapd config dict two lines further down.
2505 pac_file = os.path.join(params['logdir'], "fast.pac")
2506 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2507 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2508 hostapd.add_ap(apdev[0]['ifname'], params)
2511 eap_connect(dev[0], apdev[0], "FAST", "user",
2512 anonymous_identity="FAST", password="password",
2513 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2514 phase1="fast_provisioning=1", pac_file=pac_file)
# The PAC file is plain text and carries the PAC-Key in the clear; the test
# only checks the header and that a key was written, so the log directory
# holding it should be treated as credential material.
2515 with open(pac_file, "r") as f:
2517 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2518 raise Exception("PAC file header missing")
2519 if "PAC-Key=" not in data:
2520 raise Exception("PAC-Key missing from PAC file")
2521 dev[0].request("REMOVE_NETWORK all")
# Reconnect without fast_provisioning so the stored PAC must be used.
2522 eap_connect(dev[0], apdev[0], "FAST", "user",
2523 anonymous_identity="FAST", password="password",
2524 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same sequence for the binary PAC format on the second station.
2527 eap_connect(dev[1], apdev[0], "FAST", "user",
2528 anonymous_identity="FAST", password="password",
2529 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2530 phase1="fast_provisioning=1 fast_pac_format=binary",
2532 dev[1].request("REMOVE_NETWORK all")
2533 eap_connect(dev[1], apdev[0], "FAST", "user",
2534 anonymous_identity="FAST", password="password",
2535 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2536 phase1="fast_pac_format=binary",
# Cleanup of the binary PAC file (the matching removal of pac_file is not
# visible in this listing).
2544 os.remove(pac_file2)
2548 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
2549 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
# Same flow as the unauthenticated-provisioning test but with the PAC stored
# in binary format in a blob and the PAC list capped at one entry
# (fast_max_pac_list_len=1); session resumption must still work.
2550 check_eap_capa(dev[0], "FAST")
2551 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2552 hostapd.add_ap(apdev[0]['ifname'], params)
2553 eap_connect(dev[0], apdev[0], "FAST", "user",
2554 anonymous_identity="FAST", password="password",
2555 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2556 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2557 pac_file="blob://fast_pac_bin")
2558 res = eap_reauth(dev[0], "FAST")
2559 if res['tls_session_reused'] != '1':
2560 raise Exception("EAP-FAST could not use PAC session ticket")
2562 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2563 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
# Neither attempt enables fast_provisioning, so no PAC can be obtained:
# first with a pac_file blob that holds nothing usable, then with no
# pac_file at all. Both must end in CTRL-EVENT-EAP-FAILURE.
2564 check_eap_capa(dev[0], "FAST")
2565 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2566 hostapd.add_ap(apdev[0]['ifname'], params)
2568 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2569 identity="user", anonymous_identity="FAST",
2570 password="password",
2571 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2572 pac_file="blob://fast_pac_not_in_use",
2573 wait_connect=False, scan_freq="2412")
2574 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
# NOTE(review): the `if ev is None:` guards are not visible in this listing.
2576 raise Exception("Timeout on EAP failure report")
2577 dev[0].request("REMOVE_NETWORK all")
2579 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2580 identity="user", anonymous_identity="FAST",
2581 password="password",
2582 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2583 wait_connect=False, scan_freq="2412")
2584 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2586 raise Exception("Timeout on EAP failure report")
2588 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
2589 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
# fast_provisioning=2 selects authenticated (server-certificate based) PAC
# provisioning with GTC as the inner method; the reauthentication must then
# resume from the provisioned PAC.
2590 check_eap_capa(dev[0], "FAST")
2591 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2592 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2593 eap_connect(dev[0], apdev[0], "FAST", "user",
2594 anonymous_identity="FAST", password="password",
2595 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2596 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
2597 hwsim_utils.test_connectivity(dev[0], hapd)
2598 res = eap_reauth(dev[0], "FAST")
2599 if res['tls_session_reused'] != '1':
2600 raise Exception("EAP-FAST could not use PAC session ticket")
2602 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2603 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
# After a successful provisioning, the identity on the live network is changed
# to "user2". That must drop the association, restart EAP-FAST and end in an
# EAP failure (presumably because the PAC/credentials no longer match).
2604 check_eap_capa(dev[0], "FAST")
2605 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2606 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2607 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2608 anonymous_identity="FAST", password="password",
2609 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2610 phase1="fast_provisioning=2",
2611 pac_file="blob://fast_pac_auth")
2612 dev[0].set_network_quoted(id, "identity", "user2")
2613 dev[0].wait_disconnected()
2614 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
# NOTE(review): the `if ev is None:` guards are not visible in this listing.
2616 raise Exception("EAP-FAST not started")
2617 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2619 raise Exception("EAP failure not reported")
2620 dev[0].wait_disconnected()
2622 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2623 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
# Picks the TLS-library-specific PRF function to fail, then checks that an
# allocation failure inside it is reported as an EAP failure.
2624 check_eap_capa(dev[0], "FAST")
2625 tls = dev[0].request("GET tls_library")
2626 if tls.startswith("OpenSSL"):
2627 func = "openssl_tls_prf"
# NOTE(review): `count` is used below but its assignments (one per branch,
# presumably) and the final `else:` are not visible in this listing.
2629 elif tls.startswith("internal"):
2630 func = "tls_connection_prf"
2633 raise HwsimSkip("Unsupported TLS library")
2634 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2635 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2636 with alloc_fail(dev[0], count, func):
2637 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2638 identity="user", anonymous_identity="FAST",
2639 password="password", ca_cert="auth_serv/ca.pem",
2641 phase1="fast_provisioning=2",
2642 pac_file="blob://fast_pac_auth",
2643 wait_connect=False, scan_freq="2412")
2644 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2646 raise Exception("EAP failure not reported")
2647 dev[0].request("DISCONNECT")
2649 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2650 """EAP-FAST/MSCHAPv2 and server OOM"""
# Server-side OOM: the allocation failure is injected into hostapd's
# session-ticket extension callback, so provisioning must fail cleanly on the
# first attempt; the network is then re-selected without the fault.
2651 check_eap_capa(dev[0], "FAST")
2653 params = int_eap_server_params()
2654 params['dh_file'] = 'auth_serv/dh.conf'
# Fixed, test-only PAC opaque encryption key and A-ID values.
2655 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2656 params['eap_fast_a_id'] = '1011'
2657 params['eap_fast_a_id_info'] = 'another test server'
2658 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2660 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2661 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2662 anonymous_identity="FAST", password="password",
2663 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2664 phase1="fast_provisioning=1",
2665 pac_file="blob://fast_pac",
2666 expect_failure=True)
2667 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# NOTE(review): the `if ev is None:` guard is not visible in this listing.
2669 raise Exception("No EAP failure reported")
2670 dev[0].wait_disconnected()
2671 dev[0].request("DISCONNECT")
# Retry with the fault cleared; the wait for connection after this call is
# not visible in this listing.
2673 dev[0].select_network(id, freq="2412")
2675 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
2676 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
# ocsp=2 on the station side: a valid stapled OCSP response is mandatory for
# the connection to succeed (the ocsp=2 tests below exercise the failures).
2677 check_ocsp_support(dev[0])
2678 check_pkcs12_support(dev[0])
2679 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2680 hostapd.add_ap(apdev[0]['ifname'], params)
2681 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2682 private_key="auth_serv/user.pkcs12",
2683 private_key_passwd="whatever", ocsp=2)
2685 def int_eap_server_params():
# Baseline hostapd configuration for tests that use hostapd's integrated EAP
# server (eap_server=1) with the auth_serv test CA, server certificate and key.
# Callers copy and override entries (e.g. server_cert, ocsp_stapling_response).
# NOTE(review): every caller assigns the result and indexes it as a dict, but
# the `return params` line is not visible in this listing — confirm in source.
2686 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2687 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2688 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2689 "ca_cert": "auth_serv/ca.pem",
2690 "server_cert": "auth_serv/server.pem",
2691 "private_key": "auth_serv/server.key" }
2694 def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
2695 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
# Positive OCSP case: the stapled response (pre-generated into logdir by the
# test setup) identifies its signer by key ID; with ocsp=2 the connection is
# expected to succeed. The trailing connect() arguments are truncated here.
2696 check_ocsp_support(dev[0])
2697 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
2698 if not os.path.exists(ocsp):
2699 raise HwsimSkip("No OCSP response available")
# `params` is rebound from the framework dict to the hostapd config here.
2700 params = int_eap_server_params()
2701 params["ocsp_stapling_response"] = ocsp
2702 hostapd.add_ap(apdev[0]['ifname'], params)
2703 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2704 identity="tls user", ca_cert="auth_serv/ca.pem",
2705 private_key="auth_serv/user.pkcs12",
2706 private_key_passwd="whatever", ocsp=2,
2709 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
2710 """EAP-TLS and CA signed OCSP response (good)"""
# Positive OCSP case: a "good" response signed directly by the CA; with
# ocsp=2 the connection is expected to succeed. The trailing connect()
# arguments are truncated in this listing.
2711 check_ocsp_support(dev[0])
2712 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
2713 if not os.path.exists(ocsp):
2714 raise HwsimSkip("No OCSP response available")
2715 params = int_eap_server_params()
2716 params["ocsp_stapling_response"] = ocsp
2717 hostapd.add_ap(apdev[0]['ifname'], params)
2718 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2719 identity="tls user", ca_cert="auth_serv/ca.pem",
2720 private_key="auth_serv/user.pkcs12",
2721 private_key_passwd="whatever", ocsp=2,
2724 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
2725 """EAP-TLS and CA signed OCSP response (revoked)"""
# Negative OCSP case: the CA-signed response reports the server certificate
# as revoked. With ocsp=2 the station must report the bad status and then
# fail EAP instead of completing the handshake.
2726 check_ocsp_support(dev[0])
2727 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
2728 if not os.path.exists(ocsp):
2729 raise HwsimSkip("No OCSP response available")
2730 params = int_eap_server_params()
2731 params["ocsp_stapling_response"] = ocsp
2732 hostapd.add_ap(apdev[0]['ifname'], params)
2733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2734 identity="tls user", ca_cert="auth_serv/ca.pem",
2735 private_key="auth_serv/user.pkcs12",
2736 private_key_passwd="whatever", ocsp=2,
2737 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter that bounds the number of EAP status events
# read here, and the `if ev is None:` guards, are not visible in this listing.
2740 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2742 raise Exception("Timeout on EAP status")
2743 if 'bad certificate status response' in ev:
# The status event is expected to name the revocation explicitly.
2745 if 'certificate revoked' in ev:
2749 raise Exception("Unexpected number of EAP status messages")
2751 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2753 raise Exception("Timeout on EAP failure report")
2755 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
2756 """EAP-TLS and CA signed OCSP response (unknown)"""
# Negative OCSP case: a CA-signed response with status "unknown". With
# ocsp=2 an unknown status is treated like a bad response — the station must
# report it and fail EAP rather than connect.
2757 check_ocsp_support(dev[0])
2758 ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
2759 if not os.path.exists(ocsp):
2760 raise HwsimSkip("No OCSP response available")
2761 params = int_eap_server_params()
2762 params["ocsp_stapling_response"] = ocsp
2763 hostapd.add_ap(apdev[0]['ifname'], params)
2764 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2765 identity="tls user", ca_cert="auth_serv/ca.pem",
2766 private_key="auth_serv/user.pkcs12",
2767 private_key_passwd="whatever", ocsp=2,
2768 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2771 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2773 raise Exception("Timeout on EAP status")
2774 if 'bad certificate status response' in ev:
2778 raise Exception("Unexpected number of EAP status messages")
2780 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2782 raise Exception("Timeout on EAP failure report")
2784 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
2785 """EAP-TLS and server signed OCSP response"""
# Negative OCSP case: the response is signed by the server certificate itself
# rather than by the CA or an authorized responder. Accepting it would let a
# server vouch for its own status, so with ocsp=2 it must be rejected.
2786 check_ocsp_support(dev[0])
2787 ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
2788 if not os.path.exists(ocsp):
2789 raise HwsimSkip("No OCSP response available")
2790 params = int_eap_server_params()
2791 params["ocsp_stapling_response"] = ocsp
2792 hostapd.add_ap(apdev[0]['ifname'], params)
2793 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2794 identity="tls user", ca_cert="auth_serv/ca.pem",
2795 private_key="auth_serv/user.pkcs12",
2796 private_key_passwd="whatever", ocsp=2,
2797 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2800 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2802 raise Exception("Timeout on EAP status")
2803 if 'bad certificate status response' in ev:
2807 raise Exception("Unexpected number of EAP status messages")
2809 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2811 raise Exception("Timeout on EAP failure report")
2813 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2814 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
# Negative OCSP case: the "response" the AP staples is actually an OCSP
# request (ocsp-req.der), i.e. structurally wrong data. The station must
# reject it rather than treat an unparseable staple as a pass.
2815 check_ocsp_support(dev[0])
2816 params = int_eap_server_params()
2817 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2818 hostapd.add_ap(apdev[0]['ifname'], params)
2819 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2820 identity="tls user", ca_cert="auth_serv/ca.pem",
2821 private_key="auth_serv/user.pkcs12",
2822 private_key_passwd="whatever", ocsp=2,
2823 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2826 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2828 raise Exception("Timeout on EAP status")
2829 if 'bad certificate status response' in ev:
2833 raise Exception("Unexpected number of EAP status messages")
2835 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2837 raise Exception("Timeout on EAP failure report")
2839 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2840 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
# Negative OCSP case: a deliberately corrupted cached response
# (ocsp-server-cache.der-invalid). With ocsp=2 the station must flag the bad
# status and fail EAP.
2841 check_ocsp_support(dev[0])
2842 params = int_eap_server_params()
2843 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2844 hostapd.add_ap(apdev[0]['ifname'], params)
2845 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2846 identity="tls user", ca_cert="auth_serv/ca.pem",
2847 private_key="auth_serv/user.pkcs12",
2848 private_key_passwd="whatever", ocsp=2,
2849 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2852 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2854 raise Exception("Timeout on EAP status")
2855 if 'bad certificate status response' in ev:
2859 raise Exception("Unexpected number of EAP status messages")
2861 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2863 raise Exception("Timeout on EAP failure report")
2865 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2866 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
# Negative OCSP case: the response is signed by a key the station cannot
# chain to the CA (ocsp-server-cache.der-unknown-sign). An unverifiable
# signer must not be trusted; with ocsp=2 the result is an EAP failure.
2867 check_ocsp_support(dev[0])
2868 params = int_eap_server_params()
2869 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2870 hostapd.add_ap(apdev[0]['ifname'], params)
2871 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2872 identity="tls user", ca_cert="auth_serv/ca.pem",
2873 private_key="auth_serv/user.pkcs12",
2874 private_key_passwd="whatever", ocsp=2,
2875 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2878 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2880 raise Exception("Timeout on EAP status")
2881 if 'bad certificate status response' in ev:
2885 raise Exception("Unexpected number of EAP status messages")
2887 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2889 raise Exception("Timeout on EAP failure report")
2891 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2892 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
# Same revoked-status check as the EAP-TLS variant, but through EAP-TTLS/PAP
# (password-based inner method); OCSP enforcement is a property of the outer
# TLS tunnel and must behave identically.
2893 check_ocsp_support(dev[0])
2894 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2895 if not os.path.exists(ocsp):
2896 raise HwsimSkip("No OCSP response available")
2897 params = int_eap_server_params()
2898 params["ocsp_stapling_response"] = ocsp
2899 hostapd.add_ap(apdev[0]['ifname'], params)
2900 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2901 identity="pap user", ca_cert="auth_serv/ca.pem",
2902 anonymous_identity="ttls", password="password",
2903 phase2="auth=PAP", ocsp=2,
2904 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2907 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2909 raise Exception("Timeout on EAP status")
2910 if 'bad certificate status response' in ev:
2912 if 'certificate revoked' in ev:
2916 raise Exception("Unexpected number of EAP status messages")
2918 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2920 raise Exception("Timeout on EAP failure report")
2922 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2923 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
# The stapled response (ocsp-server-cache-unknown.der) reports status
# "unknown"; with ocsp=2 (mandatory) that must be rejected like a bad
# response and end in an EAP failure.
2924 check_ocsp_support(dev[0])
2925 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2926 if not os.path.exists(ocsp):
2927 raise HwsimSkip("No OCSP response available")
2928 params = int_eap_server_params()
2929 params["ocsp_stapling_response"] = ocsp
2930 hostapd.add_ap(apdev[0]['ifname'], params)
2931 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2932 identity="pap user", ca_cert="auth_serv/ca.pem",
2933 anonymous_identity="ttls", password="password",
2934 phase2="auth=PAP", ocsp=2,
2935 wait_connect=False, scan_freq="2412")
# NOTE(review): the loop/counter around the status-event reads and the
# `if ev is None:` guards are not visible in this listing.
2938 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2940 raise Exception("Timeout on EAP status")
2941 if 'bad certificate status response' in ev:
2945 raise Exception("Unexpected number of EAP status messages")
2947 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2949 raise Exception("Timeout on EAP failure report")
2951 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2952 """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
# Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown with ocsp=1 instead of 2:
# here connect() is called without wait_connect=False, i.e. the association
# is expected to succeed despite the "unknown" staple. ocsp=1 is presumably
# the "request but do not require" setting — confirm against the
# wpa_supplicant configuration documentation.
2953 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2954 if not os.path.exists(ocsp):
2955 raise HwsimSkip("No OCSP response available")
2956 params = int_eap_server_params()
2957 params["ocsp_stapling_response"] = ocsp
2958 hostapd.add_ap(apdev[0]['ifname'], params)
2959 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2960 identity="pap user", ca_cert="auth_serv/ca.pem",
2961 anonymous_identity="ttls", password="password",
2962 phase2="auth=PAP", ocsp=1, scan_freq="2412")
2964 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2965 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# The server certificate has no dNSName SAN (server-no-dnsname.*), so name
# matching falls back to the subject CN. A full-name domain_suffix_match
# ("server3.w1.fi", presumably the CN) must be accepted. The trailing
# connect() arguments are truncated in this listing.
2966 check_domain_match_full(dev[0])
2967 params = int_eap_server_params()
2968 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2969 params["private_key"] = "auth_serv/server-no-dnsname.key"
2970 hostapd.add_ap(apdev[0]['ifname'], params)
2971 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2972 identity="tls user", ca_cert="auth_serv/ca.pem",
2973 private_key="auth_serv/user.pkcs12",
2974 private_key_passwd="whatever",
2975 domain_suffix_match="server3.w1.fi",
2978 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2979 """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
# Exact-name variant: domain_match (not *_suffix_) against the subject CN of
# a certificate without a dNSName SAN. Expected to connect; the trailing
# connect() arguments are truncated in this listing.
2980 check_domain_match(dev[0])
2981 params = int_eap_server_params()
2982 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2983 params["private_key"] = "auth_serv/server-no-dnsname.key"
2984 hostapd.add_ap(apdev[0]['ifname'], params)
2985 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2986 identity="tls user", ca_cert="auth_serv/ca.pem",
2987 private_key="auth_serv/user.pkcs12",
2988 private_key_passwd="whatever",
2989 domain_match="server3.w1.fi",
2992 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2993 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
# Parent-domain suffix ("w1.fi") against the subject CN of a certificate
# without a dNSName SAN; expected to be accepted. Note this runs on dev[1],
# unlike the neighbouring tests. The trailing connect() arguments are
# truncated in this listing.
2994 check_domain_match_full(dev[0])
2995 params = int_eap_server_params()
2996 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2997 params["private_key"] = "auth_serv/server-no-dnsname.key"
2998 hostapd.add_ap(apdev[0]['ifname'], params)
2999 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3000 identity="tls user", ca_cert="auth_serv/ca.pem",
3001 private_key="auth_serv/user.pkcs12",
3002 private_key_passwd="whatever",
3003 domain_suffix_match="w1.fi",
3006 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
3007 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
# Two rejections that a correct suffix match must produce against a CN of
# (presumably) "server3.w1.fi":
#  - dev[0]: an unrelated domain ("example.com");
#  - dev[1]: "erver3.w1.fi", a plain string suffix of the CN that does not
#    align on a label boundary. Accepting it would let any name ending in
#    the same characters pass, so it must fail too.
# The trailing connect() arguments and the `if ev is None:` guards are not
# visible in this listing.
3008 check_domain_suffix_match(dev[0])
3009 params = int_eap_server_params()
3010 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3011 params["private_key"] = "auth_serv/server-no-dnsname.key"
3012 hostapd.add_ap(apdev[0]['ifname'], params)
3013 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3014 identity="tls user", ca_cert="auth_serv/ca.pem",
3015 private_key="auth_serv/user.pkcs12",
3016 private_key_passwd="whatever",
3017 domain_suffix_match="example.com",
3020 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3021 identity="tls user", ca_cert="auth_serv/ca.pem",
3022 private_key="auth_serv/user.pkcs12",
3023 private_key_passwd="whatever",
3024 domain_suffix_match="erver3.w1.fi",
3027 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3029 raise Exception("Timeout on EAP failure report")
3030 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3032 raise Exception("Timeout on EAP failure report (2)")
3034 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
3035 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
# domain_match requires the full name to match. Both an unrelated domain
# ("example.com", dev[0]) and the mere parent domain ("w1.fi", dev[1]) must
# be rejected — the latter is accepted by domain_suffix_match in
# test_ap_wpa2_eap_tls_domain_suffix_match_cn but not here.
# The trailing connect() arguments and the `if ev is None:` guards are not
# visible in this listing.
3036 check_domain_match(dev[0])
3037 params = int_eap_server_params()
3038 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
3039 params["private_key"] = "auth_serv/server-no-dnsname.key"
3040 hostapd.add_ap(apdev[0]['ifname'], params)
3041 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3042 identity="tls user", ca_cert="auth_serv/ca.pem",
3043 private_key="auth_serv/user.pkcs12",
3044 private_key_passwd="whatever",
3045 domain_match="example.com",
3048 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3049 identity="tls user", ca_cert="auth_serv/ca.pem",
3050 private_key="auth_serv/user.pkcs12",
3051 private_key_passwd="whatever",
3052 domain_match="w1.fi",
3055 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3057 raise Exception("Timeout on EAP failure report")
3058 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3060 raise Exception("Timeout on EAP failure report (2)")
3062 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
3063 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
# The AP presents an expired server certificate. The station must emit a
# CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the "certificate has
# expired" text, and then fail EAP. The trailing connect() arguments and the
# `if ev is None:` guards are not visible in this listing.
3064 skip_with_fips(dev[0])
3065 params = int_eap_server_params()
3066 params["server_cert"] = "auth_serv/server-expired.pem"
3067 params["private_key"] = "auth_serv/server-expired.key"
3068 hostapd.add_ap(apdev[0]['ifname'], params)
3069 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3070 identity="mschap user", password="password",
3071 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3074 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
3076 raise Exception("Timeout on EAP certificate error report")
3077 if "reason=4" not in ev or "certificate has expired" not in ev:
3078 raise Exception("Unexpected failure reason: " + ev)
3079 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3081 raise Exception("Timeout on EAP failure report")
3083 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
3084 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
# Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert, but
# with phase1 tls_disable_time_checks=1 so validity-period checks are
# skipped and the connection is expected to succeed. This deliberately
# weakens certificate validation and is exercised here only to verify the
# option; the trailing connect() arguments are truncated in this listing.
3085 skip_with_fips(dev[0])
3086 params = int_eap_server_params()
3087 params["server_cert"] = "auth_serv/server-expired.pem"
3088 params["private_key"] = "auth_serv/server-expired.key"
3089 hostapd.add_ap(apdev[0]['ifname'], params)
3090 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3091 identity="mschap user", password="password",
3092 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3093 phase1="tls_disable_time_checks=1",
3096 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
3097 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
# Server certificate with an unusually long validity period
# (server-long-duration.*); the connection is expected to succeed, i.e. the
# TLS library must not choke on the far-future notAfter. The trailing
# connect() arguments are truncated in this listing.
3098 skip_with_fips(dev[0])
3099 params = int_eap_server_params()
3100 params["server_cert"] = "auth_serv/server-long-duration.pem"
3101 params["private_key"] = "auth_serv/server-long-duration.key"
3102 hostapd.add_ap(apdev[0]['ifname'], params)
3103 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3104 identity="mschap user", password="password",
3105 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3108 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
3109 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
# The server certificate carries only the client-authentication Extended
# Key Usage (server-eku-client.*). A certificate not authorized for server
# use must be rejected: the expected outcome is CTRL-EVENT-EAP-FAILURE.
# The trailing connect() arguments and the `if ev is None:` guard are not
# visible in this listing.
3110 skip_with_fips(dev[0])
3111 params = int_eap_server_params()
3112 params["server_cert"] = "auth_serv/server-eku-client.pem"
3113 params["private_key"] = "auth_serv/server-eku-client.key"
3114 hostapd.add_ap(apdev[0]['ifname'], params)
3115 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3116 identity="mschap user", password="password",
3117 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3120 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3122 raise Exception("Timeout on EAP failure report")
3124 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
3125 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
# Positive counterpart of the client-EKU-only test: the certificate lists
# both client and server authentication EKUs, so it is acceptable as a
# server certificate and the connection is expected to succeed. The trailing
# connect() arguments are truncated in this listing.
3126 skip_with_fips(dev[0])
3127 params = int_eap_server_params()
3128 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
3129 params["private_key"] = "auth_serv/server-eku-client-server.key"
3130 hostapd.add_ap(apdev[0]['ifname'], params)
3131 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3132 identity="mschap user", password="password",
3133 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3136 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
3137 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
# The server's certificate and key are supplied as a single PKCS#12 bundle
# via private_key; server_cert is removed so hostapd must take the
# certificate from the bundle. The trailing connect() arguments are
# truncated in this listing.
3138 skip_with_fips(dev[0])
3139 params = int_eap_server_params()
3140 del params["server_cert"]
3141 params["private_key"] = "auth_serv/server.pkcs12"
3142 hostapd.add_ap(apdev[0]['ifname'], params)
3143 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3144 identity="mschap user", password="password",
3145 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The client is given its own DH parameter file (dh_file); the
    connection against a default-configured AP must still succeed.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as the plain dh_file test, but the parameter file holds DSA
    parameters; skipped when the supplicant build cannot use them.
    """
    check_dh_dsa_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # NOTE(review): this STA-side test must keep a name distinct from the
    # server-side dh_file tests further down in this file -- a second
    # "def" with the same name silently replaces this one and it is never
    # collected by the test runner.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A missing client dh_file must abort the EAP exchange, not be ignored.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    # NOTE(review): this STA-side test must keep a name distinct from the
    # server-side dh_file tests further down in this file -- a second
    # "def" with the same name silently replaces this one and it is never
    # collected by the test runner.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # ca.pem is a valid PEM file but not DH parameters; the supplicant
    # must fail the EAP exchange rather than proceed without them.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DH params from a blob

    The DH parameters are loaded into a named wpa_supplicant blob and
    dh_file refers to it via the blob:// scheme instead of a file path.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    blob_hex = read_pem("auth_serv/dh2.conf").encode("hex")
    res = dev[0].request("SET blob dhparams " + blob_hex)
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is pointed at a non-default DH parameter
    file; a normal EAP-TTLS/PAP connection must still succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Like the dh2.conf variant, but the server's dh_file holds DSA
    parameters.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
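def test_ap_wpa2_eap_ttls_dh_params_server_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found

    Renamed from test_ap_wpa2_eap_ttls_dh_params_not_found: that name is
    already used earlier in this file for the STA-side dh_file test, and a
    second "def" with the same name replaces the first one, so the
    STA-side test was silently never run.
    """
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    # hostapd must refuse to bring the interface up rather than start the
    # EAP server without the configured DH parameters.
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")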
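def test_ap_wpa2_eap_ttls_dh_params_server_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file

    Renamed from test_ap_wpa2_eap_ttls_dh_params_invalid: that name is
    already used earlier in this file for the STA-side dh_file test, and a
    second "def" with the same name replaces the first one, so the
    STA-side test was silently never run.
    """
    params = int_eap_server_params()
    # ca.pem is valid PEM but not DH parameters.
    params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    # A dh_file that does not parse must be a hard configuration error.
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")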
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Very short authenticator-side reauthentication period so a forced
    # EAP re-run is observed within the test's timeouts.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # Expect a fresh EAP exchange started by the AP, then its success.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("Timeout on reauthentication")
    # Poll until the 4-way handshake after reauthentication has completed.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    The AP is configured with an eap_message that includes a literal
    backslash-zero separator followed by network information; the
    supplicant must still complete EAP-PAX normally.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA', dev[0] requests the
    protected result indication (result_ind=1) and then reauthenticates,
    while dev[1] connects without requesting it. Requires the external
    hlr_auc_gw helper.
    """
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Test-only Ki:OPc material shared by the SIM and AKA subscribers.
    ki_opc = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    rounds = [
        ("SIM", "1232010000000000", ki_opc),
        ("AKA", "0232010000000000", ki_opc + ":000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(rounds):
        if idx:
            # Clear the previous method's profiles before the next one.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The connection is expected to hit the supplicant's EAP round-trip
    # limit (the "EAP: more than ..." event) rather than complete; the
    # client setting that inflates the number of round trips is given in
    # the remaining connect() arguments.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The "vendor-test" identity makes the server propose a method the
    # client (configured for EAP-PSK only) refuses with an expanded NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # Scan the first few EAP status events for the refusal.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        # NOTE(review): timeout guard (ev is None) for this raise is not visible here
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    # Negotiation cannot converge, so the exchange must end in EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    skip_with_fips(dev[0])
    # NOTE(review): presumably raised from an "except ImportError:" around
    # "import sqlite3"; the guard is not visible in this listing.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # Build the users/wildcards/authlog schema hostapd's sqlite: eap_user_file
    # backend reads. All statements are fixed literals -- no external input
    # is interpolated into SQL here.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty identity wildcard: any outer identity may start TTLS or TLS.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each phase-2 method is bound to its own DB user, so a successful
    # connection also confirms the per-user "methods" restriction is honored.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities containing a raw 0x80 byte (alone and after ASCII); the
    # test only checks that EAP starts and a method gets selected, i.e.
    # neither side chokes on the non-ASCII identity.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): timeout guard (ev is None) for this raise is not visible here
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): timeout guard (ev is None) for this raise is not visible here
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same as test_ap_wpa2_eap_non_ascii_identity, but against the
    # external RADIUS-backed AP configuration instead of the integrated
    # EAP server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        # NOTE(review): timeout guard (ev is None) for this raise is not visible here
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        # NOTE(review): timeout guard (ev is None) for this raise is not visible here
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A restrictive but valid cipher list still connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Export-grade ciphers must not yield a connection. maybe_local_error
    # presumably allows the failure to come from the local OpenSSL build
    # (no EXPORT ciphers available at all) rather than from the handshake.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # An unparseable cipher string must be reported as an EAP failure.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is restricted to AES256 ciphers. A client
    with no cipher restriction and one allowing HIGH:!ADH must connect;
    a client limited to AES128 has no suite in common and must fail.
    Finally an unparseable openssl_ciphers value must be rejected at
    ENABLE time. Skipped unless both ends use OpenSSL.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # (device index, client cipher list, whether the handshake must fail)
    attempts = [(0, None, False),
                (1, "AES128", True),
                (2, "HIGH:!ADH", False)]
    for idx, ciphers, must_fail in attempts:
        extra = {}
        if ciphers is not None:
            extra["openssl_ciphers"] = ciphers
        if must_fail:
            extra["expect_failure"] = True
        eap_connect(dev[idx], apdev[0], "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **extra)

    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Snapshots wpa_supplicant's process memory at several points of the
    connection lifecycle and checks which secrets (password, MSK, EMSK,
    PMK, KCK, KEK, TK, GTK) are still present. Material that is no longer
    needed at a given point must have been cleared, not merely freed.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, high-entropy password so memory matches are unambiguous.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Recover the derived keys from the supplicant debug log so the memory
    # snapshots can be searched for their exact byte values.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): GTK length check and the kck/kek/tk split of the PTK
    # that the later assertions use are not visible in this listing.
    raise Exception("Unexpected GTK length")
    # Base name for memory-context dumps written on a failed check.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # If even the live password cannot be found, reading this process's
    # memory is not reliable on this system: skip rather than fail.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    raise HwsimSkip("PMK not found while associated")
    # KCK and KEK are expected to be resident while associated...
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    # ...whereas TK and GTK, once handed to the driver, must not be.
    raise Exception("TK found from memory")
    get_key_locations(buf, gtk, "GTK")
    raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Per-association keys must be gone as soon as the association ends.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Flush the PMKSA cache and change the identity (which drops the EAP
    # fast re-auth state); after that the PMK has no remaining holder.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # With the profile removed, nothing secret should remain in memory.
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # Injected via the control interface as if received from the AP. A
    # legacy (non-RSN) EAPOL-Key frame inside an RSN association must be
    # ignored by the supplicant rather than acted upon.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the result check ("OK" not in res) guarding this raise is
    # not visible in this listing
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # Runs the actual test and then tears the bridge setup down. The
    # cleanup uses subprocess.call (best effort, no exception on failure)
    # and list-form arguments, so no shell is involved.
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge (cleanup is done by the caller).

    Creates a bridge, enables 4-address mode on the station interface,
    adds it to the bridge and starts a separate wpa_supplicant on it with
    br_ifname set, then checks that EAP-PAX authentication and
    reauthentication work through the bridge.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    subprocess.call(['brctl', 'addbr', br_ifname])
    # Zero forwarding delay so the bridge port forwards immediately.
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    # Adding the port is the one step that must succeed for the test to
    # be meaningful, hence check_call.
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Verifies the AP reports WPA-EAP as its first key_mgmt, connects with
    TLS session tickets explicitly enabled on the client
    (tls_disable_session_ticket=0) and then reauthenticates.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' disables the supplicant's interoperability
    # workarounds; the connection and a reauthentication must still work.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    # Fail-closed behavior: with CRL checking enabled but no CRL loaded,
    # the server must not accept the client certificate.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Reconfigure the server with a CA bundle that also carries the CRL.
    # NOTE(review): the hapd disable/enable around this set() that makes the
    # new ca_cert take effect is not visible in this listing.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    # check_crl=2 presumably extends checking to the whole chain (see
    # hostapd.conf); confirm against the server documentation.
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # All four certificate-matching options are set on the client, so the
    # test needs a TLS library that supports each of them.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Fail the 1st..4th allocation inside tls_connection_set_subject_match
    # in turn and make sure each failure is handled, not ignored.
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # NOTE(review): timeout guard (ev is None) for this raise is not visible here
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    The AP is configured with macaddr_acl=2 (RADIUS-based MAC ACL) and
    dev[1] must still complete an EAP-TLS connection.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[1]
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
    # Make the authenticator's first eapol_auth_alloc() fail.
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify that
    the negotiated TLS version reported by STATUS (eap_tls_version)
    equals `expected`; raises Exception otherwise."""
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    # NOTE(review): the "ver != expected" comparison guarding this raise is
    # not visible in this listing
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # Only a 1.0.2 build running against 1.0.2 is exercised here; the
        # expected version for that case is in the lines not shown.
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
    elif tls.startswith("internal"):
        # With the internal TLS library, disabling two of the three
        # versions must force negotiation of the remaining one.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    # Per the IEEE 802.11 RSN element layout: id 0x30, length 0x14,
    # version 1, group cipher 00-0f-ac:4, one pairwise cipher 00-0f-ac:4,
    # one AKM 00-0f-ac:1 (802.1X), RSN capabilities 0x000c.
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
    # Progressively truncated RSN elements; the STA is expected to still
    # parse them and connect (wait_connected below).
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    for txt,ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        # Drop the cached scan result so the modified RSN element is the
        # one the STA actually evaluates.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both hostapd and wpa_supplicant use OpenSSL.

    The session resumption tests rely on the OpenSSL backend on both
    ends; any other TLS library raises HwsimSkip. hostapd is checked
    first, then the supplicant.
    """
    for side, peer in (("hostapd", hapd), ("wpa_supplicant", dev)):
        lib = peer.request("GET tls_library")
        if lib.startswith("OpenSSL"):
            continue
        if side == "hostapd":
            raise HwsimSkip("hostapd TLS library is not OpenSSL: " + lib)
        raise HwsimSkip("Session resumption not supported with this TLS library: " + lib)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # First connection must be a full handshake...
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("Key handshake with the AP timed out")
    # ...and the reauthentication must reuse the cached TLS session.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    # First connection must be a full handshake...
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("Key handshake with the AP timed out")
    # ...and the reauthentication must reuse the cached TLS session.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # Non-zero lifetime enables the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # domain_suffix_match pins the server identity on the full handshake;
    # the resumed session inherits that verified identity.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    # NOTE(review): timeout guard (ev is None) for this raise is not visible here
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3906 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3907 """EAP-TTLS/MSCHAPv2 session resumption"""
# Same shape as test_eap_ttls_mschap_session_resumption, with MSCHAPv2 as
# the inner method and a domain-qualified identity. Skips unless the build
# supports domain_suffix_match and the MSCHAPV2 EAP method.
3908 check_domain_suffix_match(dev[0])
3909 check_eap_capa(dev[0], "MSCHAPV2")
3910 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
3911 params['tls_session_lifetime'] = '60'
3912 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3913 check_tls_session_resumption_capa(dev[0], hapd)
# NOTE: "\m" is not a recognised escape, so the backslash is kept literally
# and the identity sent is DOMAIN\mschapv2 user; a raw string would make that
# explicit and avoid the invalid-escape warning on newer Pythons.
3914 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3915 anonymous_identity="ttls", password="password",
3916 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3917 domain_suffix_match="server.w1.fi")
# First connection must be a full handshake ('0').
3918 if dev[0].get_status_field("tls_session_reused") != '0':
3919 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
3921 dev[0].request("REAUTHENTICATE")
3922 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3924 raise Exception("EAP success timed out")
3925 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3927 raise Exception("Key handshake with the AP timed out")
# Second connection must have resumed the cached session ('1').
3928 if dev[0].get_status_field("tls_session_reused") != '1':
3929 raise Exception("Session resumption not used on the second connection")
3931 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3932 """EAP-TTLS/EAP-GTC session resumption"""
# Same resumption check as the other EAP-TTLS variants, here with a
# tunnelled EAP method (phase2 "autheap=GTC") rather than a legacy
# "auth=" inner method.
3933 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
3934 params['tls_session_lifetime'] = '60'
3935 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3936 check_tls_session_resumption_capa(dev[0], hapd)
3937 eap_connect(dev[0], apdev[0], "TTLS", "user",
3938 anonymous_identity="ttls", password="password",
3939 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
# First connection must be a full handshake ('0').
3940 if dev[0].get_status_field("tls_session_reused") != '0':
3941 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
3943 dev[0].request("REAUTHENTICATE")
3944 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3946 raise Exception("EAP success timed out")
3947 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3949 raise Exception("Key handshake with the AP timed out")
# Second connection must have resumed the cached session ('1').
3950 if dev[0].get_status_field("tls_session_reused") != '1':
3951 raise Exception("Session resumption not used on the second connection")
3953 def test_eap_ttls_no_session_resumption(dev, apdev):
3954 """EAP-TTLS session resumption disabled on server"""
# Negative counterpart of the resumption tests: with caching disabled on
# the server, both the first and the re-authenticated connection must
# report a full handshake. No resumption-capability check is needed since
# no resumption is expected.
3955 params = int_eap_server_params()
# '0' disables server-side TLS session caching.
3956 params['tls_session_lifetime'] = '0'
3957 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# eap_workaround='0' turns off the supplicant's EAP interoperability
# workarounds for this profile. The remainder of this argument list is on a
# line not shown in this listing.
3958 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3959 anonymous_identity="ttls", password="password",
3960 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3962 if dev[0].get_status_field("tls_session_reused") != '0':
3963 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
3965 dev[0].request("REAUTHENTICATE")
3966 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3968 raise Exception("EAP success timed out")
3969 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3971 raise Exception("Key handshake with the AP timed out")
# Caching is off, so the second connection must also be a full handshake.
3972 if dev[0].get_status_field("tls_session_reused") != '0':
3973 raise Exception("Unexpected session resumption on the second connection")
3975 def test_eap_peap_session_resumption(dev, apdev):
3976 """EAP-PEAP session resumption"""
# PEAP version of the resumption check: full handshake first, then a
# REAUTHENTICATE that must reuse the server's cached TLS session.
3977 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
3978 params['tls_session_lifetime'] = '60'
3979 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3980 check_tls_session_resumption_capa(dev[0], hapd)
3981 eap_connect(dev[0], apdev[0], "PEAP", "user",
3982 anonymous_identity="peap", password="password",
3983 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake ('0').
3984 if dev[0].get_status_field("tls_session_reused") != '0':
3985 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
3987 dev[0].request("REAUTHENTICATE")
3988 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3990 raise Exception("EAP success timed out")
3991 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3993 raise Exception("Key handshake with the AP timed out")
# Second connection must have resumed the cached session ('1').
3994 if dev[0].get_status_field("tls_session_reused") != '1':
3995 raise Exception("Session resumption not used on the second connection")
3997 def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
3998 """EAP-PEAP session resumption with crypto binding"""
# As test_eap_peap_session_resumption, but with PEAPv0 and cryptobinding
# demanded via phase1, so the resumed (abbreviated) handshake must still
# complete the binding exchange.
3999 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
4000 params['tls_session_lifetime'] = '60'
4001 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4002 check_tls_session_resumption_capa(dev[0], hapd)
# crypto_binding=2 is the strictest setting (required, per wpa_supplicant
# configuration docs - verify) which is the point of this variant.
4003 eap_connect(dev[0], apdev[0], "PEAP", "user",
4004 anonymous_identity="peap", password="password",
4005 phase1="peapver=0 crypto_binding=2",
4006 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake ('0').
4007 if dev[0].get_status_field("tls_session_reused") != '0':
4008 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4010 dev[0].request("REAUTHENTICATE")
4011 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4013 raise Exception("EAP success timed out")
4014 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4016 raise Exception("Key handshake with the AP timed out")
# Second connection must have resumed the cached session ('1').
4017 if dev[0].get_status_field("tls_session_reused") != '1':
4018 raise Exception("Session resumption not used on the second connection")
4020 def test_eap_peap_no_session_resumption(dev, apdev):
4021 """EAP-PEAP session resumption disabled on server"""
# Negative PEAP case. NOTE(review): unlike test_eap_ttls_no_session_resumption
# this does not set tls_session_lifetime at all, so "disabled" relies on the
# server default from int_eap_server_params() - setting '0' explicitly would
# make the intent independent of that default.
4022 params = int_eap_server_params()
4023 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4024 eap_connect(dev[0], apdev[0], "PEAP", "user",
4025 anonymous_identity="peap", password="password",
4026 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection must be a full handshake ('0').
4027 if dev[0].get_status_field("tls_session_reused") != '0':
4028 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4030 dev[0].request("REAUTHENTICATE")
4031 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4033 raise Exception("EAP success timed out")
4034 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4036 raise Exception("Key handshake with the AP timed out")
# Without caching the second connection must also be a full handshake.
4037 if dev[0].get_status_field("tls_session_reused") != '0':
4038 raise Exception("Unexpected session resumption on the second connection")
4040 def test_eap_tls_session_resumption(dev, apdev):
4041 """EAP-TLS session resumption"""
# Certificate-based EAP-TLS with server-side session caching. Unlike the
# tunnelled-method tests this re-authenticates twice, so a session that has
# already been resumed once must be resumable again.
4042 params = int_eap_server_params()
# Non-zero lifetime enables server-side TLS session caching.
4043 params['tls_session_lifetime'] = '60'
4044 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4045 check_tls_session_resumption_capa(dev[0], hapd)
# Client authenticates with its own certificate/key; no inner method.
4046 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4047 client_cert="auth_serv/user.pem",
4048 private_key="auth_serv/user.key")
# First connection must be a full handshake ('0').
4049 if dev[0].get_status_field("tls_session_reused") != '0':
4050 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4052 dev[0].request("REAUTHENTICATE")
4053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4055 raise Exception("EAP success timed out")
4056 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4058 raise Exception("Key handshake with the AP timed out")
4059 if dev[0].get_status_field("tls_session_reused") != '1':
4060 raise Exception("Session resumption not used on the second connection")
# Third round: the cached session must still be usable after one resumption.
4062 dev[0].request("REAUTHENTICATE")
4063 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4065 raise Exception("EAP success timed out")
4066 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4068 raise Exception("Key handshake with the AP timed out")
4069 if dev[0].get_status_field("tls_session_reused") != '1':
4070 raise Exception("Session resumption not used on the third connection")
4072 def test_eap_tls_session_resumption_expiration(dev, apdev):
4073 """EAP-TLS session resumption expiration"""
# Checks that a cached TLS session is NOT resumed once its server-side
# lifetime has passed: with tls_session_lifetime='1' the re-authentication
# after the cache entry expires must again report a full handshake.
4074 params = int_eap_server_params()
# Shortest non-zero lifetime so the cached entry expires during the test.
4075 params['tls_session_lifetime'] = '1'
4076 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4077 check_tls_session_resumption_capa(dev[0], hapd)
4078 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4079 client_cert="auth_serv/user.pem",
4080 private_key="auth_serv/user.key")
# First connection must be a full handshake ('0').
4081 if dev[0].get_status_field("tls_session_reused") != '0':
4082 raise Exception("Unexpected session resumption on the first connection")
4084 # Allow multiple attempts since OpenSSL may not expire the cached entry
# The retry loop header, its delay and the loop exit on a non-resumed
# handshake are on lines not shown in this listing; only the per-attempt
# body and the final check are visible here.
4089 dev[0].request("REAUTHENTICATE")
4090 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4092 raise Exception("EAP success timed out")
4093 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4095 raise Exception("Key handshake with the AP timed out")
# '0' here means the expired entry was correctly not reused.
4096 if dev[0].get_status_field("tls_session_reused") == '0':
# Final verdict after the attempts: any remaining '1' is a failure, since a
# server must not honour a session past its configured lifetime.
4098 if dev[0].get_status_field("tls_session_reused") != '0':
4099 raise Exception("Session resumption used after lifetime expiration")
4101 def test_eap_tls_no_session_resumption(dev, apdev):
4102 """EAP-TLS session resumption disabled on server"""
# Negative EAP-TLS case. NOTE(review): tls_session_lifetime is not set, so
# "disabled" relies on the default in int_eap_server_params(); an explicit
# '0' (as in test_eap_ttls_no_session_resumption) would state the intent.
4103 params = int_eap_server_params()
4104 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4105 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4106 client_cert="auth_serv/user.pem",
4107 private_key="auth_serv/user.key")
# First connection must be a full handshake ('0').
4108 if dev[0].get_status_field("tls_session_reused") != '0':
4109 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4111 dev[0].request("REAUTHENTICATE")
4112 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4114 raise Exception("EAP success timed out")
4115 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4117 raise Exception("Key handshake with the AP timed out")
# Without caching the second connection must also be a full handshake.
4118 if dev[0].get_status_field("tls_session_reused") != '0':
4119 raise Exception("Unexpected session resumption on the second connection")
4121 def test_eap_tls_session_resumption_radius(dev, apdev):
4122 """EAP-TLS session resumption (RADIUS)"""
# Two hostapd instances: apdev[1] runs as a stand-alone RADIUS
# authentication server (radius_server_* parameters) holding the EAP server
# and its TLS session cache; apdev[0] is the authenticator that proxies EAP
# to it over RADIUS. The resumption behaviour must survive that split.
# One entry of this parameter dict is on a line not shown in this listing.
4123 params = { "ssid": "as", "beacon_int": "2000",
4124 "radius_server_clients": "auth_serv/radius_clients.conf",
4125 "radius_server_auth_port": '18128',
4127 "eap_user_file": "auth_serv/eap_user.conf",
4128 "ca_cert": "auth_serv/ca.pem",
4129 "server_cert": "auth_serv/server.pem",
4130 "private_key": "auth_serv/server.key",
# Caching is configured on the RADIUS server side, not on the AP.
4131 "tls_session_lifetime": "60" }
4132 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# The capability check is run against the instance that owns the cache.
4133 check_tls_session_resumption_capa(dev[0], authsrv)
# The AP itself only knows the RADIUS server's port (see
# radius_server_auth_port above).
4135 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4136 params['auth_server_port'] = "18128"
4137 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4138 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4139 client_cert="auth_serv/user.pem",
4140 private_key="auth_serv/user.key")
# First connection must be a full handshake ('0').
4141 if dev[0].get_status_field("tls_session_reused") != '0':
4142 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4144 dev[0].request("REAUTHENTICATE")
4145 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4147 raise Exception("EAP success timed out")
4148 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4150 raise Exception("Key handshake with the AP timed out")
# Second connection must have resumed the session cached on the RADIUS server.
4151 if dev[0].get_status_field("tls_session_reused") != '1':
4152 raise Exception("Session resumption not used on the second connection")
4154 def test_eap_tls_no_session_resumption_radius(dev, apdev):
4155 """EAP-TLS session resumption disabled (RADIUS)"""
# Negative counterpart of test_eap_tls_session_resumption_radius: the
# RADIUS server on apdev[1] has caching disabled, so both connections must
# be full handshakes. One dict entry is on a line not shown in this listing.
4156 params = { "ssid": "as", "beacon_int": "2000",
4157 "radius_server_clients": "auth_serv/radius_clients.conf",
4158 "radius_server_auth_port": '18128',
4160 "eap_user_file": "auth_serv/eap_user.conf",
4161 "ca_cert": "auth_serv/ca.pem",
4162 "server_cert": "auth_serv/server.pem",
4163 "private_key": "auth_serv/server.key",
# '0' disables the TLS session cache on the RADIUS server.
4164 "tls_session_lifetime": "0" }
4165 hostapd.add_ap(apdev[1]['ifname'], params)
4167 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# Authenticator on apdev[0] forwards EAP to the server on port 18128.
4168 params['auth_server_port'] = "18128"
4169 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4170 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4171 client_cert="auth_serv/user.pem",
4172 private_key="auth_serv/user.key")
# First connection must be a full handshake ('0').
4173 if dev[0].get_status_field("tls_session_reused") != '0':
4174 raise Exception("Unexpected session resumption on the first connection")
# Second EAP round; the raise lines are timeout branches whose guard lines
# are not shown in this listing.
4176 dev[0].request("REAUTHENTICATE")
4177 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4179 raise Exception("EAP success timed out")
4180 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4182 raise Exception("Key handshake with the AP timed out")
# Without caching the second connection must also be a full handshake.
4183 if dev[0].get_status_field("tls_session_reused") != '0':
4184 raise Exception("Unexpected session resumption on the second connection")
4186 def test_eap_mschapv2_errors(dev, apdev):
4187 """EAP-MSCHAPv2 error cases"""
# Fault-injection coverage of the EAP-MSCHAPv2 peer: each (count, func)
# tuple arms a failure in the named function (fail_test for forced
# return failures, alloc_fail for allocation failures - both from utils)
# on the count-th hit, starts a connection that is expected not to
# complete, waits for the trigger to fire, and tears the network down.
# A trigger that never fires is the failure mode wait_fail_trigger
# reports. Requires MSCHAPV2 and FAST EAP methods in the build.
4188 check_eap_capa(dev[0], "MSCHAPV2")
4189 check_eap_capa(dev[0], "FAST")
4191 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4192 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: a normal successful connection before any fault is injected.
# The rest of this argument list is on a line not shown in this listing.
4193 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4194 identity="phase1-user", password="password",
4196 dev[0].request("REMOVE_NETWORK all")
4197 dev[0].wait_disconnected()
# Forced failures in the password-derived response path. The ';'-separated
# form names a function together with the caller(s) it must be reached
# from, so only that call path is affected.
# NOTE(review): the "nt_password_hash;=mschapv2_derive_response" entry is
# listed twice (third and sixth tuple); the second occurrence is redundant.
4199 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4200 (1, "nt_password_hash;mschapv2_derive_response"),
4201 (1, "nt_password_hash;=mschapv2_derive_response"),
4202 (1, "generate_nt_response;mschapv2_derive_response"),
4203 (1, "generate_authenticator_response;mschapv2_derive_response"),
4204 (1, "nt_password_hash;=mschapv2_derive_response"),
4205 (1, "get_master_key;mschapv2_derive_response"),
4206 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4207 for count, func in tests:
4208 with fail_test(dev[0], count, func):
4209 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4210 identity="phase1-user", password="password",
4211 wait_connect=False, scan_freq="2412")
4212 wait_fail_trigger(dev[0], "GET_FAIL")
4213 dev[0].request("REMOVE_NETWORK all")
4214 dev[0].wait_disconnected()
# Same path again with a pre-hashed credential (password_hex "hash:...")
# so the *_pwhash variants are exercised. The hex value is presumably the
# NT hash of the plaintext test password used above - verify.
4216 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4217 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4218 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4219 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4220 for count, func in tests:
4221 with fail_test(dev[0], count, func):
4222 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4223 identity="phase1-user",
4224 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
4225 wait_connect=False, scan_freq="2412")
4226 wait_fail_trigger(dev[0], "GET_FAIL")
4227 dev[0].request("REMOVE_NETWORK all")
4228 dev[0].wait_disconnected()
# Allocation failures in method init, message building and key export.
4230 tests = [ (1, "eap_mschapv2_init"),
4231 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4232 (1, "eap_msg_alloc;eap_mschapv2_success"),
4233 (1, "eap_mschapv2_getKey") ]
4234 for count, func in tests:
4235 with alloc_fail(dev[0], count, func):
4236 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4237 identity="phase1-user", password="password",
4238 wait_connect=False, scan_freq="2412")
4239 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4240 dev[0].request("REMOVE_NETWORK all")
4241 dev[0].wait_disconnected()
# The failure-message path is only reachable with a rejected credential,
# hence the deliberately wrong password.
4243 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4244 for count, func in tests:
4245 with alloc_fail(dev[0], count, func):
4246 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4247 identity="phase1-user", password="wrong password",
4248 wait_connect=False, scan_freq="2412")
4249 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4250 dev[0].request("REMOVE_NETWORK all")
4251 dev[0].wait_disconnected()
# Later allocations inside eap_mschapv2_init are reached via EAP-FAST with
# MSCHAPv2 as the inner method, which is why FAST capability is required.
# The PAC lives in a named blob rather than a file.
4253 tests = [ (2, "eap_mschapv2_init"),
4254 (3, "eap_mschapv2_init") ]
4255 for count, func in tests:
4256 with alloc_fail(dev[0], count, func):
4257 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
4258 anonymous_identity="FAST", identity="user",
4259 password="password",
4260 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4261 phase1="fast_provisioning=1",
4262 pac_file="blob://fast_pac",
4263 wait_connect=False, scan_freq="2412")
4264 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4265 dev[0].request("REMOVE_NETWORK all")
4266 dev[0].wait_disconnected()
4268 def test_eap_gpsk_errors(dev, apdev):
4269 """EAP-GPSK error cases"""
# Fault-injection coverage of the EAP-GPSK peer (pre-shared-key EAP
# method): forced failures in random-number generation, key/MIC derivation
# and MIC validation, then allocation failures across init, message
# building and key/EMSK/session-id export. Each case starts a connection
# that must not complete and waits for the armed trigger to fire.
4270 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4271 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline connection; the rest of this argument list is on a line not
# shown in this listing.
4272 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4273 identity="gpsk user",
4274 password="abcdefghijklmnop0123456789abcdef",
4276 dev[0].request("REMOVE_NETWORK all")
4277 dev[0].wait_disconnected()
# (count, func, phase1): phase1 selects the cipher suite for cases that
# only apply to one suite (AES-based MIC vs HMAC-SHA256 MIC); None keeps
# the default. The phase1 values of several tuples, and the line passing
# phase1 to connect(), are on lines not shown in this listing.
4279 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4280 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4282 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4284 (1, "eap_gpsk_derive_keys_helper", None),
4285 (2, "eap_gpsk_derive_keys_helper", None),
4286 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4288 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4290 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4291 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4292 (1, "eap_gpsk_derive_mid_helper", None) ]
4293 for count, func, phase1 in tests:
4294 with fail_test(dev[0], count, func):
4295 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4296 identity="gpsk user",
4297 password="abcdefghijklmnop0123456789abcdef",
4299 wait_connect=False, scan_freq="2412")
4300 wait_fail_trigger(dev[0], "GET_FAIL")
4301 dev[0].request("REMOVE_NETWORK all")
4302 dev[0].wait_disconnected()
# Allocation failures. erp="1" enables EAP re-authentication (ERP), which
# is what makes the EMSK export path (eap_gpsk_get_emsk) reachable; the
# ERP_FLUSH before each attempt discards keys left by the previous round
# so every case starts from a full EAP exchange.
4304 tests = [ (1, "eap_gpsk_init"),
4305 (2, "eap_gpsk_init"),
4306 (3, "eap_gpsk_init"),
4307 (1, "eap_gpsk_process_id_server"),
4308 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4309 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4310 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4311 (1, "eap_gpsk_derive_keys"),
4312 (1, "eap_gpsk_derive_keys_helper"),
4313 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4314 (1, "eap_gpsk_getKey"),
4315 (1, "eap_gpsk_get_emsk"),
4316 (1, "eap_gpsk_get_session_id") ]
4317 for count, func in tests:
4318 with alloc_fail(dev[0], count, func):
4319 dev[0].request("ERP_FLUSH")
4320 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4321 identity="gpsk user", erp="1",
4322 password="abcdefghijklmnop0123456789abcdef",
4323 wait_connect=False, scan_freq="2412")
4324 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4325 dev[0].request("REMOVE_NETWORK all")
4326 dev[0].wait_disconnected()
4328 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
4329 """EAP-SIM DB error cases"""
# Exercises hostapd's external EAP-SIM DB interface (eap_sim_db=unix:<path>)
# in three phases: (1) nothing is listening on the socket, (2) a fake
# hlr_auc_gw answers with malformed/unknown responses and then lets the
# pending request time out, (3) a handler delegates to the real hlr_auc_gw
# binary. Phases 1 and 2 must end in EAP-Failure, phase 3 must connect.
# `params` is the test-framework fixture (params['logdir'] is used below).
# Python 2 era code: SocketServer (socketserver in Python 3) and str
# payloads passed to sendto().
4330 sockpath = '/tmp/hlr_auc_gw.sock-test'
# A few lines between here and the next statement are not shown in this
# listing (presumably removal of a stale socket file - verify).
4335 hparams = int_eap_server_params()
# Point the server's SIM DB at a socket path nobody is serving yet.
4336 hparams['eap_sim_db'] = 'unix:' + sockpath
4337 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
4339 # Initial test with hlr_auc_gw socket not available
# `id` shadows the builtin; it is the network id reused by select_network()
# below. The password is the SIM credential consumed via the Milenage DB
# (presumably Ki:OPc - verify).
4340 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4341 eap="SIM", identity="1232010000000000",
4342 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4343 scan_freq="2412", wait_connect=False)
4344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# Timeout branch; its guard line is not shown in this listing.
4346 raise Exception("EAP-Failure not reported")
4347 dev[0].wait_disconnected()
4348 dev[0].request("DISCONNECT")
4350 # Test with invalid responses and response timeout
# Fake hlr_auc_gw request handler; its `def handle(self):` line is not
# shown in this listing. Each sendto() is one bogus reply whose expected
# server-side reaction is in the comment above it. After the third reply
# no valid answer ever arrives, so hostapd's pending request must time out.
4352 class test_handler(SocketServer.DatagramRequestHandler):
4354 data = self.request[0].strip()
# Local name `socket` would shadow the stdlib module if it is imported.
4355 socket = self.request[1]
4356 logger.debug("Received hlr_auc_gw request: " + data)
4357 # EAP-SIM DB: Failed to parse response string
4358 socket.sendto("FOO", self.client_address)
4359 # EAP-SIM DB: Failed to parse response string
4360 socket.sendto("FOO 1", self.client_address)
4361 # EAP-SIM DB: Unknown external response
4362 socket.sendto("FOO 1 2", self.client_address)
4363 logger.info("No proper response - wait for pending eap_sim_db request timeout")
# Each handle_request() serves exactly one datagram. Neither the server nor
# its socket file is closed/removed in the visible code.
4365 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
4368 dev[0].select_network(id)
4369 server.handle_request()
4370 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
# Timeout branch; its guard line is not shown in this listing.
4372 raise Exception("EAP-Failure not reported")
4373 dev[0].wait_disconnected()
4374 dev[0].request("DISCONNECT")
4376 # Test with a valid response
# Second handler (its `def handle(self):` line is not shown): forwards the
# request to the real hlr_auc_gw binary with the Milenage DB from the log
# directory and relays its stdout verbatim. Popen takes an argument list,
# so no shell is involved; the rest of that argv list, and the stdout
# close/wait presumably following the read, are on lines not shown here.
4378 class test_handler2(SocketServer.DatagramRequestHandler):
4380 data = self.request[0].strip()
4381 socket = self.request[1]
4382 logger.debug("Received hlr_auc_gw request: " + data)
4383 fname = os.path.join(params['logdir'],
4384 'hlr_auc_gw.milenage_db')
4385 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
4387 stdout=subprocess.PIPE)
4388 res = cmd.stdout.read().strip()
4390 logger.debug("hlr_auc_gw response: " + res)
4391 socket.sendto(res, self.client_address)
# Swap the handler class on the existing server instead of rebinding the
# socket path.
4393 server.RequestHandlerClass = test_handler2
4395 dev[0].select_network(id)
4396 server.handle_request()
# With a genuine triplet response the SIM authentication must succeed.
4397 dev[0].wait_connected()
4398 dev[0].request("DISCONNECT")
4399 dev[0].wait_disconnected()
4401 def test_eap_tls_sha512(dev, apdev, params):
4402 """EAP-TLS with SHA512 signature"""
# Server chain signed with SHA-512; dev[0] authenticates with a SHA-512
# client certificate and dev[1] with a SHA-384 one, both issued by the same
# CA, so both digest algorithms must be accepted on each side.
# NOTE(review): the `params` fixture argument is overwritten on the next
# line before it is ever read; a different local name would avoid the
# shadowing.
4403 params = int_eap_server_params()
4404 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4405 params["server_cert"] = "auth_serv/sha512-server.pem"
4406 params["private_key"] = "auth_serv/sha512-server.key"
4407 hostapd.add_ap(apdev[0]['ifname'], params)
# The last argument line of each connect() call is not shown in this
# listing.
4409 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4410 identity="tls user sha512",
4411 ca_cert="auth_serv/sha512-ca.pem",
4412 client_cert="auth_serv/sha512-user.pem",
4413 private_key="auth_serv/sha512-user.key",
4415 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4416 identity="tls user sha512",
4417 ca_cert="auth_serv/sha512-ca.pem",
4418 client_cert="auth_serv/sha384-user.pem",
4419 private_key="auth_serv/sha384-user.key",
4422 def test_eap_tls_sha384(dev, apdev, params):
4423 """EAP-TLS with SHA384 signature"""
# Same as test_eap_tls_sha512 but the server presents a SHA-384-signed
# certificate issued by the SHA-512 CA; the two stations again use the
# SHA-512 and SHA-384 client certificates respectively.
# NOTE(review): the `params` fixture argument is overwritten on the next
# line before it is ever read; a different local name would avoid the
# shadowing.
4424 params = int_eap_server_params()
4425 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4426 params["server_cert"] = "auth_serv/sha384-server.pem"
4427 params["private_key"] = "auth_serv/sha384-server.key"
4428 hostapd.add_ap(apdev[0]['ifname'], params)
# The last argument line of each connect() call is not shown in this
# listing.
4430 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4431 identity="tls user sha512",
4432 ca_cert="auth_serv/sha512-ca.pem",
4433 client_cert="auth_serv/sha512-user.pem",
4434 private_key="auth_serv/sha512-user.key",
4436 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4437 identity="tls user sha512",
4438 ca_cert="auth_serv/sha512-ca.pem",
4439 client_cert="auth_serv/sha384-user.pem",
4440 private_key="auth_serv/sha384-user.key",
4443 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
4444 """WPA2-Enterprise AP and association request RSN IE differences"""
# Feeds hand-built RSN elements into the station's association request
# (set_test_assoc_ie, from test_ap_psk) and checks how the AP treats them:
# elements with optional trailing fields omitted or extended must still
# associate, while elements selecting ciphers the AP does not allow must be
# rejected with the right 802.11 status code. Two APs: one plain WPA2-EAP,
# one with management frame protection required (ieee80211w=2).
#
# Hex layout of each element: 0x30 element id, length byte, version 0x0001
# (little endian), group cipher suite selector (00-0f-ac-04 = CCMP),
# pairwise suite count + selectors, AKM suite count + selectors
# (00-0f-ac-01 = 802.1X), then optional RSN Capabilities, PMKID count and
# group management cipher suite (00-0f-ac-06 = BIP-CMAC-128).
4445 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4446 hostapd.add_ap(apdev[0]['ifname'], params)
4448 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
4449 params["ieee80211w"] = "2"
4450 hostapd.add_ap(apdev[1]['ifname'], params)
4452 # Success cases with optional RSN IE fields removed one by one
# Every element here keeps CCMP/802.1X; the AP has to tolerate both extra
# (unknown) trailing fields and truncation after any optional field.
4453 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4454 "30140100000fac040100000fac040100000fac010000"),
4455 ("Extra PMKIDCount field in RSN IE",
4456 "30160100000fac040100000fac040100000fac0100000000"),
4457 ("Extra Group Management Cipher Suite in RSN IE",
4458 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4459 ("Extra undefined extension field in RSN IE",
4460 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4461 ("RSN IE without RSN Capabilities",
4462 "30120100000fac040100000fac040100000fac01"),
4463 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4464 ("RSN IE without pairwise", "30060100000fac04"),
4465 ("RSN IE without group", "30020100") ]
# Loop bodies below: one line (presumably logging `title`) and the final
# connect() argument line are not shown in this listing.
4466 for title, ie in tests:
4468 set_test_assoc_ie(dev[0], ie)
4469 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4470 identity="gpsk user",
4471 password="abcdefghijklmnop0123456789abcdef",
4473 dev[0].request("REMOVE_NETWORK all")
4474 dev[0].wait_disconnected()
# MFP-required AP: RSN Capabilities 0xcc00 carry the MFPC/MFPR bits, with
# or without an explicit group management cipher.
4476 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4477 "30140100000fac040100000fac040100000fac01cc00"),
4478 ("Group management cipher included in assoc req RSN IE",
4479 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4480 for title, ie in tests:
4482 set_test_assoc_ie(dev[0], ie)
4483 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4484 eap="GPSK", identity="gpsk user",
4485 password="abcdefghijklmnop0123456789abcdef",
4487 dev[0].request("REMOVE_NETWORK all")
4488 dev[0].wait_disconnected()
# Rejection cases: 00-0f-ac-02 (TKIP) as group or pairwise cipher on a
# CCMP-only AP. The AP must refuse rather than silently downgrade, and the
# expected 802.11 status codes are 41 (invalid group cipher) and
# 42 (invalid pairwise cipher).
4490 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
4491 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4492 for title, ie, status in tests:
4494 set_test_assoc_ie(dev[0], ie)
4495 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4496 identity="gpsk user",
4497 password="abcdefghijklmnop0123456789abcdef",
4498 scan_freq="2412", wait_connect=False)
# No timeout given: wait_event's default applies. The raise is the
# timeout branch; its guard line is not shown in this listing.
4499 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4501 raise Exception("Association rejection not reported")
4502 if "status_code=" + str(status) not in ev:
4503 raise Exception("Unexpected status code: " + ev)
4504 dev[0].request("REMOVE_NETWORK all")
4505 dev[0].dump_monitor()
# MFP-required AP rejections, both with status 31 (robust management
# frame policy violation): a station not advertising MFP at all, and one
# selecting a group management cipher (00-0f-ac-0b) the AP does not offer.
4507 tests = [ ("Management frame protection not enabled",
4508 "30140100000fac040100000fac040100000fac010000", 31),
4509 ("Unsupported management group cipher",
4510 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4511 for title, ie, status in tests:
4513 set_test_assoc_ie(dev[0], ie)
4514 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4515 eap="GPSK", identity="gpsk user",
4516 password="abcdefghijklmnop0123456789abcdef",
4517 scan_freq="2412", wait_connect=False)
# The raise is the timeout branch; its guard line is not shown here.
4518 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4520 raise Exception("Association rejection not reported")
4521 if "status_code=" + str(status) not in ev:
4522 raise Exception("Unexpected status code: " + ev)
4523 dev[0].request("REMOVE_NETWORK all")
4524 dev[0].dump_monitor()
4526 def test_eap_tls_ext_cert_check(dev, apdev):
4527 """EAP-TLS and external server certification validation"""
# Adds an EAP-TLS profile with tls_ext_cert_check=1 (the supplicant hands
# the server certificate chain to the control interface and waits for an
# external verdict) without connecting, then lets run_ext_cert_check drive
# the AP setup, the verdict exchange and the expected outcomes.
4528 # With internal server certificate chain validation
# `id` shadows the builtin; only_add_network=True returns the network id
# without selecting the network.
4529 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4530 identity="tls user",
4531 ca_cert="auth_serv/ca.pem",
4532 client_cert="auth_serv/user.pem",
4533 private_key="auth_serv/user.key",
4534 phase1="tls_ext_cert_check=1", scan_freq="2412",
4535 only_add_network=True)
4536 run_ext_cert_check(dev, apdev, id)
4538 def test_eap_ttls_ext_cert_check(dev, apdev):
4539 """EAP-TTLS and external server certification validation"""
# EAP-TTLS/PAP variant of the external certificate check. No ca_cert is
# configured, so the external verdict delivered by run_ext_cert_check is
# the only server authentication performed for this profile.
4540 # Without internal server certificate chain validation
# `id` shadows the builtin; only_add_network=True returns the network id
# without selecting the network.
4541 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4542 identity="pap user", anonymous_identity="ttls",
4543 password="password", phase2="auth=PAP",
4544 phase1="tls_ext_cert_check=1", scan_freq="2412",
4545 only_add_network=True)
4546 run_ext_cert_check(dev, apdev, id)
4548 def test_eap_peap_ext_cert_check(dev, apdev):
4549 """EAP-PEAP and external server certification validation"""
# EAP-PEAP/MSCHAPv2 variant of the external certificate check, with the
# internal chain validation (ca_cert) kept in addition to the external
# verdict handled by run_ext_cert_check.
4550 # With internal server certificate chain validation
# `id` shadows the builtin; only_add_network=True returns the network id
# without selecting the network.
4551 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
4552 identity="user", anonymous_identity="peap",
4553 ca_cert="auth_serv/ca.pem",
4554 password="password", phase2="auth=MSCHAPV2",
4555 phase1="tls_ext_cert_check=1", scan_freq="2412",
4556 only_add_network=True)
4557 run_ext_cert_check(dev, apdev, id)
4559 def test_eap_fast_ext_cert_check(dev, apdev):
4560 """EAP-FAST and external server certification validation"""
# EAP-FAST/GTC variant of the external certificate check. Skips unless the
# build has EAP-FAST.
4561 check_eap_capa(dev[0], "FAST")
4562 # With internal server certificate chain validation
# Sets the PAC blob to empty (presumably to discard a PAC left by an
# earlier run, so provisioning happens afresh - verify); run_ext_cert_check
# does the same before its reconnect.
4563 dev[0].request("SET blob fast_pac_auth_ext ")
# `id` shadows the builtin. fast_provisioning=2 selects the authenticated
# provisioning mode (per wpa_supplicant configuration docs - verify). One
# argument line of this call is not shown in this listing.
4564 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
4565 identity="user", anonymous_identity="FAST",
4566 ca_cert="auth_serv/ca.pem",
4567 password="password", phase2="auth=GTC",
4568 phase1="tls_ext_cert_check=1 fast_provisioning=2",
4569 pac_file="blob://fast_pac_auth_ext",
4571 only_add_network=True)
4572 run_ext_cert_check(dev, apdev, id)
4574 def run_ext_cert_check(dev, apdev, net_id):
4575 check_ext_cert_check_support(dev[0])
4576 if not openssl_imported:
4577 raise HwsimSkip("OpenSSL python method not available")
4579 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4580 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4582 dev[0].select_network(net_id)
4585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
4586 "CTRL-REQ-EXT_CERT_CHECK",
4587 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4589 raise Exception("No peer server certificate event seen")
4590 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
4593 vals = ev.split(' ')
4595 if v.startswith("depth="):
4596 depth = int(v.split('=')[1])
4597 elif v.startswith("cert="):
4598 cert = v.split('=')[1]
4599 if depth is not None and cert:
4600 certs[depth] = binascii.unhexlify(cert)
4601 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
4602 raise Exception("Unexpected EAP-Success")
4603 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
4604 id = ev.split(':')[0].split('-')[-1]
4607 raise Exception("Server certificate not received")
4609 raise Exception("Server certificate issuer not received")
4611 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4613 cn = cert.get_subject().commonName
4614 logger.info("Server certificate CN=" + cn)
4616 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4618 icn = issuer.get_subject().commonName
4619 logger.info("Issuer certificate CN=" + icn)
4621 if cn != "server.w1.fi":
4622 raise Exception("Unexpected server certificate CN: " + cn)
4623 if icn != "Root CA":
4624 raise Exception("Unexpected server certificate issuer CN: " + icn)
4626 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
4628 raise Exception("Unexpected EAP-Success before external check result indication")
4630 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
4631 dev[0].wait_connected()
4633 dev[0].request("DISCONNECT")
4634 dev[0].wait_disconnected()
4635 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
4636 raise Exception("PMKSA_FLUSH failed")
4637 dev[0].request("SET blob fast_pac_auth_ext ")
4638 dev[0].request("RECONNECT")
4640 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
4642 raise Exception("No peer server certificate event seen (2)")
4643 id = ev.split(':')[0].split('-')[-1]
4644 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
4645 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
4647 raise Exception("EAP-Failure not reported")
4648 dev[0].request("REMOVE_NETWORK all")
4649 dev[0].wait_disconnected()