1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
13 logger = logging.getLogger()
14 import os
15 import socket
16 import SocketServer
17
18 import hwsim_utils
19 import hostapd
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
23
try:
    import OpenSSL
except ImportError:
    # pyOpenSSL is optional; only record whether it could be imported.
    openssl_imported = False
else:
    openssl_imported = True
29
def check_hlr_auc_gw_support():
    """Skip the current test unless the hlr_auc_gw control socket exists.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
33
def check_eap_capa(dev, method):
    """Skip the current test unless *dev* lists EAP *method* as supported.

    Raises:
        HwsimSkip: when *method* is absent from the "eap" capability list.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless the TLS library in use is OpenSSL.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL (subject_match
        is only exercised with OpenSSL).
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the current test unless the TLS library in use is OpenSSL.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL (altsubject_match
        is only exercised with OpenSSL).
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
def check_domain_match(dev):
    """Skip the current test when the internal TLS library is in use.

    Raises:
        HwsimSkip: when the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    is_internal = tls.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the current test when the internal TLS library is in use.

    Raises:
        HwsimSkip: when the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    is_internal = tls.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
def check_domain_match_full(dev):
    """Skip the current test unless the TLS library in use is OpenSSL.

    Used by tests that rely on domain_suffix_match matching a suffix rather
    than the full domain name.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL.
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the current test unless the TLS library is OpenSSL or internal.

    Raises:
        HwsimSkip: for any other TLS library (certificate probing is only
        exercised with those two).
    """
    tls = dev.request("GET tls_library")
    probe_ok = tls.startswith("OpenSSL") or tls.startswith("internal")
    if not probe_ok:
        raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the current test unless the TLS library in use is OpenSSL.

    Raises:
        HwsimSkip: for any TLS library other than OpenSSL (ext_cert_check is
        only exercised with OpenSSL).
    """
    tls = dev.request("GET tls_library")
    is_openssl = tls.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Skip the current test when the TLS library does not support OCSP.

    Raises:
        HwsimSkip: when the reported TLS library name starts with "internal".
    """
    tls = dev.request("GET tls_library")
    is_internal = tls.startswith("internal")
    if is_internal:
        raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    # NOTE: a corresponding skip for BoringSSL ("BoringSSL" in tls) exists in
    # the source but is currently disabled, so BoringSSL builds run these tests.
def check_pkcs12_support(dev):
    """Placeholder PKCS#12 capability check.

    Queries the TLS library name for symmetry with the other check_* helpers
    but currently never skips: the check against the internal TLS library is
    disabled.
    """
    # The result is intentionally unused while the internal-library skip is off.
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip the current test when the internal TLS library is in use.

    Raises:
        HwsimSkip: when the reported TLS library name starts with "internal"
        (DH/DSA parameters are not exercised with it).
    """
    tls = dev.request("GET tls_library")
    is_internal = tls.startswith("internal")
    if is_internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
def read_pem(fname):
    """Return the base64-decoded payload of the first PEM block in *fname*.

    Lines strictly between the first "-----BEGIN" line and the first
    "-----END" line are concatenated and base64-decoded. Reading stops at the
    first "-----END" marker, so only the first block of a bundle is returned;
    a file without a BEGIN marker decodes to an empty byte string.
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                # The marker line itself is not part of the payload.
                inside = True
    return base64.b64decode("".join(body))
104
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect *dev* to the test-wpa2-eap network on *ap* using EAP *method*.

    Any extra keyword arguments (password, phase1, anonymous_identity, ...)
    are forwarded unchanged to dev.connect(). The remaining flags are passed
    to eap_check_auth(), which follows the EAP exchange.

    Returns:
        The network id returned by dev.connect().

    Raises:
        Exception: when eap_check_auth() is not satisfied, or when hostapd
        reports no AP-STA-CONNECTED event within 5 s on the success path.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    if not expect_failure:
        # Confirm the AP side saw the station too, not only the supplicant.
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
123
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Follow one EAP authentication on *dev* via its control events.

    Args:
        dev: station under test; must provide wait_event(), wait_disconnected()
            and get_status().
        method: EAP method name expected in the CTRL-EVENT-EAP-METHOD event
            and in the selectedMethod status field.
        initial: True for a fresh association (wait for CTRL-EVENT-CONNECTED),
            False for a reauthentication (wait for key negotiation).
        rsn: expect the WPA2 (RSN) key_mgmt string rather than the WPA one.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt string.
        expect_failure: the exchange is expected to fail; return once the
            failure and the disconnection have been observed.
        local_error_report: do not require reason=23 in the disconnection.
        maybe_local_error: tolerate a locally generated failure/disconnection.

    Returns:
        The STATUS dictionary on success; None on the expected-failure paths.

    Raises:
        Exception: on any timeout or unexpected event/status value.
    """
    def expect(events, failure_msg):
        # Wait up to 10 s for one of *events*; raise if nothing arrives.
        got = dev.wait_event(events, timeout=10)
        if got is None:
            raise Exception(failure_msg)
        return got

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    selected = expect(["CTRL-EVENT-EAP-METHOD", "CTRL-EVENT-EAP-FAILURE"],
                      "EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in selected:
        if maybe_local_error:
            return
        raise Exception("Could not select EAP method")
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: the default of dev.wait_event() applies.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disconnect_ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in disconnect_ev:
            return
        if not local_error_report and "reason=23" not in disconnect_ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
    if initial:
        done_event = "CTRL-EVENT-CONNECTED"
    else:
        done_event = "WPA: Key negotiation completed"
    expect([done_event], "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    else:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP" if rsn else "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
178
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Request REAUTHENTICATE on *dev* and verify the resulting EAP exchange.

    Returns:
        Whatever eap_check_auth() returns for a non-initial authentication
        (the STATUS dictionary on success, None on an expected failure).
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                            expect_failure=expect_failure)
    return result
183
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    # A second station with the same key succeeds; the third one (identity
    # ...0002) is expected to fail.
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Negative cases: each drops the previous network first and expects the
    # EAP exchange to fail.
    negative_cases = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, bad_key in negative_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=bad_key, expect_failure=True)

    # No password at all: the method cannot be configured and must fail.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)
234
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The fixture *params* is only needed for logdir; it is rebound below.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)

    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    def db_exec(*statements):
        # Run the statements in one transaction against hostapd's EAP DB.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    def connect():
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=good_key)

    connect()

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    db_exec("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    db_exec("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    db_exec("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    connect()
    db_exec("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    db_exec("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    connect()
    db_exec("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 are expected to be rejected when the
    # method is initialized; the supplicant reports that as an EAP error.
    rejected = [("sim_min_num_chal=1", "No EAP error message seen"),
                ("sim_min_num_chal=4", "No EAP error message seen (2)")]
    for phase1, missing_msg in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1=phase1, wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_error], timeout=10) is None:
            raise Exception(missing_msg)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted configurations: a valid challenge count and a pseudonym.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=key,
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # Always restore the default, even if the body raised.
        sta.request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext; the caller resets external_sim.

    Enables external SIM processing on dev[0], then feeds a series of invalid
    CTRL-RSP-SIM answers to the GSM-AUTH requests and checks that each one
    ends in an EAP failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                         identity="1232010000000000",
                         wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        # Wait for the external-SIM request and return its request id.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        parts = ev.split(':', 2)
        if parts[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return parts[0].split('-')[3]

    def expect_eap_failure():
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def disconnect():
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)

    rid = wait_gsm_auth_req()
    # IK:CK:RES sent as a UMTS-AUTH answer to a GSM-AUTH request: the
    # ctrl_iface command itself succeeds (no "OK" check), processing fails.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()
    disconnect()

    # Malformed GSM-AUTH answers: accepted by ctrl_iface, rejected during GSM
    # auth validation. After the last one the station is left as is.
    bad_responses = [":GSM-AUTH:q",
                     ":GSM-AUTH:34",
                     ":GSM-AUTH:0011223344556677",
                     ":GSM-AUTH:0011223344556677:q",
                     ":GSM-AUTH:0011223344556677:00112233",
                     ":GSM-AUTH:0011223344556677:00112233:q"]
    last = len(bad_responses) - 1
    for index, suffix in enumerate(bad_responses):
        sta.select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()
        if index < last:
            disconnect()
466
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (count, function) pairs handed to alloc_fail, one connection attempt each.
    tests = [(count, "milenage_f2345") for count in range(1, 13)]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            # The injected failure is expected to end the attempt.
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    identity = "0232010000000000"
    eap_connect(dev[0], apdev[0], "AKA", identity,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # Negative cases as (log label, remove previous network first, password).
    # Cases (2)-(4) deliberately keep the previous network configured.
    negative_cases = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, remove_first, bad_key in negative_cases:
        logger.info(label)
        if remove_first:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", identity,
                    password=bad_key, expect_failure=True)

    # No password at all: the method cannot be configured and must fail.
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", identity,
                expect_failure=True)
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    # The fixture *params* is only needed for logdir; it is rebound below.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)

    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    def db_exec(*statements):
        # Run the statements in one transaction against hostapd's EAP DB.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    def connect():
        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=good_key)

    connect()

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
    db_exec("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
    db_exec("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
    db_exec("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    connect()
    db_exec("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    db_exec("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    connect()
    db_exec("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Only anonymous_identity is exercised here; identity and key are the
    # same ones the other EAP-AKA tests use.
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", password=key,
                anonymous_identity="2345678")
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore the default, even if the body raised.
        sta.request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext; the caller resets external_sim.

    Enables external SIM processing on dev[0], then answers the UMTS-AUTH
    requests with a series of invalid CTRL-RSP-SIM responses and checks that
    each one ends in an EAP failure.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    sta.request("SET external_sim 1")
    net_id = sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                         identity="0232010000000000",
                         password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                         wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        # Wait for the external-SIM request and return its request id.
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        parts = ev.split(':', 2)
        if parts[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return parts[0].split('-')[3]

    def send_response(rid, suffix):
        # The ctrl_iface command must be accepted; validation fails later.
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    def reset_station():
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        time.sleep(0.1)
        sta.dump_monitor()

    rid = wait_umts_auth_req()
    # IK:CK:RES sent as a GSM-AUTH answer to a UMTS-AUTH request: the
    # ctrl_iface command itself succeeds (no "OK" check), processing fails.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    reset_station()

    # Two UMTS-AUTS answers in a row: after the first one another UMTS-AUTH
    # request is expected, after the second one an EAP failure.
    sta.select_network(net_id, freq="2412")
    rid = wait_umts_auth_req()
    send_response(rid, ":UMTS-AUTS:112233445566778899aabbccddee")
    rid = wait_umts_auth_req()
    send_response(rid, ":UMTS-AUTS:12")
    expect_eap_failure()
    reset_station()

    # Malformed UMTS-AUTH answers, each rejected during UMTS auth validation.
    bad_responses = [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
                     ":UMTS-AUTH:34",
                     ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
                     ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
                     ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
                     ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
                     ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
    for suffix in bad_responses:
        sta.select_network(net_id, freq="2412")
        rid = wait_umts_auth_req()
        send_response(rid, suffix)
        expect_eap_failure()
        reset_station()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    # AKA' needs the hlr_auc_gw simulator behind the authentication server.
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Credential shared by the positive cases (presumably Ki:OPc:SQN for the
    # Milenage simulator -- same layout as the other AKA tests in this file).
    identity = "6555444333222111"
    good_password = ("5122250214c33e723a5dd523fc145fc0:"
                     "981d464c7c52eb6e5036234984ad0bcf:000000000123")

    eap_connect(dev[0], apdev[0], "AKA'", identity, password=good_password)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    # Bidding-down protection: the peer offers both AKA' and plain AKA and
    # the connection must still complete (verified via wait_connected).
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both",
                   password=good_password,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    # Negative case: first byte of the key differs, so EAP must fail.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", identity,
                password="ff22250214c33e723a5dd523fc145fc0:"
                         "981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
733
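def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")

    permanent = "6555444333222111"
    password = ("5122250214c33e723a5dd523fc145fc0:"
                "981d464c7c52eb6e5036234984ad0bcf:000000000123")

    # hostapd.db lives in the test log directory; the test edits the EAP
    # server's reauth/pseudonyms state directly to drive each branch.
    # The connection is closed on every exit path (it used to be leaked).
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        def run_sql(*sqls):
            # Every statement is scoped to the test user's permanent
            # identity, bound as a parameter rather than spliced into the
            # SQL text; one transaction per call ('with con' commits).
            with con:
                cur = con.cursor()
                for sql in sqls:
                    cur.execute(sql + " WHERE permanent=?", (permanent,))

        # Keep the framework's 'params' (logdir) distinct from the hostapd
        # configuration instead of rebinding the parameter.
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Presumably the SQL-backed EAP server instance listens on 1814.
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=password)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        run_sql("DELETE FROM reauth")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        run_sql("DELETE FROM reauth", "DELETE FROM pseudonyms")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=password)
        run_sql("UPDATE reauth SET counter='10'")
        eap_reauth(dev[0], "AKA'")
        # Reset the server-side counter once more so the next fast reauth
        # sees a stale value.
        run_sql("UPDATE reauth SET counter='10'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", permanent, password=password)
        run_sql("UPDATE reauth SET counter='1001'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()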
791
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Sanity-check the AP side: the first configured AKM must be WPA-EAP.
    key_mgmt = ap.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password inside the TLS tunnel, so ca_cert (server
    # certificate validation) is what protects the credential here.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector; it must be reported
    # both as requested and as selected.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
806
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Server identity is pinned beyond plain CA validation: the subject DN
    # must match and at least one of the listed SAN entries must be present.
    identity_checks = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **identity_checks)
    eap_reauth(dev[0], "TTLS")
819
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Both attempts must end in EAP failure: a wrong password for the PAP
    # user, and a valid password for an identity that is presumably not
    # provisioned for PAP on this server.
    cases = [(dev[0], "pap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)
832
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is MD5-based, which is presumably why it is skipped in FIPS mode.
    skip_with_fips(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    # This variant feeds the CA as DER (ca.der) rather than PEM.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
843
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Same SAN entries as the PAP variant, listed in a different order, to
    # pin the server identity on top of CA validation.
    san_entries = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_entries)
    eap_reauth(dev[0], "TTLS")
855
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Wrong password for the CHAP user, then a correct password for an
    # identity presumably not enabled for CHAP; both must fail.
    cases = [(dev[0], "chap user", "wrong"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)
869
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    mschap = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First pass additionally pins the server name via domain_suffix_match.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **mschap)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # Second pass forces EAP fragmentation with a small fragment size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **mschap)
887
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # Three rejection paths: wrong password, an identity presumably not
    # enabled for MSCHAP, and an unknown user. All must end in EAP failure.
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
905
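def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap() already returns the Hostapd handle (as the other tests in
    # this file use it); no need to open a second control connection.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: "\m" is not a valid escape sequence, so the plain literal
    # only kept its backslash by accident (and warns on newer Python).
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    # The re-authentication must show up in the AP's 802.1X counters.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # Same user, credential supplied as the stored NT password hash.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")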
936
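def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Use the handle add_ap() returns instead of constructing a second one.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Suffix match on the parent domain only ("w1.fi"), unlike the full
    # host name used in test_ap_wpa2_eap_ttls_mschapv2. Raw string because
    # "\m" is not a valid escape sequence.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")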
950
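def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Use the handle add_ap() returns instead of constructing a second one.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires the full server name; the mixed case
    # ("Server.w1.fi") presumably checks case-insensitive comparison.
    # Raw string because "\m" is not a valid escape sequence.
    eap_connect(dev[0], apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")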
964
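def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Wrong password for the domain user (raw string: "\m" is not a valid
    # escape sequence), then a valid password for an identity presumably
    # not enabled for MSCHAPv2. Both must end in EAP failure.
    cases = [(dev[0], r"DOMAIN\mschapv2 user", "password1"),
             (dev[1], "user", "password")]
    for sta, identity, password in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)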
978
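def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The Hostapd handle was never used here, so the extra control
    # connection the original opened is dropped.
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Non-ASCII password given as text ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # ... and the same kind of credential supplied as a precomputed hash.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Malformed raw password bytes must be rejected locally: a lone 0x80
    # byte, a sequence that looks like invalid multi-byte encoding, and a
    # 257-byte value (presumably over the supported length).
    bad_passwords = ["80", "41c041e04141e041", 257 * "41"]
    for p in bad_passwords:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()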
1003
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    # "autheap=" selects an inner EAP method (GTC) rather than a plain
    # TTLS phase-2 protocol such as PAP/CHAP.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
1013
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    # A wrong GTC password must surface as an EAP failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True, **inner)
1022
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # "user-no-passwd" presumably has no password on the server side, so
    # the attempt must fail even though the peer supplies one.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1031
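def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the server-side method init must be reported
    # to the peer as an EAP failure.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # The association would eventually time out; it is enough to wait
        # until GET_ALLOC_FAIL reports the trigger as consumed. Unlike the
        # earlier fixed poll loop, wait_fail_trigger() raises if the failure
        # point is never reached, so an unexercised path fails the test.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")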
1055
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    check_eap_capa(dev[0], "MD5")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    # EAP-MD5 as the tunneled inner method; the TLS tunnel supplies the
    # server authentication that EAP-MD5 itself lacks.
    eap_connect(dev[0], apdev[0], "TTLS", "user", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
1066
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # A wrong inner EAP-MD5 password must produce an EAP failure.
    inner = dict(anonymous_identity="ttls", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True, **inner)
1076
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # "user-no-passwd" presumably has no server-side password; the
    # attempt must fail regardless of what the peer sends.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1086
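def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the server-side method init must be reported
    # to the peer as an EAP failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # The association would eventually time out; it is enough to wait
        # until GET_ALLOC_FAIL reports the trigger as consumed. Unlike the
        # earlier fixed poll loop, wait_fail_trigger() raises if the failure
        # point is never reached, so an unexercised path fails the test.
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")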
1111
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    inner = dict(anonymous_identity="ttls",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    # Same profile with a one-character password change must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password1", expect_failure=True, **inner)
1129
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # "user-no-passwd" presumably has no server-side password; the
    # attempt must fail regardless of what the peer sends.
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                expect_failure=True, **inner)
1139
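def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Allocation failure in the server-side method init must be reported
    # to the peer as an EAP failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

    # Each remaining case arms one allocation-failure point in the server's
    # MSCHAPv2 message construction and starts a connection that would
    # eventually time out; it is enough to wait until GET_ALLOC_FAIL reports
    # the trigger as consumed. Unlike the earlier fixed poll loops,
    # wait_fail_trigger() raises if the failure point is never reached.
    # The last case deliberately uses a wrong password so that the
    # failure-request path is the one being built.
    oom_cases = [("eap_mschapv2_build_challenge", "password"),
                 ("eap_mschapv2_build_success_req", "password"),
                 ("eap_mschapv2_build_failure_req", "wrong")]
    for func, password in oom_cases:
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")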
1193
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    imsi = "0232010000000000"
    # Same AKA credential as the PEAP/FAST variants below; only the outer
    # anonymous identity realm differs.
    aka_password = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                    "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1202
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    imsi = "0232010000000000"
    aka_password = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                    "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # AKA tunneled inside PEAP; PEAP uses "auth=" for its inner EAP method.
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1211
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    imsi = "0232010000000000"
    aka_password = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                    "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 allows authenticated PAC provisioning only; the
    # PAC is kept in a config blob rather than a file on disk.
    fast_opts = dict(phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=aka_password,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA",
                **fast_opts)
1223
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)
    inner = dict(anonymous_identity="peap",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same profile with forced EAP fragmentation.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password", fragment_size="200", **inner)

    # Credential supplied as the stored NT password hash instead of text.
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **inner)

    # A one-character password change must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password="password1", expect_failure=True, **inner)
1253
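def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Raw string: in a non-raw literal "\u" starts a unicode escape, which
    # is a SyntaxError on Python 3 and only worked here because the file is
    # run as Python 2. The bytes sent are unchanged.
    eap_connect(dev[0], apdev[0], "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")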
1264
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    # A wrong inner MSCHAPv2 password must produce an EAP failure.
    inner = dict(anonymous_identity="peap", password="wrong",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                expect_failure=True, **inner)
1274
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], cfg)

    def connect(sta, crypto_binding):
        # PEAPv0 with the given crypto_binding policy (2=required,
        # 1=optional, 0=disabled); cryptographic binding ties the inner
        # method result to the outer TLS tunnel.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % crypto_binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # The weaker policies must still interoperate with this server.
    connect(dev[1], 1)
    connect(dev[2], 0)
1295
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Force the server's first eap_mschapv2_getKey allocation to fail while
    # the station requires crypto binding; the handshake is expected to
    # fail and the station reports the error locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1307
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # PEAPv0 combined with peaplabel=1 is expected not to complete.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Both peap_outer_success modes are expected to connect normally.
    for sta, outer in ((dev[1], 1), (dev[2], 2)):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=%d" % outer,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: the EAP exchange itself must report success,
    # but no connection may follow within a second (presumably because the
    # derived keying material does not agree with the server — the test
    # only asserts the observable event sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")
1339
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Outer PEAP tunnel is validated against ca_cert; the inner EAP-TLS
    # method uses the phase 2 credentials (ca_cert2/client_cert2/private_key2).
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
1350
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual TLS: the station presents its own certificate and key and
    # validates the server against auth_serv/ca.pem.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    # Reauthentication must succeed as well.
    eap_reauth(dev[0], "TLS")
1359
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The client key is an encrypted PKCS #8 file (PKCS #5 v2, DES3), so a
    # passphrase is needed to unlock it.
    encrypted_key = "auth_serv/user.key.pkcs8"
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key=encrypted_key,
                private_key_passwd="whatever")
1368
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the v2 case but with the legacy PKCS #5 v1.5 encryption of
    # the PKCS #8 key file.
    encrypted_key = "auth_serv/user.key.pkcs8.pkcs5v15"
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key=encrypted_key,
                private_key_passwd="whatever")
1377
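def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load the CA certificate, client certificate and client key into named
    # configuration blobs instead of referring to files. Blob contents are
    # passed hex-encoded over the control interface.
    blobs = (("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key"))
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Name the blob that actually failed; the original message for
            # the userkey blob wrongly reported "cacert".
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")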
1394
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def drop_networks():
        # Clear configuration between sub-cases so each one starts clean.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Case 1: certificate and key from a PKCS#12 bundle, passphrase given in
    # the network configuration.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    drop_networks()

    # Case 2: no passphrase configured; wpa_supplicant must request it over
    # the control interface and accept the CTRL-RSP answer.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request reads "CTRL-REQ-PASSPHRASE-<id>:..."; the id is echoed
    # back in the response.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    drop_networks()

    # Case 3: bundles that carry an extra certificate. Each is used twice to
    # exercise certificate chain handling with OpenSSL; the two files cover
    # the extra certificate being the issuer of the client certificate and
    # it being unrelated to the client certificate.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        for _ in range(2):
            eap_connect(dev[0], apdev[0], "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            drop_networks()
1432
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blob contents are passed hex-encoded over the control interface.
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle is binary, so it is read raw rather than via read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1447
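def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A CA that did not issue the server certificate is configured in two
    # ways: dev[0] gets it as a configuration blob, dev[1] as a file. Both
    # stations must reject the server.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    def expect(sta, events, timeout_msg):
        # Wait up to 10 s for one of events on station sta; a timeout fails
        # the test with timeout_msg. Returns the event text.
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    # The loop variable is named sta so it no longer shadows the dev
    # fixture parameter (the original used `for dev in (dev[0], dev[1])`).
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"],
               "Association and EAP start timed out")

        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"],
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first outcome reported must be the certificate error, not an
        # EAP success or a connection.
        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                          "CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        # Then EAP failure, disconnection, and the network block being
        # temporarily disabled.
        ev = expect(sta, ["CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
               "Network block disabling not reported")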
1507
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    # First network trusts the issuing CA and connects.
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **ttls_pap)
    # Second network is identical apart from a CA that did not issue the
    # server certificate; it is only added, not selected yet.
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # Switching to the other network must start EAP-TTLS (method 21) anew
    # under the new trust settings, and the failure must end in a
    # disconnection with reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1535
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
                    identity="pap user", anonymous_identity="ttls",
                    password="password", phase2="auth=PAP",
                    scan_freq="2412")
    # First network has no ca_cert at all and connects.
    dev[0].connect("test-wpa2-eap", wait_connect=True, **ttls_pap)
    # Second network pins a CA that did not issue the server certificate;
    # it is only added, not selected yet.
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **ttls_pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # The stricter network must not inherit the earlier unverified session:
    # EAP-TTLS (method 21) has to start again and fail, disconnecting with
    # reason code 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1562
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A single network block: connect with the correct CA first.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    # Swap the trust anchor of the same block to a non-issuing CA and
    # reselect it.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # The changed ca_cert must take effect: EAP-TTLS (method 21) starts
    # again and the attempt ends with a disconnection carrying reason code
    # 23 (IEEE 802.1X authentication failed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
1585
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate chains to the trusted CA, but its name does not
    # end in the configured suffix, so the station must refuse it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        # Wait up to 10 s for one of events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be the first outcome reported, carrying
    # the specific suffix-mismatch reason.
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    # Then EAP failure, disconnection, and the network block being
    # temporarily disabled.
    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
1639
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # domain_match="w1.fi" must not match the test server's name; the
    # station is expected to report a "Domain mismatch" certificate error.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        # Wait up to 10 s for one of events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # First outcome must be the certificate error with the domain reason.
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    # Then EAP failure, disconnection, and the network block being
    # temporarily disabled.
    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
1693
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # subject_match is checked against the server certificate subject; the
    # CN=example.com value here is expected not to match the test server.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        # Wait up to 10 s for one of events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # An OpenSSL build must support subject_match; any other TLS
        # library may refuse to start the method, which is an acceptable
        # fail-closed outcome for a negative test.
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # First outcome must be the certificate error with the subject reason.
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    # Then EAP failure, disconnection, and the network block being
    # temporarily disabled.
    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
1753
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Each altsubject_match value below must fail against the test server:
    # a bare name, two DNS entries for wrong hosts, and "DNS:erver.w1.fi",
    # presumably a trailing fragment of the real name that guards against
    # substring matching — each case is run as its own negative test.
    mismatches = ["incorrect.example.com",
                  "DNS:incorrect.example.com",
                  "DNS:w1.fi",
                  "DNS:erver.w1.fi"]
    for match in mismatches:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1765
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case on dev[0] and clean up after it.

    match is the altsubject_match value to configure; the server certificate
    is expected to be rejected with an "AltSubject mismatch" error.
    """
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout_msg):
        # Wait up to 10 s for one of events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"],
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # An OpenSSL build must support altsubject_match; any other TLS
        # library may refuse to start the method, which is an acceptable
        # fail-closed outcome for a negative test.
        if dev[0].request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # First outcome must be the certificate error with the altsubject reason.
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    # Then EAP failure, disconnection, and the network block being
    # temporarily disabled.
    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")

    # Leave no network behind for the next match value.
    dev[0].request("REMOVE_NETWORK all")
1824
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-only authentication: the station validates the server against
    # ca_cert but presents no client certificate.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    # Reauthentication must succeed as well.
    eap_reauth(dev[0], "UNAUTH-TLS")
1832
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the test server certificate, as reported by the
    # probe below and then used as the pin.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, timeout_msg):
        # Wait up to 10 s for one of events; a timeout fails the test.
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(timeout_msg)
        return ev

    def reset():
        dev[0].wait_disconnected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")

    # Step 1: ca_cert="probe://" only reports the server certificate (with
    # its hash) and then aborts as a certificate error; it never completes
    # authentication.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    reset()

    # Step 2: a pin that does not match the server certificate must be
    # rejected with a certificate mismatch error.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    reset()

    # Step 3: pinning the real fingerprint connects.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
1879
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Three malformed hash:// pins: an unsupported digest name (md5), a
    # sha256 value that is too short, and one containing a non-hex
    # character. Each must make the TTLS method fail to initialize rather
    # than be accepted.
    bad_pins = ("hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q")
    stations = (dev[0], dev[1], dev[2])
    for sta, pin in zip(stations, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in stations:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
1906
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers a plain connection plus reauthentication, peer-side
    fragmentation with an oversized identity, and a wrong-password case
    that must fail with a locally reported error.
    """
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    good_pw = "secret password"
    # Long enough that the peer's EAP-pwd messages exceed fragment_size.
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password=good_pw)
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], apdev[0], "PWD", long_identity, password=good_pw,
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Smaller fragments again on dev[0] once the first network is gone.
    eap_connect(dev[0], apdev[0], "PWD", long_identity, password=good_pw,
                fragment_size="31")
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    The "pwd-hash" user is provisioned so that both the clear-text password
    and the "hash:" form (the NT hash, i.e. MD4 of the UTF-16LE password)
    authenticate.  Skipped under FIPS, presumably because MD4 is not an
    approved algorithm there.

    Security note: an NT hash is password-equivalent for EAP-pwd -- whoever
    obtains it can authenticate without knowing the password.  The third
    connection confirms that the hash is tied to the provisioned user: the
    same hash presented for "pwd user" must be rejected.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
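def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Reconfigures the authenticator with each pwd_group in turn and expects
    the peer to authenticate with every group.  The Brainpool groups
    (27-30) are only exercised when both the build-time and run-time
    OpenSSL are 1.0.2.  A failure with group 25 is tolerated on BoringSSL.
    """
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    for i in groups:
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        try:
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        except Exception:
            # Catch only test-level failures: a bare "except:" would also
            # intercept KeyboardInterrupt/SystemExit and keep the loop
            # going after the user tried to abort the run.
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                time.sleep(0.1)
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                continue
            raise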
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    With pwd_group=0 on the authenticator the peer must end up with an EAP
    failure rather than a connection.
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
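def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size on the hostapd side makes the authenticator split its
    EAP-pwd messages; the peer has to reassemble them and authenticate.
    """
    check_eap_capa(dev[0], "PWD")
    # The authenticator configuration is spelled out explicitly (it needs
    # pwd_group and fragment_size); the previously computed
    # wpa2_eap_params() result was dead and has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")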
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Exercises a normal connection and reauthentication, forced ciphersuite
    selection via phase1, a ciphersuite that cannot be negotiated (must end
    in EAP failure, not a silent downgrade) and a wrong PSK.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for forced in ("cipher=1", "cipher=2"):
        dev[0].set_network_quoted(net_id, "phase1", forced)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    A 32-byte hex root secret authenticates and survives reauthentication;
    a secret differing in the first byte must be rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    good_secret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_secret)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_secret = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_secret,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Exercises a normal connection and reauthentication, several forced
    proposal sets (dhgroup/encr/prf/mac) via phase1, a proposal the server
    cannot accept (must end in EAP failure) and a wrong password.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ( "dhgroup=5 encr=1 prf=2 mac=2",
                  "dhgroup=4 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=2 mac=2",
                  "dhgroup=3 encr=1 prf=1 mac=1" )
    for proposal in proposals:
        dev[0].set_network_quoted(net_id, "phase1", proposal)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    The integrated EAP server announces an NAI-form server_id; the peer
    must still authenticate.
    """
    params = int_eap_server_params()
    params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
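def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM

    Injects allocation failures into the hostapd EAP-EKE server and the
    generic EAP server state machine and verifies that authentication
    fails cleanly (the authenticator must not crash or hang on a failed
    allocation).
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Failures inside the EKE exchange: the peer must observe an EAP failure.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failures around the exchange: only make sure the failure point was
    # reached (GET_ALLOC_FAIL counter back to 0); the authentication itself
    # would otherwise just time out.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            for i in range(20):
                time.sleep(0.1)
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    break
            dev[0].request("REMOVE_NETWORK all")

    # Walk the allocation failure through eap_server_sm_step until no
    # further failure point triggers; at least 30 must have been hit.
    # The password is given explicitly here -- the original relied on the
    # loop variable 'pw' leaking out of the loop above.
    for count in range(1, 1000):
        try:
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user",
                               password="hello",
                               wait_connect=False, scan_freq="2412")
                for i in range(10):
                    time.sleep(0.1)
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        break
                dev[0].request("REMOVE_NETWORK all")
        except Exception as e:
            if str(e) == "Allocation failure did not trigger":
                if count < 30:
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                break
            raise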
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Normal connection plus reauthentication, a connection with peer-side
    fragmentation, and a wrong password that must be rejected.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    ike_pw = "ike password"
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user", password=ike_pw)
    eap_reauth(dev[0], "IKEV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user", password=ike_pw,
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
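def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size on the hostapd side makes the authenticator split its
    EAP-IKEv2 messages; the peer has to reassemble them, authenticate and
    reauthenticate.
    """
    check_eap_capa(dev[0], "IKEV2")
    # The authenticator configuration is spelled out explicitly (it needs
    # fragment_size); the previously computed wpa2_eap_params() result was
    # dead and has been dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")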
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM

    Injects allocation failures into the peer's DH code and a failure of
    the random number source used for the DH private value; each attempt
    only has to reach the failure point without crashing the supplicant.
    """
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def attempt(status_cmd):
        # Start the connection, wait for EAP-IKEv2 to be selected, then poll
        # the injected failure counter (via status_cmd) until it has fired
        # or ten short polls have elapsed; always remove the network after.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                       identity="ikev2 user", password="ike password",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")
        for _ in range(10):
            if "0:" in dev[0].request(status_cmd):
                break
            time.sleep(0.02)
        dev[0].request("REMOVE_NETWORK all")

    for count, func in [ (1, "dh_init"),
                         (2, "dh_init"),
                         (1, "dh_derive_shared") ]:
        with alloc_fail(dev[0], count, func):
            attempt("GET_ALLOC_FAIL")

    # RNG failure while generating the DH private value must not be
    # silently ignored by the peer.
    with fail_test(dev[0], 1, "os_get_random;dh_init"):
        attempt("GET_FAIL")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    A 16-byte hex key authenticates and survives reauthentication; a key
    differing in the first byte must be rejected.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP requires the SHA-256 AKM (WPA-EAP-SHA256) and management frame
    protection (ieee80211w=2).  Besides the connection, reauthentication
    and a wrong-key case, the test checks that the SHA-256 AKM selector
    (00-0f-ac-5) was both requested and selected and that the scan result
    advertises it.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], params)

    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    flags = bss.get('flags')
    if flags is None:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM

    Injects allocation failures into the peer's AES-EAX / OMAC1 paths used
    by EAP-PSK.  Most cases only need to reach the failure point; the final
    aes_128_encrypt_block failure must surface as an EAP failure.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def start():
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")

    fail_points = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
                    (1, "omac1_aes_128;aes_128_eax_encrypt"),
                    (2, "omac1_aes_128;aes_128_eax_encrypt"),
                    (3, "omac1_aes_128;aes_128_eax_encrypt"),
                    (1, "=aes_128_eax_encrypt"),
                    (1, "omac1_aes_vector"),
                    (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
                    (1, "omac1_aes_128;aes_128_eax_decrypt"),
                    (2, "omac1_aes_128;aes_128_eax_decrypt"),
                    (3, "omac1_aes_128;aes_128_eax_decrypt"),
                    (1, "=aes_128_eax_decrypt") ]
    for count, func in fail_points:
        with alloc_fail(dev[0], count, func):
            start()
            if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
                raise Exception("EAP method not selected")
            # Poll until the injected failure has fired (counter back to 0).
            for _ in range(10):
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    break
                time.sleep(0.02)
            dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
        start()
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not RSN) with PEAP/MSCHAPv2; checks the WPA AKM selector
    (00-50-f2-1) in the MIB and that STATUS-VERBOSE exposes portControl
    and an EAP Session-Id starting with 0x19 (presumably the PEAP EAP type,
    25, as the first octet of the Session-Id).
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])

    status = dev[0].get_status(extra="VERBOSE")
    for key in ("portControl", "eap_session_id"):
        if key not in status:
            raise Exception(key + " missing from STATUS-VERBOSE")
    port_control = status['portControl']
    if port_control != 'Auto':
        raise Exception("Unexpected portControl value: " + port_control)
    session_id = status['eap_session_id']
    if not session_id.startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + session_id)
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Networks are configured without a password (and in one case without an
    identity); wpa_supplicant then asks for the missing credential over the
    control interface (CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD / CTRL-REQ-OTP)
    and the test answers with the matching CTRL-RSP-* message.  Note that
    the credential travels over the control socket in clear text, so the
    socket's access control is what protects it.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request, password/OTP to supply on request)
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]

    def answer(field, ev, value):
        # CTRL-REQ-<FIELD>-<num>:<prompt> is answered with
        # CTRL-RSP-<FIELD>-<num>:<value>, <num> being the network id.
        req_num = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-" + field + "-" + req_num + ":" + value)

    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            answer("IDENTITY", ev, req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        answer("OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD", ev, req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    After connecting with an identity supplied interactively, enabling a
    second (open) network must not trigger a reconnection attempt while the
    EAP connection is up.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second network that is added but never connected to.
    other_id = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # CTRL-REQ-IDENTITY-<num>:<prompt> -> reply for network <num>.
    req_num = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + "DOMAIN\mschapv2 user")
    dev[0].wait_connected(timeout=10)

    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(other_id)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects with the expanded-type VENDOR-TEST method, reauthenticates,
    and on a second station uses the "pending" password variant.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")

    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
                password="pending")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 selects server-unauthenticated PAC provisioning:
    the PAC is obtained on the first connection and then drives the
    reauthentication, which must report the TLS session as reused.

    Security note: in this mode the server is not authenticated during the
    provisioning exchange (see RFC 5422), so the PAC could be provisioned by
    whoever answers first.  Use it only where that risk is acceptable; the
    authenticated variant (fast_provisioning=2) is tested separately.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
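def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a regular file (text format on dev[0], binary
    format on dev[1]) under params['logdir'] and then reconnects with the
    stored PAC only (no fast_provisioning).  The text file is checked for
    the version-1 header and a PAC-Key entry.

    Security note: the PAC file stores the PAC-Key, the secret that lets
    its holder resume the EAP-FAST tunnel (RFC 4851); the files are removed
    again in the finally block so they do not linger in the log directory.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    # Separate name: 'params' above is the test-runner dict, not the AP config.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    try:
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
            if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
                raise Exception("PAC file header missing")
            if "PAC-Key=" not in data:
                raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # Best-effort removal of the credential files.  A file that was
        # never created (provisioning failed) must not mask the original
        # exception, but only OS errors are tolerated -- the previous bare
        # "except:" would also have hidden e.g. KeyboardInterrupt.
        for path in (pac_file, pac_file2):
            try:
                os.remove(path)
            except OSError:
                pass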
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Unauthenticated provisioning with fast_pac_format=binary and a PAC list
    limited to one entry (fast_max_pac_list_len=1); reauthentication must
    still resume the TLS session from the stored PAC.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")

    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning, neither an unused PAC blob nor a missing
    pac_file may lead to a connection: both attempts must end with an EAP
    failure (the peer must not fall back to provisioning on its own).
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def expect_eap_failure(**extra):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412", **extra)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    dev[0].request("REMOVE_NETWORK all")
    expect_eap_failure()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 provisions the PAC inside a server-authenticated
    tunnel; the test then checks data connectivity and that the next
    reauthentication resumes the TLS session via the provisioned PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2507
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection as "user",
    the network's identity is switched to "user2". The resulting
    reconnection must run EAP-FAST again and end in EAP failure, i.e. the
    PAC provisioned for the old identity must not let the new one in.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
2527
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Injects an allocation failure into the TLS PRF used for EAP-FAST key
    derivation and expects a clean EAP failure instead of a crash or a
    connection with bad keys. The PRF symbol and the allocation count to
    fail depend on the TLS library the supplicant was built with.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # (library prefix, PRF function name, allocation index to fail)
    prf_targets = [("OpenSSL", "openssl_tls_prf", 2),
                   ("internal", "tls_connection_prf", 1)]
    for prefix, func, count in prf_targets:
        if tls.startswith(prefix):
            break
    else:
        raise HwsimSkip("Unsupported TLS library")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase2="auth=GTC",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
2554
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Uses hostapd's integrated EAP server and fails the first allocation in
    its session-ticket extension callback, which must surface as an EAP
    failure on the supplicant. Afterwards the same network is selected
    again with the fault injection removed; no result is asserted for
    that second attempt.
    """
    check_eap_capa(dev[0], "FAST")

    ap_params = int_eap_server_params()
    ap_params['dh_file'] = 'auth_serv/dh.conf'
    # Fixed test-only PAC-Opaque encryption key; a real deployment must
    # use a randomly generated secret here.
    ap_params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    ap_params['eap_fast_a_id'] = '1011'
    ap_params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                            anonymous_identity="FAST", password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=1",
                            pac_file="blob://fast_pac",
                            expect_failure=True)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    dev[0].select_network(netid, freq="2412")
2580
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes the supplicant require a valid stapled OCSP response for
    the server certificate; the connection must succeed against the
    default hostapd EAP server configuration.
    """
    check_ocsp_support(dev[0])
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
2590
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP with the
    integrated EAP server.

    Each call builds a new dict so callers can add or delete keys (dh_file,
    ocsp_stapling_response, alternative server certificates, ...) without
    affecting other tests. Certificate and user database paths point at
    the auth_serv/ test fixtures.
    """
    ap_params = dict(ssid="test-wpa2-eap",
                     wpa="2",
                     wpa_key_mgmt="WPA-EAP",
                     rsn_pairwise="CCMP",
                     ieee8021x="1",
                     eap_server="1",
                     eap_user_file="auth_serv/eap_user.conf",
                     ca_cert="auth_serv/ca.pem",
                     server_cert="auth_serv/server.pem",
                     private_key="auth_serv/server.key")
    return ap_params
2599
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    The stapled response is pre-generated into the log directory by the
    test environment; its responder ID is the signer's key hash rather
    than its name. With ocsp=2 the supplicant must still locate the
    signer certificate and accept the response.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   scan_freq="2412")
2614
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    Stapled response signed directly by the issuing CA with status
    "good"; with ocsp=2 the connection must complete.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   scan_freq="2412")
2629
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    Stapled CA-signed response with status "revoked". With ocsp=2 the
    supplicant must report the bad status and fail EAP instead of
    connecting. Both "bad certificate status response" and "certificate
    revoked" are accepted as the status wording, so the check works
    regardless of which one the TLS library emits.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    expected = ('bad certificate status response', 'certificate revoked')
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(marker in ev for marker in expected):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2660
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)

    Stapled CA-signed response with status "unknown". With ocsp=2 an
    unknown status is not good enough: the supplicant must report a bad
    certificate status response and fail EAP.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2689
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response

    The stapled response is signed by the server certificate itself, i.e.
    by a key that is neither the issuing CA nor an authorized responder.
    A server must not be able to vouch for its own revocation status, so
    with ocsp=2 the supplicant has to reject it and fail EAP.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2718
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    hostapd staples an OCSP *request* (ocsp-req.der) where a response is
    expected. The supplicant's parser must treat the malformed staple as
    a bad certificate status response and fail EAP with ocsp=2.
    """
    check_ocsp_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2744
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    hostapd staples a corrupted copy of a cached OCSP response. The
    supplicant must report a bad certificate status response and fail
    EAP rather than accept an unverifiable staple (ocsp=2).
    """
    check_ocsp_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2770
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the supplicant cannot chain
    to the configured CA. A response from an unknown signer carries no
    trust, so with ocsp=2 it must be reported as a bad certificate status
    response and EAP must fail.
    """
    check_ocsp_support(dev[0])
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2796
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Same revoked-status check as the EAP-TLS variant, but over EAP-TTLS
    with PAP as the inner method: the outer TLS tunnel must be torn down
    by the supplicant (ocsp=2) before any inner credentials are sent.
    Both "bad certificate status response" and "certificate revoked" are
    accepted as the status wording.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    expected = ('bad certificate status response', 'certificate revoked')
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if any(marker in ev for marker in expected):
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2827
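def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    Stapled response with status "unknown" over EAP-TTLS/PAP. With ocsp=2
    (required) an unknown status must be treated as a bad certificate
    status response and EAP must fail; compare with the ocsp=1 variant
    below where the same response is tolerated.
    """
    check_ocsp_support(dev[0])
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP",
                   ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Bounded scan of status events: give up after 11 unrelated ones.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")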
2856
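def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same stapled "unknown" response as the required-OCSP test, but with
    ocsp=1 (request, do not require). The connection is expected to
    succeed, which documents the security trade-off of ocsp=1: an
    inconclusive revocation status does not fail closed.

    Unlike the ocsp=2 tests above, no check_ocsp_support() guard is used
    here.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP",
                   ocsp=1,
                   scan_freq="2412")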
2869
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate carries no dNSName SAN, so domain_suffix_match
    has to be evaluated against the subject CN. The configured value is
    the complete CN ("server3.w1.fi"), which must match.
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
2883
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    Server certificate without a dNSName SAN; domain_match (exact, not
    suffix) is compared with the subject CN and must succeed for the
    full name "server3.w1.fi".
    """
    check_domain_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
2897
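def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Server certificate without a dNSName SAN; domain_suffix_match="w1.fi"
    is a proper (label-aligned) suffix of the subject CN "server3.w1.fi"
    and must be accepted.

    The station that connects is dev[1], so the TLS-library capability
    check is made on dev[1] as well; the original checked dev[0], which
    only happens to be equivalent when both stations run the same build.
    """
    check_domain_match_full(dev[1])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")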
2911
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations attempt the same AP (server CN "server3.w1.fi", no
    dNSName SAN) with suffixes that must be rejected:
      dev[0]: "example.com"  - unrelated domain
      dev[1]: "erver3.w1.fi" - a string suffix of the CN but not on a
              label boundary; accepting it would let any "*erver3.w1.fi"
              host pass, so suffix matching must be label-aligned.
    Both attempts must end in EAP failure.
    """
    check_domain_suffix_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    attempts = [(dev[0], "example.com"), (dev[1], "erver3.w1.fi")]
    for sta, suffix in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
2939
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact comparison against the subject CN
    ("server3.w1.fi", no dNSName SAN). Neither an unrelated domain
    (dev[0], "example.com") nor the parent domain (dev[1], "w1.fi") may
    match - the latter would only be valid for domain_suffix_match. Both
    attempts must end in EAP failure.
    """
    check_domain_match(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    attempts = [(dev[0], "example.com"), (dev[1], "w1.fi")]
    for sta, domain in attempts:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=domain,
                    wait_connect=False,
                    scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
2967
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents a certificate whose validity period has ended.
    The supplicant must emit a CTRL-EVENT-EAP-TLS-CERT-ERROR carrying
    reason=4 and the "certificate has expired" text, and then fail EAP.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    cert_err = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    # Both the numeric reason and the textual description are checked so
    # that a different (wrong) certificate error does not pass the test.
    expired = "reason=4" in cert_err and "certificate has expired" in cert_err
    if not expired:
        raise Exception("Unexpected failure reason: " + cert_err)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
2988
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as the previous test, but with
    phase1="tls_disable_time_checks=1" the supplicant skips the validity
    period check and the connection must succeed. This option removes a
    security check and is exercised here only to confirm the opt-out
    works; it should not be part of a normal client configuration.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
3001
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period; the
    supplicant's time handling must still accept it and connect.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-long-duration.pem"
    ap_params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
3013
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server presents a certificate whose Extended Key Usage allows
    only client authentication. A client certificate from the same CA
    must not be usable to impersonate the authentication server, so the
    supplicant has to reject it and report EAP failure.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   wait_connect=False,
                   scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3029
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: a certificate listing both
    client and server authentication in its Extended Key Usage is a
    valid server certificate and the connection must succeed.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
3041
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    hostapd loads both its certificate and private key from a single
    PKCS#12 container: server_cert is removed from the parameters and
    private_key points at the .pkcs12 file. The client side is unchanged
    and must connect normally.
    """
    skip_with_fips(dev[0])
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
3053
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The supplicant is given an explicit dh_file; the EAP-TTLS/PAP
    connection must still succeed with it configured.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dh.conf")
3062
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as the plain dh_file test but the file holds DSA parameters
    (dsaparam.pem); skipped when the TLS library cannot use them.
    """
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="auth_serv/dsaparam.pem")
3072
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found (supplicant side)

    The supplicant is configured with a dh_file path that does not exist;
    the attempt must end in EAP failure, after which the network is
    removed and the disconnection is awaited.
    """
    # NOTE(review): a second function with this exact name is defined
    # later in this module (the hostapd dh_file variant). Python keeps
    # only the last definition at import time, so this supplicant-side
    # test is shadowed and not run under this name until one of the two
    # is renamed.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
3088
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file (supplicant side)

    dh_file points at a file that exists but holds a CA certificate
    rather than DH parameters. The supplicant must reject it with an EAP
    failure instead of proceeding without the configured parameters.
    """
    # NOTE(review): a second function with this exact name is defined
    # later in this module; Python keeps only the last definition, so
    # this supplicant-side test is shadowed until one of them is renamed.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
3104
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DH parameters are read from auth_serv/dh2.conf, pushed into the
    supplicant as a hex-encoded blob over the control interface, and then
    referenced via dh_file="blob://dhparams". (str.encode("hex") is the
    Python 2 form used throughout this file.)
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh_params = read_pem("auth_serv/dh2.conf")
    set_res = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in set_res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls",
                password="password",
                ca_cert="auth_serv/ca.der",
                phase2="auth=PAP",
                dh_file="blob://dhparams")
3116
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # Only the server-side DH parameter file is overridden; the rest of the
    # configuration comes from the integrated EAP server defaults.
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], server)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
3125
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # Same as the dh2.conf variant but with DSA parameters on the server
    server = int_eap_server_params()
    server["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], server)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")
3134
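def test_ap_wpa2_eap_ttls_dh_params_server_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # This server-side check was previously defined under the same name as
    # the station-side test_ap_wpa2_eap_ttls_dh_params_not_found earlier in
    # this file, which silently replaced that test in the module namespace;
    # the distinct name keeps both test cases discoverable.
    params = int_eap_server_params()
    params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so that the expected configuration
    # failure surfaces from the explicit ENABLE request below.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")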
3142
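def test_ap_wpa2_eap_ttls_dh_params_server_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # This server-side check was previously defined under the same name as
    # the station-side test_ap_wpa2_eap_ttls_dh_params_invalid earlier in
    # this file, which silently replaced that test in the module namespace;
    # the distinct name keeps both test cases discoverable.
    params = int_eap_server_params()
    # A CA certificate file exists but does not contain DH parameters
    params["dh_file"] = "auth_serv/ca.pem"
    # Add the AP without enabling it so that the expected configuration
    # failure surfaces from the explicit ENABLE request below.
    hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")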
3150
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Make the Authenticator force EAP reauthentication after 2 seconds
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # A new EAP exchange must start and succeed without any action on the
    # station side.
    for event in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if sta.wait_event([event], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Give the supplicant state machine up to ~2 s to report COMPLETED
    for _ in range(20):
        if sta.get_status_field("wpa_state") == "COMPLETED":
            break
        time.sleep(0.1)
    else:
        raise Exception("Reauthentication did not complete")
3172
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # The message carries a NUL-separated options part after the text;
    # the connection must succeed regardless of its contents.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
3180
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    params = int_eap_server_params()
    params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # (method, identity, password) for each SIM-family method. For each one
    # dev[0] connects requesting the protected result indication
    # (result_ind=1) and reauthenticates, while dev[1] connects with the
    # same credentials without requesting it.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Drop the previous method's profiles before trying the next one
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)
3215
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    sta = dev[0]
    skip_with_fips(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A very small fragment_size is used so that the exchange is expected
    # to hit the supplicant's roundtrip limit instead of completing.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="10")
    if sta.wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
3230
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)

    # Look through at most five EAP status events for the refusal of the
    # proposed method; any earlier status lines are ignored.
    for _ in range(5):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    # The exchange must end in an EAP failure rather than a connection
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
3254
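def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    skip_with_fips(dev[0])
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a fresh database file; only a missing file is tolerated
    # here, any other removal error is a real problem and propagates.
    try:
        os.remove(dbfile)
    except OSError:
        pass
    con = sqlite3.connect(dbfile)
    try:
        # "with con" commits (or rolls back) but does not close the
        # connection, so the close is done explicitly in the finally clause.
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
            cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        con.close()

    try:
        # Use a separate name for the AP configuration so that the test's
        # own "params" argument (log directory etc.) is not shadowed.
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Each phase 2 user in the database must authenticate with the
        # matching inner method.
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        os.remove(dbfile)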
3299
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Two stations, each with an identity containing a non-ASCII byte;
    # the check is only that EAP starts and a method gets selected.
    identities = ("\x80", "a\x80")
    for i, identity in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=identity, password="password",
                       wait_connect=False)
    expected = [("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out")]
    for i in range(len(identities)):
        for event, error in expected:
            if dev[i].wait_event([event], timeout=10) is None:
                raise Exception(error)
3315
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same as test_ap_wpa2_eap_non_ascii_identity but against the
    # default RADIUS-backed AP configuration instead of the integrated
    # EAP server.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identities = ("\x80", "a\x80")
    for i, identity in enumerate(identities):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity=identity, password="password",
                       wait_connect=False)
    expected = [("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out")]
    for i in range(len(identities)):
        for event, error in expected:
            if dev[i].wait_event([event], timeout=10) is None:
                raise Exception(error)
3331
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # A restrictive but valid client cipher list must still connect
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **common)
    # Export-grade ciphers are expected to be refused; the failure may be
    # reported locally rather than by the server.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True,
                maybe_local_error=True, **common)
    # An unparseable cipher string must result in an EAP failure
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", openssl_ciphers="FOO",
                   wait_connect=False, **common)
    if dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
3358
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
    params = int_eap_server_params()
    # Restrict the server to AES256 suites
    params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)

    # (station, client openssl_ciphers or None for the default, expect failure)
    cases = [
        (dev[0], None, False),
        # AES128 on the client is expected to fail against the AES256-only server
        (dev[1], "AES128", True),
        (dev[2], "HIGH:!ADH", False),
    ]
    for sta, ciphers, should_fail in cases:
        kwargs = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
        if ciphers is not None:
            kwargs['openssl_ciphers'] = ciphers
        if should_fail:
            kwargs['expect_failure'] = True
        eap_connect(sta, apdev[0], "TTLS", "pap user", **kwargs)

    # An invalid cipher string must be rejected when the AP is enabled
    params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3387
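def _ttls_pap_keys_from_debug_log(path):
    """Return the MSK/EMSK/PMK/PTK/GTK hexdumps found in a wpa_supplicant debug log.

    The result is a dict with keys "msk", "emsk", "pmk", "ptk" and "gtk";
    a value is None when no matching hexdump line was seen, and the last
    matching line wins when a key is logged more than once.
    """
    # Log line marker -> key name. Every hexdump line has the same layout:
    # the value is the fourth ':'-separated field with the spaces between
    # bytes removed.
    markers = {
        "EAP-TTLS: Derived key - hexdump": "msk",
        "EAP-TTLS: Derived EMSK - hexdump": "emsk",
        "WPA: PMK - hexdump": "pmk",
        "WPA: PTK - hexdump": "ptk",
        "WPA: Group Key - hexdump": "gtk",
    }
    keys = dict.fromkeys(markers.values())
    with open(path, 'r') as f:
        for line in f:
            for marker, name in markers.items():
                if marker in line:
                    val = line.strip().split(':')[3].replace(' ', '')
                    keys[name] = binascii.unhexlify(val)
    return keys

def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], p)
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    net_id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                         anonymous_identity="ttls", password=password,
                         ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    time.sleep(1)
    dev[0].ping()
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # The key material itself is recovered from the debug log written by
    # the supplicant, so that the memory snapshots can be searched for it.
    dev[0].relog()
    keys = _ttls_pap_keys_from_debug_log(os.path.join(params['logdir'], 'log0'))
    msk = keys["msk"]
    emsk = keys["emsk"]
    pmk = keys["pmk"]
    ptk = keys["ptk"]
    gtk = keys["gtk"]
    if not all((msk, emsk, pmk, ptk, gtk)):
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout used by this check: KCK | KEK | TK, 16 bytes each
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password and PMK are expected in the associated snapshot; not
    # finding them means the memory read is not usable, hence a skip
    # rather than a failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    # KCK and KEK are needed while associated, but the TK and GTK copies
    # held by the supplicant must already have been cleared.
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        get_key_locations(buf, gtk, "GTK")
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flushing the PMKSA cache and changing the identity (which drops the
    # EAP fast re-auth data) must remove the PMK as well.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(net_id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    # Once the profile is gone, none of the secrets may remain in memory
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")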
3503
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP")

    # Inject an unexpected WEP EAPOL-Key frame through the control
    # interface; it gets dropped, and the only check is that the injection
    # request itself is accepted.
    frame = ("0203002c0100000000000000000000000000000000000000"
             "000000000000000000000000000000000000000000000000")
    res = dev[0].request("EAPOL_RX " + bssid + " " + frame)
    if "OK" not in res:
        raise Exception("EAPOL_RX to wpa_supplicant failed")
3517
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    # Tear-down commands, run best-effort in this order even when the
    # test body fails; return codes are intentionally ignored.
    cleanup = [
        ['ip', 'link', 'set', 'dev', br_ifname, 'down'],
        ['brctl', 'delif', br_ifname, ifname],
        ['brctl', 'delbr', br_ifname],
        ['iw', ifname, 'set', '4addr', 'off'],
    ]
    try:
        _test_ap_wpa2_eap_in_bridge(dev, apdev)
    finally:
        for cmd in cleanup:
            subprocess.call(cmd)
3529
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    # Body of test_ap_wpa2_eap_in_bridge; the caller owns the cleanup of
    # the bridge and the 4addr setting.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    br_ifname = 'sta-br0'
    ifname = 'wlan5'
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Bridge setup is best-effort up to adding the interface, which must
    # succeed for the test to make sense.
    for cmd in (['brctl', 'addbr', br_ifname],
                ['brctl', 'setfd', br_ifname, '0'],
                ['ip', 'link', 'set', 'dev', br_ifname, 'up'],
                ['iw', ifname, 'set', '4addr', 'on']):
        subprocess.call(cmd)
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    wpas.dump_monitor()

    eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    wpas.dump_monitor()
    # Reauthenticate twice; the second round is a regression test for the
    # packet socket workaround.
    for _ in range(2):
        eap_reauth(wpas, "PAX")
        wpas.dump_monitor()
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.dump_monitor()
    wpas.request("RECONNECT")
    wpas.wait_connected()
    wpas.dump_monitor()
3559
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check of the configuration readback before using the AP
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Leave session tickets enabled on the client and reauthenticate once
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3572
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check of the configuration readback before using the AP
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Disable the EAP workarounds on the client and reauthenticate once
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3585
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def tls_connect(**extra):
        # One EAP-TLS attempt with the test user certificate, followed by
        # removal of the profile so the next attempt starts clean.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key", **extra)
        dev[0].request("REMOVE_NETWORK all")

    def reconfigure(key, value):
        # The server parameter is changed with the AP disabled and picked
        # up when it is enabled again.
        hapd.disable()
        hapd.set(key, value)
        hapd.enable()

    # check_crl=1 and no CRL available --> reject connection
    tls_connect(expect_failure=True)

    # check_crl=1 and valid CRL --> accept
    reconfigure("ca_cert", "auth_serv/ca-and-crl.pem")
    tls_connect()

    # check_crl=2 and valid CRL --> accept
    reconfigure("check_crl", "2")
    tls_connect()
3617
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    check_domain_match(sta)
    check_domain_match_full(sta)

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Fail the 1st..4th allocation in tls_connection_set_subject_match, one
    # connection attempt per failing allocation.
    func = "tls_connection_set_subject_match"
    for count in range(1, 5):
        with alloc_fail(sta, count, func):
            sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                        identity="tls user", ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key",
                        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                        domain_suffix_match="server.w1.fi",
                        domain_match="server.w1.fi",
                        wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            if sta.wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5) is None:
                raise Exception("No passphrase request")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
3649
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL"""
    # macaddr_acl=2 on the AP; the station must still complete EAP-TLS
    ap = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap)
    eap_connect(dev[1], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
3658
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta.scan_for_bss(apdev[0]['bssid'], freq=2412)

    # The first attempt fails, but STA will send EAPOL-Start to retry and
    # that succeeds.
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    client_cert="auth_serv/user.pem",
                    private_key="auth_serv/user.key",
                    scan_freq="2412")
3673
def check_tls_ver(dev, ap, phase1, expected):
    # Connect with EAP-TLS using the given phase1 parameters and verify
    # that the negotiated TLS version reported by the station is the one
    # expected.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                phase1=phase1)
    negotiated = dev.get_status_field("eap_tls_version")
    if negotiated == expected:
        return
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, negotiated))
3682
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    disable_10_11 = "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    # The TLS 1.2-only case is checked only where the library is known to
    # support it: OpenSSL 1.0.2 at both build and run time, or the
    # internal TLS implementation.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0], disable_10_11, "TLSv1.2")
    elif tls.startswith("internal"):
        check_tls_ver(dev[0], apdev[0], disable_10_11, "TLSv1.2")
    # Forcing a single older version by disabling the other two
    remaining = [
        (dev[1], "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1"),
        (dev[2], "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1"),
    ]
    for sta, phase1, expected in remaining:
        check_tls_ver(sta, apdev[0], phase1, expected)
3701
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side"""
    sta = dev[0]
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                         identity="gpsk user",
                         password="abcdefghijklmnop0123456789abcdef",
                         scan_freq="2412")

    # Progressively truncated RSN elements; the station is expected to be
    # able to reconnect to each of them.
    truncated = [
        ('No RSN Capabilities field',
         '30120100000fac040100000fac040100000fac01'),
        ('No AKM Suite fields',
         '300c0100000fac040100000fac04'),
        ('No Pairwise Cipher Suite fields',
         '30060100000fac04'),
        ('No Group Data Cipher Suite field',
         '30020100'),
    ]
    for description, ie in truncated:
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        logger.info(description)
        # Swap the advertised element with the AP disabled, then make the
        # station rescan so it sees the new element before reconnecting.
        hapd.disable()
        hapd.set('own_ie_override', ie)
        hapd.enable()
        sta.request("BSS_FLUSH 0")
        sta.scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        sta.select_network(net_id, freq=2412)
        sta.wait_connected()
3733
def check_tls_session_resumption_capa(dev, hapd):
    # Both ends must be built with OpenSSL for the session resumption
    # tests; otherwise skip with the reported library in the message.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    sta_tls = dev.request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("Session resumption not supported with this TLS library: " + sta_tls)
3742
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption"""
    params = int_eap_server_params()
    # A non-zero lifetime (seconds) turns on the server-side TLS session cache.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def reauth():
        """Re-run EAP over the existing association; return tls_session_reused."""
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    # First connection: full TLS handshake, nothing in the cache to resume.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round within the lifetime must come back as a resumed session.
    if reauth() != '1':
        raise Exception("Session resumption not used on the second connection")
3765
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption"""
    params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    # Initial connection uses the DER-encoded CA copy; must be a full handshake.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-authenticate and wait for both the EAP result and the 4-way handshake.
    dev[0].request("REAUTHENTICATE")
    expected = (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                ("WPA: Key negotiation completed",
                 "Key handshake with the AP timed out"))
    for event, failure in expected:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3787
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption"""
    # domain_suffix_match is used below, so skip on TLS libraries lacking it.
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def reauth():
        """Trigger REAUTHENTICATE and return tls_session_reused afterwards."""
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    # Server identity is pinned with domain_suffix_match in addition to the
    # CA check; the first connection must be a full handshake.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    if reauth() != '1':
        raise Exception("Session resumption not used on the second connection")
3811
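def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Enable the server-side TLS session cache for one minute.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity carries a literal backslash (DOMAIN\mschapv2 user); it is
    # escaped here because "\m" is not a valid escape sequence and newer
    # Python versions warn on it. The runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round within the lifetime must resume the cached session.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")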
3836
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    # Inner method is EAP-GTC (autheap=), tunnelled inside TTLS.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    milestones = (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                  ("WPA: Key negotiation completed",
                   "Key handshake with the AP timed out"))
    for event, failure in milestones:
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3858
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server"""
    params = int_eap_server_params()
    # Lifetime 0 disables the TLS session cache on the server side entirely.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def reauth():
        """Re-run EAP on the current association; return tls_session_reused."""
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                phase2="auth=PAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With the cache disabled the second round must be a full handshake too.
    if reauth() != '0':
        raise Exception("Unexpected session resumption on the second connection")
3880
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption"""
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    # PEAP with an MSCHAPv2 inner method; first connection is a full handshake.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
3902
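def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server"""
    params = int_eap_server_params()
    # State the disabled cache explicitly instead of relying on the hostapd
    # default, consistent with test_eap_ttls_no_session_resumption; the test
    # then documents what it asserts regardless of how the default evolves.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # With no session cache the second EAP round must be a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")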
3922
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption"""
    params = int_eap_server_params()
    # 60 s keeps the cached session valid across both re-authentications.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)

    def reauth():
        """Run REAUTHENTICATE to completion; return tls_session_reused."""
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    # Client-certificate authentication; the first connection is a full
    # handshake.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Both following rounds must resume: a resumed session is itself reusable,
    # not only the one established by the full handshake.
    for ordinal in ("second", "third"):
        if reauth() != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)
3954
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration"""
    params = int_eap_server_params()
    # One-second lifetime so the cached entry expires during the test.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # OpenSSL purges expired cache entries lazily, so a re-authentication right
    # after the lifetime may still resume. Retry, sleeping longer than the
    # lifetime each time, and stop as soon as a full handshake is seen.
    reused = None
    for _attempt in range(10):
        time.sleep(1.2)

        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        reused = dev[0].get_status_field("tls_session_reused")
        if reused == '0':
            break
    # Still resuming after every attempt means the lifetime is not enforced.
    if reused != '0':
        raise Exception("Session resumption used after lifetime expiration")
3983
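def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    params = int_eap_server_params()
    # Disable the session cache explicitly rather than relying on the hostapd
    # default; matches test_eap_ttls_no_session_resumption and the RADIUS
    # variant, and makes the asserted configuration visible in the test.
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Second EAP round must again be a full handshake.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")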
4003
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)"""
    # Stand-alone RADIUS/EAP server on apdev[1]; the session cache lives
    # there, not on the AP that fronts the client.
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], as_params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    # The AP itself only relays EAP to the server on port 18128.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def reauth():
        """Re-run EAP over RADIUS; return the client's tls_session_reused."""
        dev[0].request("REAUTHENTICATE")
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        if dev[0].wait_event(["WPA: Key negotiation completed"],
                             timeout=10) is None:
            raise Exception("Key handshake with the AP timed out")
        return dev[0].get_status_field("tls_session_reused")

    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    if reauth() != '1':
        raise Exception("Session resumption not used on the second connection")
4036
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)"""
    # Stand-alone RADIUS/EAP server on apdev[1] with the session cache off.
    as_params = { "ssid": "as", "beacon_int": "2000",
                  "radius_server_clients": "auth_serv/radius_clients.conf",
                  "radius_server_auth_port": '18128',
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], as_params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Re-authentication must go through a full handshake again.
    dev[0].request("REAUTHENTICATE")
    for event, failure in (("CTRL-EVENT-EAP-SUCCESS", "EAP success timed out"),
                           ("WPA: Key negotiation completed",
                            "Key handshake with the AP timed out")):
        if dev[0].wait_event([event], timeout=10) is None:
            raise Exception(failure)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
4068
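def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases"""
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: the credentials work before any failure is injected.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def expect_abort(trigger, **creds):
        """Start a connection, wait until the injected failure fires, tear down.

        trigger is the control-interface query wait_fail_trigger() polls
        (GET_FAIL or GET_ALLOC_FAIL); creds are the network parameters.
        """
        dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP",
                       wait_connect=False, scan_freq="2412", **creds)
        wait_fail_trigger(dev[0], trigger)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    plaintext = dict(eap="MSCHAPV2", identity="phase1-user",
                     password="password")
    # Same credential supplied as its NT hash ("hash:" prefix). For MSCHAPv2
    # the NT hash is credential-equivalent, so treat it like the password.
    hashed = dict(eap="MSCHAPV2", identity="phase1-user",
                  password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c")
    wrong = dict(eap="MSCHAPV2", identity="phase1-user",
                 password="wrong password")
    fast = dict(eap="FAST", anonymous_identity="FAST", identity="user",
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1",
                pac_file="blob://fast_pac")

    # Crypto/derivation failures on the password path. The duplicate
    # "nt_password_hash;=mschapv2_derive_response" entry of the original list
    # was dropped: with count=1 it re-ran an identical case.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            expect_abort("GET_FAIL", **plaintext)

    # Same derivation failures on the *_pwhash code path.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            expect_abort("GET_FAIL", **hashed)

    # Allocation failures during a successful exchange.
    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            expect_abort("GET_ALLOC_FAIL", **plaintext)

    # Allocation failure while building the Failure-Response (needs a rejected
    # password to reach that code).
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            expect_abort("GET_ALLOC_FAIL", **wrong)

    # eap_mschapv2_init is instantiated again as the EAP-FAST inner method;
    # counts 2 and 3 hit those later instances.
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            expect_abort("GET_ALLOC_FAIL", **fast)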
4150
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: confirm the PSK works before injecting failures.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   scan_freq="2412")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    def expect_abort(trigger, **extra):
        """Start a GPSK connection with extra network params, wait for the
        injected failure to be hit, then remove the network again."""
        dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       wait_connect=False, scan_freq="2412", **extra)
        wait_fail_trigger(dev[0], trigger)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Failures in random/MIC/key derivation; cipher=1 (AES) and cipher=2
    # (SHA256) select which MIC implementation the trigger must hit.
    fail_cases = [
        (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=1"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2", "cipher=2"),
        (1, "eap_gpsk_derive_keys_helper", None),
        (2, "eap_gpsk_derive_keys_helper", None),
        (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=1"),
        (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
         "cipher=2"),
        (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
        (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
        (1, "eap_gpsk_derive_mid_helper", None),
    ]
    for count, func, phase1 in fail_cases:
        with fail_test(dev[0], count, func):
            expect_abort("GET_FAIL", phase1=phase1)

    # Allocation failures; ERP is enabled so the EMSK/session-id getters run,
    # and the ERP cache is flushed first so each case starts from scratch.
    alloc_cases = [
        (1, "eap_gpsk_init"),
        (2, "eap_gpsk_init"),
        (3, "eap_gpsk_init"),
        (1, "eap_gpsk_process_id_server"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
        (1, "eap_gpsk_derive_keys"),
        (1, "eap_gpsk_derive_keys_helper"),
        (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
        (1, "eap_gpsk_getKey"),
        (1, "eap_gpsk_get_emsk"),
        (1, "eap_gpsk_get_session_id"),
    ]
    for count, func in alloc_cases:
        with alloc_fail(dev[0], count, func):
            dev[0].request("ERP_FLUSH")
            expect_abort("GET_ALLOC_FAIL", erp="1")
4210
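def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases"""
    # Fixed, predictable path under /tmp shared by every run of this test;
    # acceptable on a dedicated test host. Remove any stale socket first.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    try:
        os.remove(sockpath)
    except OSError:
        pass
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available: the authentication
    # must fail cleanly rather than hang or be accepted.
    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="SIM", identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout

    class test_handler(SocketServer.DatagramRequestHandler):
        """Reply with malformed strings only, so the pending request times out."""
        def handle(self):
            data = self.request[0].strip()
            sock = self.request[1]  # local name; do not shadow the socket module
            logger.debug("Received hlr_auc_gw request: " + data)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            sock.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            sock.sendto("FOO 1 2", self.client_address)
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    server.timeout = 1
    try:
        dev[0].select_network(netid)
        server.handle_request()
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP-Failure not reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

        # Test with a valid response

        class test_handler2(SocketServer.DatagramRequestHandler):
            """Delegate the request to the real hlr_auc_gw and relay its answer."""
            def handle(self):
                data = self.request[0].strip()
                sock = self.request[1]
                logger.debug("Received hlr_auc_gw request: " + data)
                fname = os.path.join(params['logdir'],
                                     'hlr_auc_gw.milenage_db')
                # argv list, no shell: the request text becomes one argument
                # and is never interpreted by a shell.
                cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                        '-m', fname, data],
                                       stdout=subprocess.PIPE)
                # communicate() drains stdout and reaps the child; the previous
                # read()/close() pair left the process unwaited.
                res = cmd.communicate()[0].strip()
                logger.debug("hlr_auc_gw response: " + res)
                sock.sendto(res, self.client_address)

        server.RequestHandlerClass = test_handler2

        dev[0].select_network(netid)
        server.handle_request()
        dev[0].wait_connected()
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
    finally:
        # Release the bound datagram socket and its filesystem node so a
        # failed run does not leak them into the next test.
        server.server_close()
        try:
            os.remove(sockpath)
        except OSError:
            pass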
4283
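def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature"""
    # Keep the hostapd config under its own name so the 'params' test fixture
    # argument is not shadowed (same convention as test_ap_wpa2_eap_sim_db).
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha512-server.pem"
    hparams["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Server certificate chain signed with SHA-512; clients present user
    # certificates signed with SHA-512 and SHA-384 respectively, both chained
    # to the same SHA-512 CA.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")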
4304
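def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature"""
    # Use a distinct local name instead of rebinding the 'params' fixture
    # argument (consistent with test_ap_wpa2_eap_sim_db).
    hparams = int_eap_server_params()
    hparams["ca_cert"] = "auth_serv/sha512-ca.pem"
    hparams["server_cert"] = "auth_serv/sha384-server.pem"
    hparams["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Only the server certificate differs from test_eap_tls_sha512 (SHA-384
    # here); the two client certificates and the SHA-512 CA are the same.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
                   scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
                   scan_freq="2412")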
4325
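def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Second AP with management frame protection required (ieee80211w=2).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Hand-built RSN IEs injected into the (Re)Association Request through
    # set_test_assoc_ie(). Layout of the baseline IE (hex):
    #   30 14          element id 48 (RSN), length
    #   0100           version 1
    #   000fac04       group cipher suite CCMP
    #   0100 000fac04  one pairwise cipher suite, CCMP
    #   0100 000fac01  one AKM suite, IEEE 802.1X
    #   0000           RSN capabilities
    # Success cases with optional RSN IE fields removed one by one
    accept = [ ("Normal wpa_supplicant assoc req RSN IE",
                "30140100000fac040100000fac040100000fac010000"),
               ("Extra PMKIDCount field in RSN IE",
                "30160100000fac040100000fac040100000fac0100000000"),
               ("Extra Group Management Cipher Suite in RSN IE",
                "301a0100000fac040100000fac040100000fac0100000000000fac06"),
               ("Extra undefined extension field in RSN IE",
                "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
               ("RSN IE without RSN Capabilities",
                "30120100000fac040100000fac040100000fac01"),
               ("RSN IE without AKM", "300c0100000fac040100000fac04"),
               ("RSN IE without pairwise", "30060100000fac04"),
               ("RSN IE without group", "30020100") ]
    for title, ie in accept:
        logger.info(title)
        _assoc_rsn_ie_accept(dev[0], "test-wpa2-eap", ie)

    # PMF AP: RSN capabilities cc00 (MFPC and MFPR set); the second IE also
    # carries an explicit BIP-CMAC-128 (000fac06) group management cipher.
    accept_11w = [ ("Normal wpa_supplicant assoc req RSN IE",
                    "30140100000fac040100000fac040100000fac01cc00"),
                   ("Group management cipher included in assoc req RSN IE",
                    "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in accept_11w:
        logger.info(title)
        _assoc_rsn_ie_accept(dev[0], "test-wpa2-eap-11w", ie, ieee80211w="1")

    # Rejections: TKIP (000fac02) as group or pairwise cipher must be
    # refused with the matching IEEE 802.11 status code.
    reject = [ ("Invalid group cipher", "30060100000fac02", 41),
               ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in reject:
        logger.info(title)
        _assoc_rsn_ie_reject(dev[0], "test-wpa2-eap", ie, status)

    # PMF-required AP: an IE without the MFP capability bits, and one
    # advertising a group management cipher (00-0f-ac:11) that the AP does
    # not support, are both rejected with status 31 (robust management
    # frame policy violation).
    reject_11w = [ ("Management frame protection not enabled",
                    "30140100000fac040100000fac040100000fac010000", 31),
                   ("Unsupported management group cipher",
                    "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in reject_11w:
        logger.info(title)
        _assoc_rsn_ie_reject(dev[0], "test-wpa2-eap-11w", ie, status,
                             ieee80211w="1")

# EAP-GPSK credentials shared by every association attempt in this test.
_ASSOC_RSN_CREDS = dict(key_mgmt="WPA-EAP", eap="GPSK", identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        scan_freq="2412")

def _assoc_rsn_ie_accept(sta, ssid, ie, **extra):
    """Associate *sta* to *ssid* using RSN IE *ie*; the AP must accept it.

    *extra* is passed through to connect() (e.g. ieee80211w="1"). The
    network is removed again once the connection has completed.
    """
    set_test_assoc_ie(sta, ie)
    sta.connect(ssid, **dict(_ASSOC_RSN_CREDS, **extra))
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

def _assoc_rsn_ie_reject(sta, ssid, ie, status, **extra):
    """Associate *sta* to *ssid* using RSN IE *ie*; the AP must reject it.

    Raises Exception unless CTRL-EVENT-ASSOC-REJECT is reported with
    status_code=*status*. *extra* is passed through to connect().
    """
    set_test_assoc_ie(sta, ie)
    sta.connect(ssid, wait_connect=False, **dict(_ASSOC_RSN_CREDS, **extra))
    ev = sta.wait_event(["CTRL-EVENT-ASSOC-REJECT"])
    if ev is None:
        raise Exception("Association rejection not reported")
    if "status_code=" + str(status) not in ev:
        raise Exception("Unexpected status code: " + ev)
    sta.request("REMOVE_NETWORK all")
    # Drop the pending events so the next iteration starts clean.
    sta.dump_monitor()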
4408
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certificate validation"""
    # Profile keeps the internal server certificate chain validation
    # (ca_cert) and additionally requests the external check through
    # tls_ext_cert_check=1; only_add_network leaves the actual connection
    # to run_ext_cert_check().
    profile = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
4420
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certificate validation"""
    # No ca_cert in this profile: the supplicant does no internal chain
    # validation, so the external check requested by tls_ext_cert_check=1
    # (driven from run_ext_cert_check()) is the only server authentication.
    profile = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
4430
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certificate validation"""
    # Internal chain validation (ca_cert) plus the external check requested
    # via tls_ext_cert_check=1; the connection itself is driven by
    # run_ext_cert_check().
    profile = dict(key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", anonymous_identity="peap",
                   ca_cert="auth_serv/ca.pem",
                   password="password", phase2="auth=MSCHAPV2",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
4441
def test_eap_fast_ext_cert_check(dev, apdev):
    """EAP-FAST and external server certificate validation"""
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC blob so authenticated provisioning
    # (fast_provisioning=2) happens in this run rather than resuming with a
    # PAC left over from an earlier test.
    dev[0].request("SET blob fast_pac_auth_ext ")
    # Internal chain validation (ca_cert) plus the external check requested
    # via tls_ext_cert_check=1; run_ext_cert_check() drives the connection.
    profile = dict(key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   ca_cert="auth_serv/ca.pem",
                   password="password", phase2="auth=GTC",
                   phase1="tls_ext_cert_check=1 fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_ext",
                   scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **profile)
    run_ext_cert_check(dev, apdev, net_id)
4456
def run_ext_cert_check(dev, apdev, net_id):
    """Drive the external server certificate check for network *net_id*.

    Shared by the EAP-TLS/TTLS/PEAP/FAST ext_cert_check tests above. The
    network must already have been added (only_add_network=True) with
    phase1="tls_ext_cert_check=1". Two rounds are run:

    1. Collect the CTRL-EVENT-EAP-PEER-CERT events, check the server and
       issuer certificate subjects, answer the CTRL-REQ-EXT_CERT_CHECK
       request with "good" and expect the connection to complete.
    2. Reconnect with the PMKSA cache flushed, answer "bad" and expect
       EAP-Failure, i.e. the external verdict must be able to block the
       authentication.

    Raises Exception on any deviation; HwsimSkip when the build or the
    Python environment lacks the needed support.
    """
    check_ext_cert_check_support(dev[0])
    # pyOpenSSL is needed below to parse the DER certificates.
    if not openssl_imported:
        raise HwsimSkip("OpenSSL python method not available")

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].select_network(net_id)
    # DER certificates reported by the supplicant, keyed by chain depth
    # (0 = server certificate, 1 = its issuer). A repeated depth overwrites
    # the earlier entry.
    certs = {}
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
                                "CTRL-REQ-EXT_CERT_CHECK",
                                "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("No peer server certificate event seen")
        if "CTRL-EVENT-EAP-PEER-CERT" in ev:
            # Space-separated key=value fields; only depth= and cert= (hex
            # encoded DER) are consumed here.
            depth = None
            cert = None
            vals = ev.split(' ')
            for v in vals:
                if v.startswith("depth="):
                    depth = int(v.split('=')[1])
                elif v.startswith("cert="):
                    cert = v.split('=')[1]
            if depth is not None and cert:
                certs[depth] = binascii.unhexlify(cert)
        elif "CTRL-EVENT-EAP-SUCCESS" in ev:
            # With tls_ext_cert_check=1 the EAP exchange must stall until
            # the external verdict is given; success before that would
            # mean the external check can be bypassed.
            raise Exception("Unexpected EAP-Success")
        elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
            # Request id is the trailing part of
            # "CTRL-REQ-EXT_CERT_CHECK-<id>:..."; it is echoed back in the
            # CTRL-RSP reply below. (Shadows the builtin 'id'.)
            id = ev.split(':')[0].split('-')[-1]
            break
    if 0 not in certs:
        raise Exception("Server certificate not received")
    if 1 not in certs:
        raise Exception("Server certificate issuer not received")

    # NOTE(review): commonName may be None for a subject without a CN, in
    # which case the string concatenation below raises TypeError rather
    # than the intended Exception; the test certificates do carry a CN.
    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                           certs[0])
    cn = cert.get_subject().commonName
    logger.info("Server certificate CN=" + cn)

    issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
                                             certs[1])
    icn = issuer.get_subject().commonName
    logger.info("Issuer certificate CN=" + icn)

    # Only the subject CNs are checked here; this stands in for whatever
    # policy a real external verifier would apply to the received chain.
    if cn != "server.w1.fi":
        raise Exception("Unexpected server certificate CN: " + cn)
    if icn != "Root CA":
        raise Exception("Unexpected server certificate issuer CN: " + icn)

    # The supplicant must still be waiting for the verdict at this point.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
    if ev:
        raise Exception("Unexpected EAP-Success before external check result indication")

    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
    dev[0].wait_connected()

    # Second round: flush the PMKSA cache so the reconnection cannot reuse
    # the cached PMK and has to run the full EAP exchange again, which
    # re-triggers the external check. Clearing the fast_pac_auth_ext blob
    # only matters for the EAP-FAST caller (see test_eap_fast_ext_cert_check).
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    if "FAIL" in dev[0].request("PMKSA_FLUSH"):
        raise Exception("PMKSA_FLUSH failed")
    dev[0].request("SET blob fast_pac_auth_ext ")
    dev[0].request("RECONNECT")

    ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen (2)")
    id = ev.split(':')[0].split('-')[-1]
    # A negative verdict from the external checker must fail the
    # authentication.
    dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:
        raise Exception("EAP-Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()