1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Root logger (no name given); every test in this module logs through it.
logger = logging.getLogger(name=None)
20 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
21 from wpasupplicant import WpaSupplicant
22 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
26 openssl_imported = True
28 openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw control socket is not present.

    The EAP-SIM/AKA tests depend on the external HLR/AuC gateway; the only
    availability signal used here is the existence of its UNIX socket path.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev, method):
35 res = dev.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless *dev* reports an OpenSSL TLS library.

    subject_match is reported as unsupported for any other backend, so the
    test is skipped instead of passing without exercising the check.

    Raises:
        HwsimSkip: if GET tls_library does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip unless *dev* reports an OpenSSL TLS library.

    altsubject_match is reported as unsupported for any other backend.

    Raises:
        HwsimSkip: if GET tls_library does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    is_openssl = lib.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip when *dev* uses the internal TLS implementation.

    domain_match is reported as unsupported with the internal library; any
    other backend (OpenSSL, GnuTLS, ...) is allowed through.

    Raises:
        HwsimSkip: if GET tls_library starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal = lib.startswith("internal")
    if uses_internal:
        raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when *dev* uses the internal TLS implementation.

    domain_suffix_match is reported as unsupported with the internal
    library; other backends are allowed through.

    Raises:
        HwsimSkip: if GET tls_library starts with "internal".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip unless *dev* reports an OpenSSL TLS library.

    Used by tests that rely on domain_suffix_match accepting a suffix; with
    any other backend the option is reported to require a full match, so
    such a test would not be meaningful there.

    Raises:
        HwsimSkip: if GET tls_library does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless *dev* reports an OpenSSL or internal TLS library.

    Certificate probing is reported as unsupported for every other backend.

    Raises:
        HwsimSkip: if GET tls_library starts with neither "OpenSSL" nor
            "internal".
    """
    lib = dev.request("GET tls_library")
    # str.startswith accepts a tuple: one call covers both accepted prefixes.
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless *dev* reports an OpenSSL TLS library.

    ext_cert_check (external certificate validation through the control
    interface) is reported as unsupported for any other backend.

    Raises:
        HwsimSkip: if GET tls_library does not start with "OpenSSL".
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Skip when *dev* uses the internal TLS implementation.

    OCSP is reported as unsupported with the internal library.  A BoringSSL
    exclusion used to exist here as well but is currently disabled, so
    BoringSSL builds are allowed through.

    Raises:
        HwsimSkip: if GET tls_library starts with "internal".
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
    # Disabled exclusion, kept for reference:
    #if "BoringSSL" in lib:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + lib)
def check_pkcs12_support(dev):
    """Placeholder capability check for PKCS#12 tests; never skips.

    The TLS library is still queried (so the answer shows up in the log),
    but the exclusion of the internal library is currently disabled, and no
    backend is rejected.
    """
    dev.request("GET tls_library")
    # Disabled exclusion, kept for reference:
    #if <tls_library>.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + <tls_library>)
def check_dh_dsa_support(dev):
    """Skip when *dev* uses the internal TLS implementation.

    DH/DSA cipher suites are reported as unsupported with the internal
    library; other backends are allowed through.

    Raises:
        HwsimSkip: if GET tls_library starts with "internal".
    """
    lib = dev.request("GET tls_library")
    uses_internal = lib.startswith("internal")
    if uses_internal:
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
92 with open(fname, "r") as f:
101 if "-----BEGIN" in l:
103 return base64.b64decode(cert)
105 def eap_connect(dev, ap, method, identity,
106 sha256=False, expect_failure=False, local_error_report=False,
107 maybe_local_error=False, **kwargs):
108 hapd = hostapd.Hostapd(ap['ifname'])
109 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
110 eap=method, identity=identity,
111 wait_connect=False, scan_freq="2412", ieee80211w="1",
113 eap_check_auth(dev, method, True, sha256=sha256,
114 expect_failure=expect_failure,
115 local_error_report=local_error_report,
116 maybe_local_error=maybe_local_error)
119 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
125 expect_failure=False, local_error_report=False,
126 maybe_local_error=False):
127 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
129 raise Exception("Association and EAP start timed out")
130 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev:
135 if maybe_local_error:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev = dev.wait_disconnected(timeout=10)
145 if maybe_local_error and "locally_generated=1" in ev:
147 if not local_error_report:
148 if "reason=23" not in ev:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
153 raise Exception("EAP success timed out")
156 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
158 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
160 raise Exception("Association with the AP timed out")
161 status = dev.get_status()
162 if status["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method not in status["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e = "WPA2-EAP-SHA256"
172 e = "WPA2/IEEE 802.1X/EAP"
174 e = "WPA/IEEE 802.1X/EAP"
175 if status["key_mgmt"] != e:
176 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on *dev* and validate the outcome.

    Sends REAUTHENTICATE over the control interface, then delegates to
    eap_check_auth() with initial=False and the given options.

    Args:
        dev: wpa_supplicant instance under test.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn, sha256, expect_failure: passed through to eap_check_auth().

    Returns:
        Whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    check_opts = {"rsn": rsn, "sha256": sha256, "expect_failure": expect_failure}
    return eap_check_auth(dev, method, False, **check_opts)
184 def test_ap_wpa2_eap_sim(dev, apdev):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
188 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
189 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
190 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils.test_connectivity(dev[0], hapd)
192 eap_reauth(dev[0], "SIM")
194 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
195 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
197 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger.info("Negative test with incorrect key")
201 dev[0].request("REMOVE_NETWORK all")
202 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
203 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger.info("Invalid GSM-Milenage key")
207 dev[0].request("REMOVE_NETWORK all")
208 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
209 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger.info("Invalid GSM-Milenage key(2)")
213 dev[0].request("REMOVE_NETWORK all")
214 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
215 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger.info("Invalid GSM-Milenage key(3)")
219 dev[0].request("REMOVE_NETWORK all")
220 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
221 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger.info("Invalid GSM-Milenage key(4)")
225 dev[0].request("REMOVE_NETWORK all")
226 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
227 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger.info("Missing key configuration")
231 dev[0].request("REMOVE_NETWORK all")
232 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
243 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
244 params['auth_server_port'] = "1814"
245 hostapd.add_ap(apdev[0]['ifname'], params)
246 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
247 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger.info("SIM fast re-authentication")
250 eap_reauth(dev[0], "SIM")
252 logger.info("SIM full auth with pseudonym")
255 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev[0], "SIM")
258 logger.info("SIM full auth with permanent identity")
261 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev[0], "SIM")
265 logger.info("SIM reauth with mismatching MK")
268 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev[0], "SIM", expect_failure=True)
270 dev[0].request("REMOVE_NETWORK all")
272 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
273 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev[0], "SIM")
280 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger.info("SIM reauth with mismatching counter")
282 eap_reauth(dev[0], "SIM")
283 dev[0].request("REMOVE_NETWORK all")
285 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev, apdev):
294 """EAP-SIM configuration options"""
295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
296 hostapd.add_ap(apdev[0]['ifname'], params)
297 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
298 identity="1232010000000000",
299 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1="sim_min_num_chal=1",
301 wait_connect=False, scan_freq="2412")
302 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
304 raise Exception("No EAP error message seen")
305 dev[0].request("REMOVE_NETWORK all")
307 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
308 identity="1232010000000000",
309 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1="sim_min_num_chal=4",
311 wait_connect=False, scan_freq="2412")
312 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
314 raise Exception("No EAP error message seen (2)")
315 dev[0].request("REMOVE_NETWORK all")
317 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
318 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1="sim_min_num_chal=2")
320 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity="345678")
324 def test_ap_wpa2_eap_sim_ext(dev, apdev):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev, apdev)
329 dev[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
332 check_hlr_auc_gw_support()
333 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
334 hostapd.add_ap(apdev[0]['ifname'], params)
335 dev[0].request("SET external_sim 1")
336 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
337 identity="1232010000000000",
338 wait_connect=False, scan_freq="2412")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
341 raise Exception("Network connected timed out")
343 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid = p[0].split('-')[3]
352 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
357 raise Exception("EAP failure not reported")
358 dev[0].request("DISCONNECT")
359 dev[0].wait_disconnected()
362 dev[0].select_network(id, freq="2412")
363 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid = p[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
375 raise Exception("EAP failure not reported")
376 dev[0].request("DISCONNECT")
377 dev[0].wait_disconnected()
380 dev[0].select_network(id, freq="2412")
381 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid = p[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
393 raise Exception("EAP failure not reported")
394 dev[0].request("DISCONNECT")
395 dev[0].wait_disconnected()
398 dev[0].select_network(id, freq="2412")
399 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid = p[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
411 raise Exception("EAP failure not reported")
412 dev[0].request("DISCONNECT")
413 dev[0].wait_disconnected()
416 dev[0].select_network(id, freq="2412")
417 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid = p[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
429 raise Exception("EAP failure not reported")
430 dev[0].request("DISCONNECT")
431 dev[0].wait_disconnected()
434 dev[0].select_network(id, freq="2412")
435 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid = p[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
447 raise Exception("EAP failure not reported")
448 dev[0].request("DISCONNECT")
449 dev[0].wait_disconnected()
452 dev[0].select_network(id, freq="2412")
453 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid = p[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev, apdev):
468 """EAP-SIM and OOM"""
469 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
470 hostapd.add_ap(apdev[0]['ifname'], params)
471 tests = [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count, func in tests:
484 with alloc_fail(dev[0], count, func):
485 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
486 identity="1232010000000000",
487 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect=False, scan_freq="2412")
489 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
491 raise Exception("EAP method not selected")
492 dev[0].wait_disconnected()
493 dev[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev, apdev):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
499 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
500 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
501 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils.test_connectivity(dev[0], hapd)
503 eap_reauth(dev[0], "AKA")
505 logger.info("Negative test with incorrect key")
506 dev[0].request("REMOVE_NETWORK all")
507 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
508 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger.info("Invalid Milenage key")
512 dev[0].request("REMOVE_NETWORK all")
513 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
514 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger.info("Invalid Milenage key(2)")
518 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
519 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger.info("Invalid Milenage key(3)")
523 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
524 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger.info("Invalid Milenage key(4)")
528 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
529 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger.info("Invalid Milenage key(5)")
533 dev[0].request("REMOVE_NETWORK all")
534 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
535 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger.info("Invalid Milenage key(6)")
539 dev[0].request("REMOVE_NETWORK all")
540 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
541 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger.info("Missing key configuration")
545 dev[0].request("REMOVE_NETWORK all")
546 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 params['auth_server_port'] = "1814"
559 hostapd.add_ap(apdev[0]['ifname'], params)
560 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
561 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger.info("AKA fast re-authentication")
564 eap_reauth(dev[0], "AKA")
566 logger.info("AKA full auth with pseudonym")
569 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev[0], "AKA")
572 logger.info("AKA full auth with permanent identity")
575 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev[0], "AKA")
579 logger.info("AKA reauth with mismatching MK")
582 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev[0], "AKA", expect_failure=True)
584 dev[0].request("REMOVE_NETWORK all")
586 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
587 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev[0], "AKA")
594 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger.info("AKA reauth with mismatching counter")
596 eap_reauth(dev[0], "AKA")
597 dev[0].request("REMOVE_NETWORK all")
599 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
600 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # The option under test is anonymous_identity; the Milenage test key
    # and permanent identity are the same ones the other EAP-AKA tests use.
    eap_connect(sta, apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
615 def test_ap_wpa2_eap_aka_ext(dev, apdev):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev, apdev)
620 dev[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
623 check_hlr_auc_gw_support()
624 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
625 hostapd.add_ap(apdev[0]['ifname'], params)
626 dev[0].request("SET external_sim 1")
627 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
628 identity="0232010000000000",
629 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect=False, scan_freq="2412")
631 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
633 raise Exception("Network connected timed out")
635 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid = p[0].split('-')[3]
644 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
647 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
649 raise Exception("EAP failure not reported")
650 dev[0].request("DISCONNECT")
651 dev[0].wait_disconnected()
653 dev[0].dump_monitor()
655 dev[0].select_network(id, freq="2412")
656 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid = p[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid = p[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
678 raise Exception("EAP failure not reported")
679 dev[0].request("DISCONNECT")
680 dev[0].wait_disconnected()
682 dev[0].dump_monitor()
684 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev[0].select_network(id, freq="2412")
693 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid = p[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
705 raise Exception("EAP failure not reported")
706 dev[0].request("DISCONNECT")
707 dev[0].wait_disconnected()
709 dev[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev, apdev):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
715 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
716 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
717 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils.test_connectivity(dev[0], hapd)
719 eap_reauth(dev[0], "AKA'")
721 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
723 identity="6555444333222111@both",
724 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect=False, scan_freq="2412")
726 dev[1].wait_connected(timeout=15)
728 logger.info("Negative test with incorrect key")
729 dev[0].request("REMOVE_NETWORK all")
730 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
731 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 params['auth_server_port'] = "1814"
744 hostapd.add_ap(apdev[0]['ifname'], params)
745 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
746 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger.info("AKA' fast re-authentication")
749 eap_reauth(dev[0], "AKA'")
751 logger.info("AKA' full auth with pseudonym")
754 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev[0], "AKA'")
757 logger.info("AKA' full auth with permanent identity")
760 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev[0], "AKA'")
764 logger.info("AKA' reauth with mismatching k_aut")
767 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev[0], "AKA'", expect_failure=True)
769 dev[0].request("REMOVE_NETWORK all")
771 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
772 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev[0], "AKA'")
779 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev[0], "AKA'")
782 dev[0].request("REMOVE_NETWORK all")
784 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
785 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The AP must advertise plain WPA-EAP as its first key_mgmt entry.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    sta = dev[0]
    # Outer TLS tunnel anchored to auth_serv/ca.pem, inner method PAP.
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    # 00-0f-ac-1 is the AKM suite selector for IEEE 802.1X (WPA-EAP).
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(sta, expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    sta = dev[0]
    # Both matchers are skipped on builds whose TLS library does not report
    # support, so the test never passes without exercising the checks.
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Server certificate must satisfy both the full subject DN and the
    # listed subjectAltName entries in addition to chaining to ca.pem.
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
823 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
824 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
825 anonymous_identity="ttls", password="wrong",
826 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
828 eap_connect(dev[1], apdev[0], "TTLS", "user",
829 anonymous_identity="ttls", password="password",
830 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    sta = dev[0]
    # CHAP is not run on FIPS builds (presumably because its MD5 challenge
    # hashing is unavailable there; see skip_with_fips).
    skip_with_fips(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Note the DER-encoded CA here (ca.der) rather than the PEM used by the
    # PAP tests, so both certificate file formats get coverage.
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
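def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match"""
    # Docstring doubles as the test description in the hwsim results; it
    # previously duplicated test_ap_wpa2_eap_ttls_chap's and hid what this
    # variant adds (the altsubject_match check).
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Same altsubject entries as the PAP variant but in a different order,
    # presumably to confirm that matching does not depend on list order.
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(sta, "TTLS")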
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    # NOTE(review): the closing `expect_failure=True)` line of both calls was
    # lost in this copy and is restored from the identical sibling tests;
    # confirm against upstream.
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for a valid CHAP account.
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong", **common)
    # Identity that the test server presumably does not accept for CHAP.
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    # MSCHAP needs MD4/DES, which FIPS mode does not provide.
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First connection additionally pins the server certificate's domain suffix.
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **inner)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second connection with a small EAP fragment size to force fragmentation.
    # NOTE(review): the final argument line of this call was lost in this copy;
    # `fragment_size="200"` is restored by analogy with the EAP-PEAP/MSCHAPv2
    # test in this file - confirm against upstream.
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                fragment_size="200", **inner)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # NOTE(review): the closing `expect_failure=True)` line of all three calls
    # was lost in this copy and is restored from the identical sibling tests;
    # confirm against upstream.
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    # Three ways to be rejected: wrong password, an identity presumably not
    # provisioned for MSCHAP, and an identity that does not exist at all.
    attempts = ((dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password"))
    for sta, identity, passwd in attempts:
        eap_connect(sta, ap, "TTLS", identity, password=passwd, **common)
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # "\\m" spells the literal backslash explicitly; same bytes as the
    # unescaped form without relying on the unknown-escape fallback.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    addr = dev[0].p2p_interface_addr()
    before = hapd.get_sta(addr)
    before_eapol = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    after = hapd.get_sta(addr)
    after_eapol = hapd.get_sta(addr, info="eapol")

    # The reauthentication must be visible in the authenticator's dot1x MIB:
    # more EAPOL frames received, at least one EAP-Start seen while already
    # authenticated, and another backend (EAP server) success.
    def counter(table, key):
        return int(table[key])

    if counter(after, 'dot1xAuthEapolFramesRx') <= counter(before, 'dot1xAuthEapolFramesRx'):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if counter(after_eapol, 'authAuthEapStartsWhileAuthenticated') < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if counter(after_eapol, 'backendAuthSuccesses') <= counter(before_eapol, 'backendAuthSuccesses'):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT password hash supplied directly instead of the plaintext password.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
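def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Docstring now names the variant under test, consistent with the
    # "(domain_match)" sibling; it used to duplicate the plain MSCHAPv2 text.
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # A parent-domain suffix ("w1.fi") must be accepted for the test server
    # certificate issued to server.w1.fi.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")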
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # Full-domain constraint on the server certificate; the mixed-case value
    # presumably checks that the comparison is case-insensitive.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    # NOTE(review): the closing `expect_failure=True)` line of both calls was
    # lost in this copy and is restored from the identical sibling tests;
    # confirm against upstream.
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2", expect_failure=True)
    # Near-miss password for a valid account.
    eap_connect(dev[0], ap, "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    # Identity that the test server presumably does not accept for MSCHAPv2.
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    skip_with_fips(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    # Plain-text password containing non-ASCII characters.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Credential supplied as a precomputed NT hash for a second account.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Malformed password_hex values (a lone UTF-8 continuation byte, an
    # invalid multi-byte sequence, and a 257-byte value) must each end in an
    # EAP failure rather than being silently accepted.
    # NOTE(review): the `if ev is None:` guard before the raise was lost in
    # this copy and is restored from the surrounding pattern.
    bad_passwords = ["80", "41c041e04141e041", 257 * "41"]
    for hexpw in bad_passwords:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=hexpw,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        if ev is None:
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" runs a full EAP method (GTC) inside the TTLS tunnel, as
    # opposed to the "auth=" non-EAP inner methods used in the other tests.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A wrong GTC password must be rejected by the server.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a configured password on the server side: any password
    # offered by the client must fail authentication.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
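def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Allocation failure in method init: the server cannot start the inner
    # method, so the client must see a clean EAP failure.
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the GTC request. The exchange would
    # only time out eventually, so do not wait for a connection result - it is
    # enough to confirm the failure trigger fired. wait_fail_trigger() polls
    # GET_ALLOC_FAIL until it reports 0 and raises if it never does; this
    # replaces the original open-coded polling loop, which gave up silently.
    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")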
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip rather than fail if absent.
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner EAP method; acceptable here only because it runs
    # inside the TLS tunnel.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password must produce an EAP failure.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-side account without a password: authentication must fail.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
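def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    check_eap_capa(dev[0], "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Allocation failure in method init: the server cannot start the inner
    # method, so the client must see a clean EAP failure.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the MD5 challenge. The exchange would
    # only time out eventually, so do not wait for a connection result - it is
    # enough to confirm the failure trigger fired. wait_fail_trigger() polls
    # GET_ALLOC_FAIL until it reports 0 and raises if it never does; this
    # replaces the original open-coded polling loop, which gave up silently.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        wait_fail_trigger(hapd, "GET_ALLOC_FAIL")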
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    # Positive case: full EAP-MSCHAPv2 inside the TTLS tunnel, then reauth.
    eap_connect(sta, ap, "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server-side account without a password: authentication must fail.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
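def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Allocation failure in method init: the inner method never starts and the
    # client must see a clean EAP failure.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failures while the server builds its challenge, success and
    # failure requests. Each exchange would only time out eventually, so do not
    # wait for a connection result - only for the trigger to fire.
    # wait_fail_trigger() polls GET_ALLOC_FAIL until it reports 0 and raises if
    # it never does; this replaces the original open-coded polling loops, which
    # gave up silently. The failure-request case needs a wrong password so the
    # server actually reaches that code path.
    cases = [("eap_mschapv2_build_challenge", "password"),
             ("eap_mschapv2_build_success_req", "password"),
             ("eap_mschapv2_build_failure_req", "wrong")]
    for func, passwd in cases:
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=passwd,
                           ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")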
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "password" holds the simulated USIM's Milenage parameters
    # (presumably Ki:OPc:SQN); anonymous_identity is the outer tunnel identity.
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated-USIM credentials as the TTLS variant, tunneled in PEAP.
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 allows authenticated PAC provisioning; the PAC is
    # kept in a named config blob rather than a file.
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(sta, ap, "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # Small EAP fragment size forces fragmentation of the TLS records.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **base)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # NT password hash supplied instead of the plaintext password.
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **base)
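def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity in DOMAIN\user form. The backslash is written as "\\": the
    # original "\user3" spelling is an invalid \u escape and a SyntaxError on
    # Python 3, while on Python 2 both spellings produce the same bytes.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")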
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password must produce an EAP failure.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # crypto_binding: 2 = required, 1 = optional, 0 = do not use. Binding the
    # inner method result to the outer TLS tunnel is what protects PEAP from
    # an attacker relaying the inner exchange through a different tunnel; all
    # three client settings must interoperate with this server.
    def connect_with_binding(sta, binding):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect_with_binding(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect_with_binding(dev[1], "1")
    connect_with_binding(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Server fails to derive the inner-method key needed for crypto binding.
    # local_error_report=True: the failure is presumably detected on the client
    # side (binding validation) rather than announced by the server.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): three lines were lost in this copy and are restored from
    # the surrounding pattern: `identity="user",` in the final connect() call,
    # and the `if ev is None:` / `if ev is not None:` guards before the two
    # raises. Confirm against upstream.
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # peaplabel=1 selects a different key derivation label than the server
    # uses, so this attempt is expected to fail.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success modes must still lead to a connection.
    for sta, mode in ((dev[1], "1"), (dev[2], "2")):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=" + mode,
                    phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP reports success, but presumably the derived
    # keys do not match the server's, so the connection must not complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters configure the inner (phase 2) EAP-TLS: client
    # certificate authentication happens inside the PEAP tunnel.
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: CA for the server, cert + key for
    # the client.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS#8 private key; the passphrase is supplied in the config.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8",
                private_key_passwd="whatever")
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Legacy PKCS#5 v1.5 key encryption; the passphrase is supplied in the config.
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                private_key_passwd="whatever")
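def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Load the CA cert, client cert and private key into named config blobs
    # instead of referencing files, then point the network at blob:// URIs.
    # (.encode("hex") is the Python 2 str API used throughout this file.)
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Fixed: a userkey failure used to be reported as "cacert".
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")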
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # NOTE(review): three lines were lost in this copy and are restored from
    # the surrounding pattern: the `if ev is None:` guard before the passphrase
    # timeout raise, the `for _ in range(2):` implied by "Run this twice", and
    # `private_key=pkcs12,` in that loop body. Confirm against upstream.
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PKCS#12 bundle with the passphrase given in the configuration.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # Same bundle without a configured passphrase: wpa_supplicant must request
    # it over the control interface and accept the CTRL-RSP answer.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request reads "CTRL-REQ-PASSPHRASE-<id>:..."; extract <id>.
    netid = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + netid + ":whatever")
    sta.wait_connected(timeout=10)
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        for _ in range(2):
            eap_connect(sta, ap, "TLS", "tls user",
                        ca_cert="auth_serv/ca.pem",
                        private_key=pkcs12,
                        private_key_passwd="whatever")
            sta.request("REMOVE_NETWORK all")
            sta.wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # .encode("hex") is the Python 2 str API used throughout this file.
        if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle is binary, so it is read raw rather than via read_pem().
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
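def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    # The supplicant is configured with a CA that did not issue the server
    # certificate, once as a config blob and once as a file. In both cases the
    # TLS handshake must fail with a certificate error, EAP must fail, the
    # station must disconnect, and the network block must be temporarily
    # disabled - the client never completes authentication to an untrusted
    # server.
    # Fixed: the event loop variable used to be named `dev`, shadowing the
    # `dev` parameter (and leaving it rebound to dev[1] after the loop).
    # NOTE(review): the `if ev is None:` guards were lost in this copy and are
    # restored from the surrounding pattern; confirm against upstream.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The first result event must be the certificate error, not a success.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")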
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    # Connect with the correct CA, then switch to a second network block that
    # trusts a different (incorrect) CA. EAP-TTLS must be started again and
    # the association dropped with reason 23 (IEEE 802.1X authentication
    # failed) instead of reusing the earlier trust decision.
    # NOTE(review): the `if ev is None:` guard before the "not re-started"
    # raise was lost in this copy and is restored from the surrounding pattern.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")
    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **creds)
    netid = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(netid, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
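def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (no ca_cert in first network)"""
    # Docstring now distinguishes this variant from test_ap_wpa2_eap_tls_diff_ca_trust,
    # which configures the correct CA first - the two used to read identically.
    # The first connection sets no ca_cert, so the server certificate is not
    # validated at all. Switching to a network block that trusts an incorrect
    # CA must still re-run EAP-TTLS and fail with reason 23 (IEEE 802.1X
    # authentication failed) rather than carry over the earlier session.
    # NOTE(review): the `if ev is None:` guard before the "not re-started"
    # raise was lost in this copy and is restored from the surrounding pattern.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS",
                 identity="pap user", anonymous_identity="ttls",
                 password="password", phase2="auth=PAP", scan_freq="2412")
    sta.connect("test-wpa2-eap", wait_connect=True, **creds)
    netid = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(netid, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")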
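def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust (ca_cert changed in place)"""
    # Docstring now distinguishes this variant from test_ap_wpa2_eap_tls_diff_ca_trust,
    # which uses a second network block - the two used to read identically.
    # Here the single network block is reconfigured to trust an incorrect CA
    # after a successful connection. Re-selecting it must re-run EAP-TTLS and
    # fail with reason 23 (IEEE 802.1X authentication failed) rather than
    # reuse the earlier trust decision.
    # NOTE(review): the `if ev is None:` guard before the "not re-started"
    # raise was lost in this copy and is restored from the surrounding pattern.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(netid, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(netid, freq="2412")

    # EAP method type 21 is EAP-TTLS.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")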
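def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The profile trusts the correct CA but sets domain_suffix_match to a
    suffix the server certificate does not carry.  A valid chain alone must
    not be enough: the handshake has to be rejected with a "Domain suffix
    mismatch" certificate error, EAP must fail, the STA must disconnect and
    the network block must be temporarily disabled.

    Raises Exception on any timeout or if one of those steps is missing.
    """
    check_domain_suffix_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Any outcome other than a certificate error here means the bogus
    # suffix was accepted, or the failure was reported for another reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The profile must be taken out of rotation rather than retried forever.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")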
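def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Like the suffix-mismatch test, but with the exact-match variant
    domain_match="w1.fi".  The server certificate is issued by the trusted
    CA, yet it does not name exactly "w1.fi", so wpa_supplicant must report
    a "Domain mismatch" certificate error, fail EAP, disconnect and
    temporarily disable the network block.

    Raises Exception on any timeout or if one of those steps is missing.
    """
    check_domain_match(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first terminal event must be the certificate error, not a
    # success/connect (which would mean the name check was bypassed).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")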
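def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match is set to a DN ("/C=FI/O=w1.fi/CN=example.com") that the
    server certificate does not have.  With OpenSSL the handshake must be
    rejected with a "Subject mismatch" certificate error followed by EAP
    failure, disconnection and temporary disabling of the network block.
    With a TLS library that does not implement subject_match, wpa_supplicant
    must refuse to initialize the method at all ("EAP: Failed to initialize
    EAP method") -- failing closed is the acceptable outcome, silently
    ignoring the constraint is not.

    Raises Exception on any timeout, if OpenSSL fails to initialize the
    method, or if any of the expected failure steps is missing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only a non-OpenSSL build is allowed to reject the parameter
        # outright; OpenSSL is expected to support subject_match.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")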
1754 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1755 """WPA2-Enterprise negative test - altsubject mismatch"""
1756 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1757 hostapd.add_ap(apdev[0]['ifname'], params)
1759 tests = [ "incorrect.example.com",
1760 "DNS:incorrect.example.com",
1764 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
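def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against an already started AP.

    Connects with EAP-TTLS/MSCHAPv2 trusting the correct CA but requiring
    subjectAltName value ``match``, which the server certificate is expected
    not to carry.  With OpenSSL the handshake must fail with an "AltSubject
    mismatch" certificate error, then EAP failure, disconnection and a
    temporarily disabled network block.  A TLS library that does not
    implement altsubject_match must refuse to initialize the method (fail
    closed); that outcome is accepted for non-OpenSSL builds only.

    The network block is removed at the end so the caller can loop over
    several ``match`` values.

    Args:
        dev: list of WpaSupplicant instances; dev[0] is used.
        apdev: AP device list (unused here, the AP is set up by the caller).
        match: altsubject_match value to configure.

    Raises Exception on any timeout or missing failure step.
    """
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return

    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")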
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Brings up an AP, connects dev[0] with the UNAUTH-TLS method using
    identity "unauth-tls" and the trusted CA auth_serv/ca.pem, and then
    verifies that re-authentication with the same method succeeds.
    (Presumably only the server side is certificate-authenticated here --
    no client certificate is configured -- which is why ca_cert is the only
    credential passed; confirm against eap_connect.)
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
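def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Exercises certificate pinning via ca_cert="hash://server/sha256/<hex>"
    in three steps:

    1. ca_cert="probe://" -- the server certificate chain is only probed:
       the depth=0 CTRL-EVENT-EAP-PEER-CERT event must carry the expected
       SHA-256 hash and the attempt must end in a "Server certificate chain
       probe" certificate error (no connection is established).
    2. A pin to a different SHA-256 value must be rejected with a "Server
       certificate mismatch" certificate error.
    3. A pin to the probed hash must connect.

    Note that a hash pin replaces CA trust entirely: only the exact
    certificate with that hash is accepted, so the pinned value must be
    obtained out of band (or via the probe above) and rotated with the
    server certificate.

    Raises Exception on any timeout or unexpected event.
    """
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Step 1: probe only.  The identity is irrelevant, the probe aborts the
    # handshake once the server certificate has been reported.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin to the wrong hash -> must be refused.
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin to the probed hash -> must connect.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")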
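def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Malformed hash:// pins must make EAP-TTLS fail to initialize instead of
    being accepted, ignored or partially matched.  Three stations try, in
    parallel, a pin that is
      - dev[0]: an unsupported digest ("md5" -- only sha256 is valid),
      - dev[1]: a sha256 value that is too short (62 hex digits),
      - dev[2]: a sha256 value with a non-hex character ("Q").
    Each must report "EAP: Failed to initialize EAP method: vendor 0 method
    21 (TTLS)" after EAP starts.

    Raises Exception if any station does not start EAP or does not report
    the initialization failure.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")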
1907 def test_ap_wpa2_eap_pwd(dev, apdev):
1908 """WPA2-Enterprise connection using EAP-pwd"""
1909 check_eap_capa(dev[0], "PWD")
1910 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1911 hostapd.add_ap(apdev[0]['ifname'], params)
1912 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1913 eap_reauth(dev[0], "PWD")
1914 dev[0].request("REMOVE_NETWORK all")
1916 eap_connect(dev[1], apdev[0], "PWD",
1917 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1918 password="secret password",
1921 logger.info("Negative test with incorrect password")
1922 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1923 expect_failure=True, local_error_report=True)
1925 eap_connect(dev[0], apdev[0], "PWD",
1926 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1927 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash

    Three stations authenticate with EAP-pwd against the same AP:
      - dev[0]: user "pwd-hash" with the plaintext password,
      - dev[1]: user "pwd-hash" with the password given as a pre-computed
        hash ("hash:<hex>" via password_hex) -- must succeed as well,
      - dev[2]: that same hash for user "pwd user" -- must fail, since the
        stored credential for that user is different.
    Skipped under FIPS (skip_with_fips); presumably because the NT hash
    digest is not available in FIPS mode -- verify against the helper.
    """
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash",
                password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
                password_hex=nt_hash)
    # Same hash, wrong user: must be rejected (error reported locally).
    eap_connect(dev[2], apdev[0], "PWD", "pwd user",
                password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
1943 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1944 """WPA2-Enterprise connection using various EAP-pwd groups"""
1945 check_eap_capa(dev[0], "PWD")
1946 tls = dev[0].request("GET tls_library")
1947 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1948 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1949 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1950 groups = [ 19, 20, 21, 25, 26 ]
1951 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
1952 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1953 groups += [ 27, 28, 29, 30 ]
1955 logger.info("Group %d" % i)
1956 params['pwd_group'] = str(i)
1957 hostapd.add_ap(apdev[0]['ifname'], params)
1959 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
1960 password="secret password")
1961 dev[0].request("REMOVE_NETWORK all")
1962 dev[0].wait_disconnected()
1963 dev[0].dump_monitor()
1965 if "BoringSSL" in tls and i in [ 25 ]:
1966 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
1967 dev[0].request("DISCONNECT")
1969 dev[0].request("REMOVE_NETWORK all")
1970 dev[0].dump_monitor()
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    Configures the hostapd EAP server with pwd_group=0, which is not a
    usable group, and checks that a station trying EAP-pwd gets an
    explicit CTRL-EVENT-EAP-FAILURE instead of a connection.

    Raises Exception if no EAP failure is reported (default wait timeout).
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "pwd_group": "0",   # deliberately invalid
    }
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
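def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The hostapd EAP server is configured with fragment_size=40 so that the
    EAP-pwd exchange (group 19) has to be fragmented on the server side;
    the station must still complete authentication.

    The original code first built params with hostapd.wpa2_eap_params() and
    then immediately overwrote them with the explicit dict below; the dead
    first assignment is removed here (behaviour unchanged).
    """
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")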
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Connects and re-authenticates with EAP-GPSK, then, on the same network
    block, forces the cipher suite via phase1 ("cipher=1", "cipher=2") and
    expects EAP success plus connection each time; "cipher=9" must instead
    end in EAP failure.  Finally a wrong PSK (first byte changed) must be
    rejected.

    Raises Exception on any timeout.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher in ("cipher=1", "cipher=2"):
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects and re-authenticates with EAP-SAKE using a 32-byte hex key,
    then verifies that a key differing only in its first byte is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Connects and re-authenticates with EAP-EKE, then forces several
    DH-group/encryption/PRF/MAC combinations through phase1 on the same
    network block and expects EAP success and a connection for each.  An
    all-invalid combination ("dhgroup=9 encr=9 prf=9 mac=9") must end in
    EAP failure, and a wrong password ("hello1") must be rejected.

    Raises Exception on any timeout.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = eap_connect(sta, apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    forced = ("dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1")
    for phase1 in forced:
        sta.set_network_quoted(net_id, "phase1", phase1)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI

    Uses the internal EAP server parameters with server_id set to an
    NAI-form identity ("example.server@w1.fi") and checks that an EAP-EKE
    connection still succeeds.
    """
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2078 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2079 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2080 params = int_eap_server_params()
2081 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2082 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
2084 for count,func in [ (1, "eap_eke_build_commit"),
2085 (2, "eap_eke_build_commit"),
2086 (3, "eap_eke_build_commit"),
2087 (1, "eap_eke_build_confirm"),
2088 (2, "eap_eke_build_confirm"),
2089 (1, "eap_eke_process_commit"),
2090 (2, "eap_eke_process_commit"),
2091 (1, "eap_eke_process_confirm"),
2092 (1, "eap_eke_process_identity"),
2093 (2, "eap_eke_process_identity"),
2094 (3, "eap_eke_process_identity"),
2095 (4, "eap_eke_process_identity") ]:
2096 with alloc_fail(hapd, count, func):
2097 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2098 expect_failure=True)
2099 dev[0].request("REMOVE_NETWORK all")
2101 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2102 (1, "eap_eke_get_session_id", "hello"),
2103 (1, "eap_eke_getKey", "hello"),
2104 (1, "eap_eke_build_msg", "hello"),
2105 (1, "eap_eke_build_failure", "wrong"),
2106 (1, "eap_eke_build_identity", "hello"),
2107 (2, "eap_eke_build_identity", "hello") ]:
2108 with alloc_fail(hapd, count, func):
2109 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2110 eap="EKE", identity="eke user", password=pw,
2111 wait_connect=False, scan_freq="2412")
2112 # This would eventually time out, but we can stop after having
2113 # reached the allocation failure.
2116 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2118 dev[0].request("REMOVE_NETWORK all")
2120 for count in range(1, 1000):
2122 with alloc_fail(hapd, count, "eap_server_sm_step"):
2123 dev[0].connect("test-wpa2-eap",
2124 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2125 eap="EKE", identity="eke user", password=pw,
2126 wait_connect=False, scan_freq="2412")
2127 # This would eventually time out, but we can stop after having
2128 # reached the allocation failure.
2131 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2133 dev[0].request("REMOVE_NETWORK all")
2134 except Exception, e:
2135 if str(e) == "Allocation failure did not trigger":
2137 raise Exception("Too few allocation failures")
2138 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects and re-authenticates with EAP-IKEv2, reconnects with a small
    station-side fragment_size (50) to exercise fragmentation, and finally
    checks that a wrong password ("ike-password") is rejected.
    """
    check_eap_capa(dev[0], "IKEV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
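def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The hostapd EAP server is configured with fragment_size=50 so that the
    EAP-IKEv2 exchange is fragmented on the server side; the station must
    still connect and re-authenticate.

    The original code first built params with hostapd.wpa2_eap_params() and
    then immediately overwrote them with the explicit dict below; the dead
    first assignment is removed here (behaviour unchanged).
    """
    check_eap_capa(dev[0], "IKEV2")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")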
2172 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2173 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2174 check_eap_capa(dev[0], "IKEV2")
2175 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2176 hostapd.add_ap(apdev[0]['ifname'], params)
2178 tests = [ (1, "dh_init"),
2180 (1, "dh_derive_shared") ]
2181 for count, func in tests:
2182 with alloc_fail(dev[0], count, func):
2183 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2184 identity="ikev2 user", password="ike password",
2185 wait_connect=False, scan_freq="2412")
2186 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2188 raise Exception("EAP method not selected")
2190 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2193 dev[0].request("REMOVE_NETWORK all")
2195 tests = [ (1, "os_get_random;dh_init") ]
2196 for count, func in tests:
2197 with fail_test(dev[0], count, func):
2198 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2199 identity="ikev2 user", password="ike password",
2200 wait_connect=False, scan_freq="2412")
2201 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2203 raise Exception("EAP method not selected")
2205 if "0:" in dev[0].request("GET_FAIL"):
2208 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects and re-authenticates with EAP-PAX using a 16-byte hex key,
    then verifies that a key differing only in its first byte is rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"

    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for the WPA-EAP-SHA256 AKM with management frame
    protection required (ieee80211w=2).  The station connects and
    re-authenticates with EAP-PSK using sha256=True, and the test checks
    that the SHA-256 AKM (suite 00-0f-ac-5) was both requested and selected
    and that the BSS table shows the AP as [WPA2-EAP-SHA256-CCMP].  A key
    differing in its first byte must then be rejected.

    Raises Exception if the BSS flags are missing or unexpected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)

    sha256_akm = "00-0f-ac-5"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                     ("dot11RSNAAuthenticationSuiteSelected", sha256_akm) ])

    bss = sta.get_bss(apdev[0]['bssid'])
    flags = bss.get('flags')
    if flags is None:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex=bad_key, sha256=True,
                expect_failure=True)
2248 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2249 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2250 skip_with_fips(dev[0])
2251 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2252 hostapd.add_ap(apdev[0]['ifname'], params)
2253 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2254 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2255 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2256 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2257 (1, "=aes_128_eax_encrypt"),
2258 (1, "omac1_aes_vector"),
2259 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2260 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2261 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2262 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2263 (1, "=aes_128_eax_decrypt") ]
2264 for count, func in tests:
2265 with alloc_fail(dev[0], count, func):
2266 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2267 identity="psk.user@example.com",
2268 password_hex="0123456789abcdef0123456789abcdef",
2269 wait_connect=False, scan_freq="2412")
2270 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2272 raise Exception("EAP method not selected")
2274 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2277 dev[0].request("REMOVE_NETWORK all")
2279 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2280 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2281 identity="psk.user@example.com",
2282 password_hex="0123456789abcdef0123456789abcdef",
2283 wait_connect=False, scan_freq="2412")
2284 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2286 raise Exception("EAP method failure not reported")
2287 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses a WPA (not WPA2/RSN) enterprise AP.  After connecting with
    PEAP/EAP-MSCHAPv2 and the trusted CA, the test checks data
    connectivity, re-authentication, that the WPA 802.1X AKM (suite
    00-50-f2-1) was requested and selected, and that STATUS-VERBOSE reports
    portControl=Auto and an eap_session_id starting with "19" (presumably
    the PEAP EAP type code, 0x19 -- confirm against the Session-Id format).

    Raises Exception if a STATUS-VERBOSE field is missing or unexpected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta = dev[0]
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP", rsn=False)

    wpa_8021x_akm = "00-50-f2-1"
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", wpa_8021x_akm),
                     ("dot11RSNAAuthenticationSuiteSelected", wpa_8021x_akm) ])

    status = sta.get_status(extra="VERBOSE")
    for field in ('portControl', 'eap_session_id'):
        if field not in status:
            raise Exception(field + " missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
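def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Runs a series of TTLS and PEAP profiles that omit the password (and in
    one case the identity) from the network block.  wpa_supplicant must ask
    for the missing credential over the control interface
    (CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD or CTRL-REQ-OTP); the test
    answers with the matching CTRL-RSP-* message, using the request id
    parsed from the event, and expects the connection to complete.

    Each tests entry is (description, eap, anonymous_identity, identity,
    phase2, identity-to-supply-or-None, password-to-supply).

    Raises Exception if a credential request does not arrive.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # "\\m" rather than "\m": the latter is an invalid escape sequence (a
    # SyntaxWarning on newer Python); the resulting identity is unchanged.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        # Only profiles without an identity trigger an identity request.
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # Event format is "CTRL-REQ-IDENTITY-<id>:..."; echo <id> back.
            rid = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        rid = ev.split(':')[0].split('-')[-1]
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + rid + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")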
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK

    Adds a second open network ("other") without selecting it, connects to
    the EAP network by answering the CTRL-REQ-IDENTITY prompt, then enables
    the other network and checks that wpa_supplicant does not start a new
    authentication ("SME: Trying to authenticate" within 1 s) while the
    current connection is still up.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # only_add_network=True: the profile is created but not selected.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)
    req_id = "DOMAIN\mschapv2 user"
    # identity=None leaves the identity unset so the supplicant must ask for it.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): the listing drops the guard lines before the two raises in
    # this function (presumably an `ev is None` / `ev is not None` check).
    raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects dev[0] with the VENDOR-TEST method, forces a reauthentication,
    then starts a second station (dev[1]) with the same method.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the listing cuts this call short; the remaining keyword
    # arguments (and therefore whether dev[1] is expected to succeed) are not
    # visible here.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    Phase 0 runs with fast_provisioning=1 (unauthenticated PAC provisioning),
    so the PAC is obtained during the first connection; the test then forces a
    reauthentication and requires the TLS session to be resumed through the
    PAC ticket (tls_session_reused == '1'), proving the PAC was stored and used.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text PAC file under the log directory, checks the
    file header and that a PAC-Key entry was written, reconnects with the
    stored PAC, then repeats the exercise on dev[1] with
    fast_pac_format=binary. Note that the PAC-Key is the secret that later
    authenticates the client, so the PAC files written here are sensitive.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops a number of lines in this function
    # (among them the read of the PAC file into `data`, the tail of two
    # eap_connect calls and the cleanup of pac_file), so only the visible
    # assertions are documented.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions a PAC (fast_provisioning=1) into a binary-format PAC blob with
    the PAC list capped at one entry, then forces a reauthentication and
    requires the TLS session to be resumed via the PAC ticket.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    phase1_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1_opts,
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Neither attempt gives a phase1 fast_provisioning option: the first names
    a PAC blob that has never been provisioned, the second names no PAC at
    all. Both are expected to end in CTRL-EVENT-EAP-FAILURE rather than in a
    connection.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the guard lines before the two timeout
    # raises below (presumably `if ev is None:`).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Phase 0 runs with fast_provisioning=2 (authenticated provisioning, the
    server certificate is validated against ca.pem during provisioning). After
    a connectivity check the test forces a reauthentication and requires the
    TLS session to be resumed through the PAC ticket.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    eap_connect(sta, apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection as "user", the
    network's identity is switched to "user2". The supplicant is expected to
    drop the connection, start EAP-FAST again (CTRL-EVENT-EAP-METHOD within
    15 s) and then report CTRL-EVENT-EAP-FAILURE within 5 s, i.e. the PAC
    provisioned for the old identity must not silently authenticate the new
    one.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    # NOTE(review): the listing drops the guard lines before the two raises
    # below (presumably `if ev is None:`).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Injects an allocation failure into the TLS PRF used by EAP-FAST key
    derivation (the function name depends on the TLS library in the build)
    and requires the supplicant to report CTRL-EVENT-EAP-FAILURE within 15 s
    instead of completing the connection.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    # NOTE(review): the listing drops the `count = ...` assignments of this
    # if/elif chain and its `else:` line, so `count` used in alloc_fail()
    # below is not visible here.
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], count, func):
        # NOTE(review): one keyword line of this call (the phase2 option) is
        # missing from the listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # (guard line before this raise is missing from the listing)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Runs hostapd's integrated EAP server with EAP-FAST enabled and injects an
    allocation failure into its session-ticket extension callback; the
    provisioning attempt must then fail (CTRL-EVENT-EAP-FAILURE within 10 s)
    and the station disconnect. The network is selected again afterwards.
    """
    check_eap_capa(dev[0], "FAST")
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # pac_opaque_encr_key protects the PAC-Opaque the server hands out; a
    # fixed value is fine for this test setup only.
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the listing drops the guard line before this raise
        # (presumably `if ev is None:`) and a line between DISCONNECT and
        # select_network() below.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Client authenticates with a PKCS#12 bundle and sets ocsp=2, i.e. the
    server must staple a valid OCSP response or the connection fails; the
    test expects the connection to succeed.
    """
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(ca_cert="auth_serv/ca.pem",
                      private_key="auth_serv/user.pkcs12",
                      private_key_passwd="whatever", ocsp=2)
    eap_connect(sta, apdev[0], "TLS", "tls user", **client_cfg)
def int_eap_server_params():
    """Return hostapd parameters for the integrated EAP server.

    The AP is WPA2-Enterprise (WPA-EAP, CCMP) with hostapd's own EAP server
    enabled, users from auth_serv/eap_user.conf and the test CA/server
    credentials. Callers typically override individual keys (server_cert,
    private_key, dh_file, ocsp_stapling_response, ...) before add_ap().
    NOTE(review): the `return params` line is missing from this listing; the
    callers in this file assign the result, so the function does return it.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key" }
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    Staples a pre-generated OCSP response (from the log directory) whose
    responder is identified by key ID, and connects with ocsp=2 (stapled
    response required). Skipped when the response file is not available.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this call is missing from the
    # listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    Staples a CA-signed OCSP response with status "good" and connects with
    ocsp=2 (stapled response required). Skipped when the response file is
    not available.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this call is missing from the
    # listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    Staples a CA-signed OCSP response with status "revoked" and connects with
    ocsp=2. The supplicant must report the bad status via
    CTRL-EVENT-EAP-STATUS ("bad certificate status response" /
    "certificate revoked") and then fail with CTRL-EVENT-EAP-FAILURE; it must
    not connect.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below, so the
    # remaining statements appear out of context.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)

    Staples a CA-signed OCSP response with status "unknown" and connects with
    ocsp=2. With a stapled response required, "unknown" is treated as a bad
    status: the supplicant must report it via CTRL-EVENT-EAP-STATUS and end
    in CTRL-EVENT-EAP-FAILURE.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response

    Staples an OCSP response signed by the server certificate itself rather
    than by the CA or an authorised responder. With ocsp=2 the supplicant
    must reject it ("bad certificate status response" in
    CTRL-EVENT-EAP-STATUS) and fail the authentication.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    The server is configured to staple an OCSP *request* file in place of a
    response, i.e. syntactically wrong data. With ocsp=2 the supplicant must
    report a bad certificate status response and fail the authentication.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The stapled file is a corrupted copy of a cached OCSP response. With
    ocsp=2 the supplicant must report a bad certificate status response and
    fail the authentication instead of connecting.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    The stapled response is signed by a key the client does not trust for
    OCSP. With ocsp=2 the supplicant must treat it as a bad certificate
    status response and fail the authentication — a response from an
    unauthorised signer must never be accepted as proof of "good" status.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Same as the EAP-TLS revoked case but with a password-based inner method
    (TTLS/PAP), showing that the stapled "revoked" status aborts the TLS
    tunnel before any inner credentials are sent: the supplicant must report
    "bad certificate status response" / "certificate revoked" and fail.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    (The original docstring said "revoked"; the stapled file here carries
    status "unknown".) With ocsp=2 an unknown status is not good enough: the
    supplicant must report a bad certificate status response and fail.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # `params` is rebound from the harness dict to the AP configuration here.
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the listing drops the loop header, counter bookkeeping
    # and `if ev is None:` guards around the status handling below.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown with ocsp=1 (request a
    stapled response but do not require a good one): the same "unknown"
    status that makes the ocsp=2 variant fail must not block the connection
    here, so connect() is expected to complete. No OCSP capability check is
    done since the option is only advisory.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="pap user", ca_cert="auth_serv/ca.pem",
                      anonymous_identity="ttls", password="password",
                      phase2="auth=PAP", ocsp=1, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **client_cfg)
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so the domain_suffix_match
    check has to fall back to the subject CN; here the configured value is
    the full name "server3.w1.fi". Skipped on TLS libraries that do not
    support the full CN match (check_domain_match_full).
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this call is missing from the
    # listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    The server certificate has no dNSName SAN, so domain_match (exact name
    match) is evaluated against the subject CN "server3.w1.fi".
    """
    check_domain_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this call is missing from the
    # listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    Like the _full variant, but the configured suffix "w1.fi" is a parent
    domain of the CN "server3.w1.fi", exercising the suffix (not exact)
    semantics of domain_suffix_match against the CN. Note this variant runs
    on dev[1] while the capability check is done on dev[0].
    """
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the last argument line of this call is missing from the
    # listing.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two negative cases against a certificate whose CN is "server3.w1.fi":
    dev[0] requires the unrelated suffix "example.com"; dev[1] requires
    "erver3.w1.fi", which is a plain substring suffix of the CN but not a
    label-aligned one. Both must end in CTRL-EVENT-EAP-FAILURE — the second
    case is what prevents "evil-w1.fi"-style names from satisfying a suffix
    check.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the closing argument line of both
    # connect() calls and the `if ev is None:` guards before the raises.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    Two negative cases for domain_match (exact match) against CN
    "server3.w1.fi": dev[0] requires "example.com"; dev[1] requires the
    parent domain "w1.fi", which a suffix match would accept but an exact
    match must not. Both must end in CTRL-EVENT-EAP-FAILURE.
    """
    check_domain_match(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the closing argument line of both
    # connect() calls and the `if ev is None:` guards before the raises.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The supplicant must emit
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and the text
    "certificate has expired", and then CTRL-EVENT-EAP-FAILURE; the TTLS
    tunnel must not be completed, so the MSCHAP credentials are never sent.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the closing argument line of this
    # connect() call and the `if ev is None:` guards before the raises.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the network profile sets phase1="tls_disable_time_checks=1", an
    explicit opt-out of validity-period checking. The test only verifies
    that this opt-out takes effect; it does not make the certificate valid.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing argument line(s) of this call are missing
    # from the listing, so the expected outcome is not visible here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration

    The server certificate has an unusually long validity period; the test
    checks that the TLS library still handles its notAfter date.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing argument line of this call is missing from
    # the listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only the clientAuth extended key usage.
    A certificate not authorised for serverAuth must be rejected as a TLS
    server certificate, so the test expects CTRL-EVENT-EAP-FAILURE.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the closing argument line of this
    # connect() call and the `if ev is None:` guard before the raise.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    Counterpart of the client-EKU-only test: the certificate lists both
    clientAuth and serverAuth, so serverAuth is present and the certificate
    is usable for the TLS server role.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing argument line of this call is missing from
    # the listing, so the expected outcome is not visible here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server's certificate and private key are loaded from one PKCS#12
    container given as private_key, so the separate server_cert entry is
    removed from the configuration.
    """
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing argument line of this call is missing from
    # the listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params

    The client profile supplies its own DH parameters file (dh_file) for the
    TLS handshake; the inner method is PAP (the original docstring said CHAP).
    Note the CA is given in DER form (ca.der) here.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                      dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)

    Same as test_ap_wpa2_eap_ttls_dh_params but the dh_file holds DSA
    parameters (dsaparam.pem); skipped when the build cannot use them
    (check_dh_dsa_support).
    """
    sta = dev[0]
    check_dh_dsa_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                      dh_file="auth_serv/dsaparam.pem")
    eap_connect(sta, apdev[0], "TTLS", "pap user", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found

    Client-side negative case: the profile points dh_file at a file that
    does not exist, so the TLS setup must fail and CTRL-EVENT-EAP-FAILURE is
    expected. NOTE(review): this name is defined a second time later in the
    file (the server-side "dhparams file not found" case); the later
    definition shadows this one at module level, so this client-side test is
    not collected by name and effectively never runs.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the `if ev is None:` guard before this raise is missing
    # from the listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file

    Client-side negative case: dh_file points at a CA certificate rather
    than DH parameters, so loading it must fail and CTRL-EVENT-EAP-FAILURE
    is expected. NOTE(review): this name is defined a second time later in
    the file (the server-side "invalid dhparams file" case); the later
    definition shadows this one, so this client-side test effectively never
    runs.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the `if ev is None:` guard before this raise is missing
    # from the listing.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
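def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob

    The DER-decoded DH parameters are pushed into wpa_supplicant as a named
    blob over the control interface and referenced with
    dh_file="blob://dhparams", so no file path is needed on the supplicant
    side. The inner method is PAP (the original docstring said CHAP).
    """
    import binascii  # local: the file's import block is outside this view

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dh = read_pem("auth_serv/dh2.conf")
    # str.encode("hex") is a Python 2-only codec (LookupError on Python 3);
    # binascii.hexlify() yields the same hex text on both.
    dh_hex = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")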
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams

    The integrated EAP server is given a different DH parameters file
    (dh2.conf); the client connects with TTLS/PAP and default client-side
    TLS settings.
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)

    Like test_ap_wpa2_eap_ttls_dh_params_server, but the server's dh_file
    holds DSA parameters (dsaparam.pem).
    """
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_cfg)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP server and dhparams file not found

    A dh_file pointing at a non-existent path must make the hostapd
    integrated EAP server refuse to come up. The AP is added with
    no_enable=True so the configuration error is observed on the explicit
    ENABLE request.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)

    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP server and invalid dhparams file

    auth_serv/ca.pem is a certificate, not DH parameters; feeding it to
    dh_file must be rejected when the AP is enabled rather than silently
    falling back to some other group.
    """
    server_params = int_eap_server_params()
    server_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params, no_enable=True)

    reply = hapd.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("Invalid configuration accepted")
3151 def test_ap_wpa2_eap_reauth(dev, apdev):
3152 """WPA2-Enterprise and Authenticator forcing reauthentication"""
3153 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3154 params['eap_reauth_period'] = '2'
3155 hostapd.add_ap(apdev[0]['ifname'], params)
3156 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
3157 password_hex="0123456789abcdef0123456789abcdef")
3158 logger.info("Wait for reauthentication")
3159 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3161 raise Exception("Timeout on reauthentication")
3162 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3164 raise Exception("Timeout on reauthentication")
3165 for i in range(0, 20):
3166 state = dev[0].get_status_field("wpa_state")
3167 if state == "COMPLETED":
3170 if state != "COMPLETED":
3171 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    eap_message carries a displayable string followed by a literal "\\0"
    separator and an option list (networkid, nasid, portid, NAIRealms);
    this looks like the RFC 3748 section 5.1 Identity request layout --
    confirm against hostapd's eap_message parsing. The connection with
    EAP-PAX must still complete with that message present.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Double backslash in the Python literal => "\0" text in the config.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    The server is configured with eap_sim_aka_result_ind=1. For each of
    EAP-SIM, EAP-AKA and EAP-AKA', dev[0] requests protected result
    indication (phase1="result_ind=1") and re-authenticates, while dev[1]
    connects without requesting it. Both must succeed, i.e. the server
    must interoperate with peers that do and do not ask for the
    indication.

    The password strings are the Milenage test inputs expected by
    hlr_auc_gw (apparently Ki:OPc for SIM and Ki:OPc:SQN for AKA/AKA');
    confirm against the hlr_auc_gw test database.
    """
    check_hlr_auc_gw_support()
    server_params = int_eap_server_params()
    server_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    server_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], server_params)

    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, imsi, secret) in enumerate(cases):
        # Drop the previous method's networks before moving on; the last
        # method leaves them in place, as the original sequence did.
        if idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, imsi, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, imsi, password=secret)
3216 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
3217 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3218 skip_with_fips(dev[0])
3219 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3220 hostapd.add_ap(apdev[0]['ifname'], params)
3221 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3222 eap="TTLS", identity="mschap user",
3223 wait_connect=False, scan_freq="2412", ieee80211w="1",
3224 anonymous_identity="ttls", password="password",
3225 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3227 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
3229 raise Exception("EAP roundtrip limit not reached")
3231 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
3232 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3233 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3234 hostapd.add_ap(apdev[0]['ifname'], params)
3235 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
3236 eap="PSK", identity="vendor-test",
3237 password_hex="ff23456789abcdef0123456789abcdef",
3241 for i in range(0, 5):
3242 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
3244 raise Exception("Association and EAP start timed out")
3245 if "refuse proposed method" in ev:
3249 raise Exception("Unexpected EAP status: " + ev)
3251 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3253 raise Exception("EAP failure timed out")
3255 def test_ap_wpa2_eap_sql(dev, apdev, params):
3256 """WPA2-Enterprise connection using SQLite for user DB"""
3257 skip_with_fips(dev[0])
3261 raise HwsimSkip("No sqlite3 module available")
3262 dbfile = os.path.join(params['logdir'], "eap-user.db")
3267 con = sqlite3.connect(dbfile)
3270 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3271 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3272 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3273 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3274 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3275 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3276 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3277 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3280 params = int_eap_server_params()
3281 params["eap_user_file"] = "sqlite:" + dbfile
3282 hostapd.add_ap(apdev[0]['ifname'], params)
3283 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
3284 anonymous_identity="ttls", password="password",
3285 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3286 dev[0].request("REMOVE_NETWORK all")
3287 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
3288 anonymous_identity="ttls", password="password",
3289 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
3290 dev[1].request("REMOVE_NETWORK all")
3291 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
3292 anonymous_identity="ttls", password="password",
3293 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
3294 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
3295 anonymous_identity="ttls", password="password",
3296 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3300 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
3301 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3302 params = int_eap_server_params()
3303 hostapd.add_ap(apdev[0]['ifname'], params)
3304 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3305 identity="\x80", password="password", wait_connect=False)
3306 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3307 identity="a\x80", password="password", wait_connect=False)
3308 for i in range(0, 2):
3309 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3311 raise Exception("Association and EAP start timed out")
3312 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3314 raise Exception("EAP method selection timed out")
3316 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
3317 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3318 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3319 hostapd.add_ap(apdev[0]['ifname'], params)
3320 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3321 identity="\x80", password="password", wait_connect=False)
3322 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3323 identity="a\x80", password="password", wait_connect=False)
3324 for i in range(0, 2):
3325 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3327 raise Exception("Association and EAP start timed out")
3328 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3330 raise Exception("EAP method selection timed out")
3332 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3333 """OpenSSL cipher suite configuration on wpa_supplicant"""
3334 tls = dev[0].request("GET tls_library")
3335 if not tls.startswith("OpenSSL"):
3336 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3337 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3338 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3339 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3340 anonymous_identity="ttls", password="password",
3341 openssl_ciphers="AES128",
3342 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3343 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3344 anonymous_identity="ttls", password="password",
3345 openssl_ciphers="EXPORT",
3346 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3347 expect_failure=True, maybe_local_error=True)
3348 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3349 identity="pap user", anonymous_identity="ttls",
3350 password="password",
3351 openssl_ciphers="FOO",
3352 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3354 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3356 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3357 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The server restricts its TLS cipher list to "AES256". A client with
    the default list and one restricted to "HIGH:!ADH" must still be able
    to complete EAP-TTLS/PAP, whereas a client limited to "AES128" has no
    suite in common with the server and must fail. Finally an
    unparseable openssl_ciphers value ("FOO") must make hostapd refuse to
    enable the second AP.

    Both wpa_supplicant and hostapd need to be built against OpenSSL for
    the openssl_ciphers parameter to be meaningful; other TLS libraries
    skip the test.

    NOTE(review): the successful connections are not inspected for the
    cipher that was actually negotiated, so this checks "connects / does
    not connect" only.
    """
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    server_params = int_eap_server_params()
    server_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], server_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    client_cases = [
        (dev[0], {}),
        (dev[1], {"openssl_ciphers": "AES128", "expect_failure": True}),
        (dev[2], {"openssl_ciphers": "HIGH:!ADH"}),
    ]
    for sta, extra in client_cases:
        eap_connect(sta, apdev[0], "TTLS", "pap user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **extra)

    # Invalid cipher string: configuration must be rejected on ENABLE.
    server_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], server_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
3388 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3389 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3390 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3391 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3392 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3393 pid = find_wpas_process(dev[0])
3394 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3395 anonymous_identity="ttls", password=password,
3396 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3397 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
3398 # event has been delivered, so verify that wpa_supplicant has returned to
3399 # eloop before reading process memory.
3402 buf = read_process_memory(pid, password)
3404 dev[0].request("DISCONNECT")
3405 dev[0].wait_disconnected()
3413 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3414 for l in f.readlines():
3415 if "EAP-TTLS: Derived key - hexdump" in l:
3416 val = l.strip().split(':')[3].replace(' ', '')
3417 msk = binascii.unhexlify(val)
3418 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3419 val = l.strip().split(':')[3].replace(' ', '')
3420 emsk = binascii.unhexlify(val)
3421 if "WPA: PMK - hexdump" in l:
3422 val = l.strip().split(':')[3].replace(' ', '')
3423 pmk = binascii.unhexlify(val)
3424 if "WPA: PTK - hexdump" in l:
3425 val = l.strip().split(':')[3].replace(' ', '')
3426 ptk = binascii.unhexlify(val)
3427 if "WPA: Group Key - hexdump" in l:
3428 val = l.strip().split(':')[3].replace(' ', '')
3429 gtk = binascii.unhexlify(val)
3430 if not msk or not emsk or not pmk or not ptk or not gtk:
3431 raise Exception("Could not find keys from debug log")
3433 raise Exception("Unexpected GTK length")
3439 fname = os.path.join(params['logdir'],
3440 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3442 logger.info("Checking keys in memory while associated")
3443 get_key_locations(buf, password, "Password")
3444 get_key_locations(buf, pmk, "PMK")
3445 get_key_locations(buf, msk, "MSK")
3446 get_key_locations(buf, emsk, "EMSK")
3447 if password not in buf:
3448 raise HwsimSkip("Password not found while associated")
3450 raise HwsimSkip("PMK not found while associated")
3452 raise Exception("KCK not found while associated")
3454 raise Exception("KEK not found while associated")
3456 raise Exception("TK found from memory")
3458 get_key_locations(buf, gtk, "GTK")
3459 raise Exception("GTK found from memory")
3461 logger.info("Checking keys in memory after disassociation")
3462 buf = read_process_memory(pid, password)
3464 # Note: Password is still present in network configuration
3465 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3467 get_key_locations(buf, password, "Password")
3468 get_key_locations(buf, pmk, "PMK")
3469 get_key_locations(buf, msk, "MSK")
3470 get_key_locations(buf, emsk, "EMSK")
3471 verify_not_present(buf, kck, fname, "KCK")
3472 verify_not_present(buf, kek, fname, "KEK")
3473 verify_not_present(buf, tk, fname, "TK")
3474 verify_not_present(buf, gtk, fname, "GTK")
3476 dev[0].request("PMKSA_FLUSH")
3477 dev[0].set_network_quoted(id, "identity", "foo")
3478 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3479 buf = read_process_memory(pid, password)
3480 get_key_locations(buf, password, "Password")
3481 get_key_locations(buf, pmk, "PMK")
3482 get_key_locations(buf, msk, "MSK")
3483 get_key_locations(buf, emsk, "EMSK")
3484 verify_not_present(buf, pmk, fname, "PMK")
3486 dev[0].request("REMOVE_NETWORK all")
3488 logger.info("Checking keys in memory after network profile removal")
3489 buf = read_process_memory(pid, password)
3491 get_key_locations(buf, password, "Password")
3492 get_key_locations(buf, pmk, "PMK")
3493 get_key_locations(buf, msk, "MSK")
3494 get_key_locations(buf, emsk, "EMSK")
3495 verify_not_present(buf, password, fname, "password")
3496 verify_not_present(buf, pmk, fname, "PMK")
3497 verify_not_present(buf, kck, fname, "KCK")
3498 verify_not_present(buf, kek, fname, "KEK")
3499 verify_not_present(buf, tk, fname, "TK")
3500 verify_not_present(buf, gtk, fname, "GTK")
3501 verify_not_present(buf, msk, fname, "MSK")
3502 verify_not_present(buf, emsk, fname, "EMSK")
3504 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3505 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3506 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3507 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3508 bssid = apdev[0]['bssid']
3509 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3510 anonymous_identity="ttls", password="password",
3511 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3513 # Send unexpected WEP EAPOL-Key; this gets dropped
3514 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3516 raise Exception("EAPOL_RX to wpa_supplicant failed")
3518 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3519 """WPA2-EAP and wpas interface in a bridge"""
3523 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3525 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3526 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3527 subprocess.call(['brctl', 'delbr', br_ifname])
3528 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3530 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3531 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3532 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3536 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3537 subprocess.call(['brctl', 'addbr', br_ifname])
3538 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3539 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3540 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3541 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3542 wpas.interface_add(ifname, br_ifname=br_ifname)
3545 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3546 password_hex="0123456789abcdef0123456789abcdef")
3548 eap_reauth(wpas, "PAX")
3550 # Try again as a regression test for packet socket workaround
3551 eap_reauth(wpas, "PAX")
3553 wpas.request("DISCONNECT")
3554 wpas.wait_disconnected()
3556 wpas.request("RECONNECT")
3557 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    phase1="tls_disable_session_ticket=0" presumably turns the TLS session
    ticket extension back on for the EAP-TTLS client (confirm the default
    in wpa_supplicant's eap_tls_common). The connection and a subsequent
    re-authentication must both succeed with the extension present.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Sanity check that the AP advertises WPA-EAP as its first AKM.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    eap_reauth(dev[0], "TTLS")
3573 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3574 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3576 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3577 key_mgmt = hapd.get_config()['key_mgmt']
3578 if key_mgmt.split(' ')[0] != "WPA-EAP":
3579 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3580 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3581 anonymous_identity="ttls", password="password",
3582 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3584 eap_reauth(dev[0], "TTLS")
3586 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3587 """EAP-TLS and server checking CRL"""
3588 params = int_eap_server_params()
3589 params['check_crl'] = '1'
3590 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3592 # check_crl=1 and no CRL available --> reject connection
3593 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3594 client_cert="auth_serv/user.pem",
3595 private_key="auth_serv/user.key", expect_failure=True)
3596 dev[0].request("REMOVE_NETWORK all")
3599 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3602 # check_crl=1 and valid CRL --> accept
3603 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3604 client_cert="auth_serv/user.pem",
3605 private_key="auth_serv/user.key")
3606 dev[0].request("REMOVE_NETWORK all")
3609 hapd.set("check_crl", "2")
3612 # check_crl=2 and valid CRL --> accept
3613 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3614 client_cert="auth_serv/user.pem",
3615 private_key="auth_serv/user.key")
3616 dev[0].request("REMOVE_NETWORK all")
3618 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3619 """EAP-TLS and OOM"""
3620 check_subject_match_support(dev[0])
3621 check_altsubject_match_support(dev[0])
3622 check_domain_match(dev[0])
3623 check_domain_match_full(dev[0])
3625 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3626 hostapd.add_ap(apdev[0]['ifname'], params)
3628 tests = [ (1, "tls_connection_set_subject_match"),
3629 (2, "tls_connection_set_subject_match"),
3630 (3, "tls_connection_set_subject_match"),
3631 (4, "tls_connection_set_subject_match") ]
3632 for count, func in tests:
3633 with alloc_fail(dev[0], count, func):
3634 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3635 identity="tls user", ca_cert="auth_serv/ca.pem",
3636 client_cert="auth_serv/user.pem",
3637 private_key="auth_serv/user.key",
3638 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3639 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3640 domain_suffix_match="server.w1.fi",
3641 domain_match="server.w1.fi",
3642 wait_connect=False, scan_freq="2412")
3643 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3644 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3646 raise Exception("No passphrase request")
3647 dev[0].request("REMOVE_NETWORK all")
3648 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    macaddr_acl is set to "2"; that value appears to select hostapd's
    RADIUS-based MAC ACL mode (confirm against hostapd.conf). An EAP-TLS
    client (dev[1]) must still be able to authenticate with that ACL mode
    active.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[1], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
3659 def test_ap_wpa2_eap_oom(dev, apdev):
3660 """EAP server and OOM"""
3661 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3662 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3663 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3665 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3666 # The first attempt fails, but STA will send EAPOL-Start to retry and
3668 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3669 identity="tls user", ca_cert="auth_serv/ca.pem",
3670 client_cert="auth_serv/user.pem",
3671 private_key="auth_serv/user.key",
3674 def check_tls_ver(dev, ap, phase1, expected):
3675 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3676 client_cert="auth_serv/user.pem",
3677 private_key="auth_serv/user.key",
3679 ver = dev.get_status_field("eap_tls_version")
3681 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3683 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3684 """EAP-TLS and TLS version configuration"""
3685 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3686 hostapd.add_ap(apdev[0]['ifname'], params)
3688 tls = dev[0].request("GET tls_library")
3689 if tls.startswith("OpenSSL"):
3690 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3691 check_tls_ver(dev[0], apdev[0],
3692 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3694 elif tls.startswith("internal"):
3695 check_tls_ver(dev[0], apdev[0],
3696 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3697 check_tls_ver(dev[1], apdev[0],
3698 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3699 check_tls_ver(dev[2], apdev[0],
3700 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3702 def test_rsn_ie_proto_eap_sta(dev, apdev):
3703 """RSN element protocol testing for EAP cases on STA side"""
3704 bssid = apdev[0]['bssid']
3705 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3706 # This is the RSN element used normally by hostapd
3707 params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3708 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3709 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
3710 identity="gpsk user",
3711 password="abcdefghijklmnop0123456789abcdef",
3714 tests = [ ('No RSN Capabilities field',
3715 '30120100000fac040100000fac040100000fac01'),
3716 ('No AKM Suite fields',
3717 '300c0100000fac040100000fac04'),
3718 ('No Pairwise Cipher Suite fields',
3719 '30060100000fac04'),
3720 ('No Group Data Cipher Suite field',
3722 for txt,ie in tests:
3723 dev[0].request("DISCONNECT")
3724 dev[0].wait_disconnected()
3727 hapd.set('own_ie_override', ie)
3729 dev[0].request("BSS_FLUSH 0")
3730 dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
3731 dev[0].select_network(id, freq=2412)
3732 dev[0].wait_connected()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends use OpenSSL.

    Session resumption tests rely on the hostapd (server) and
    wpa_supplicant (client) TLS wrappers both being OpenSSL; the server
    is checked first, then the client. Raises HwsimSkip with the reported
    library name otherwise and returns None when both are OpenSSL.
    """
    for peer, message in ((hapd, "hostapd TLS library is not OpenSSL: "),
                          (dev, "Session resumption not supported with this TLS library: ")):
        lib = peer.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(message + lib)
3743 def test_eap_ttls_pap_session_resumption(dev, apdev):
3744 """EAP-TTLS/PAP session resumption"""
3745 params = int_eap_server_params()
3746 params['tls_session_lifetime'] = '60'
3747 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3748 check_tls_session_resumption_capa(dev[0], hapd)
3749 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3750 anonymous_identity="ttls", password="password",
3751 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3753 if dev[0].get_status_field("tls_session_reused") != '0':
3754 raise Exception("Unexpected session resumption on the first connection")
3756 dev[0].request("REAUTHENTICATE")
3757 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3759 raise Exception("EAP success timed out")
3760 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3762 raise Exception("Key handshake with the AP timed out")
3763 if dev[0].get_status_field("tls_session_reused") != '1':
3764 raise Exception("Session resumption not used on the second connection")
3766 def test_eap_ttls_chap_session_resumption(dev, apdev):
3767 """EAP-TTLS/CHAP session resumption"""
3768 params = int_eap_server_params()
3769 params['tls_session_lifetime'] = '60'
3770 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3771 check_tls_session_resumption_capa(dev[0], hapd)
3772 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
3773 anonymous_identity="ttls", password="password",
3774 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
3775 if dev[0].get_status_field("tls_session_reused") != '0':
3776 raise Exception("Unexpected session resumption on the first connection")
3778 dev[0].request("REAUTHENTICATE")
3779 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3781 raise Exception("EAP success timed out")
3782 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3784 raise Exception("Key handshake with the AP timed out")
3785 if dev[0].get_status_field("tls_session_reused") != '1':
3786 raise Exception("Session resumption not used on the second connection")
3788 def test_eap_ttls_mschap_session_resumption(dev, apdev):
3789 """EAP-TTLS/MSCHAP session resumption"""
3790 check_domain_suffix_match(dev[0])
3791 params = int_eap_server_params()
3792 params['tls_session_lifetime'] = '60'
3793 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3794 check_tls_session_resumption_capa(dev[0], hapd)
3795 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
3796 anonymous_identity="ttls", password="password",
3797 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
3798 domain_suffix_match="server.w1.fi")
3799 if dev[0].get_status_field("tls_session_reused") != '0':
3800 raise Exception("Unexpected session resumption on the first connection")
3802 dev[0].request("REAUTHENTICATE")
3803 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3805 raise Exception("EAP success timed out")
3806 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3808 raise Exception("Key handshake with the AP timed out")
3809 if dev[0].get_status_field("tls_session_reused") != '1':
3810 raise Exception("Session resumption not used on the second connection")
3812 def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
3813 """EAP-TTLS/MSCHAPv2 session resumption"""
3814 check_domain_suffix_match(dev[0])
3815 check_eap_capa(dev[0], "MSCHAPV2")
3816 params = int_eap_server_params()
3817 params['tls_session_lifetime'] = '60'
3818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3819 check_tls_session_resumption_capa(dev[0], hapd)
3820 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
3821 anonymous_identity="ttls", password="password",
3822 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3823 domain_suffix_match="server.w1.fi")
3824 if dev[0].get_status_field("tls_session_reused") != '0':
3825 raise Exception("Unexpected session resumption on the first connection")
3827 dev[0].request("REAUTHENTICATE")
3828 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3830 raise Exception("EAP success timed out")
3831 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3833 raise Exception("Key handshake with the AP timed out")
3834 if dev[0].get_status_field("tls_session_reused") != '1':
3835 raise Exception("Session resumption not used on the second connection")
3837 def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
3838 """EAP-TTLS/EAP-GTC session resumption"""
3839 params = int_eap_server_params()
3840 params['tls_session_lifetime'] = '60'
3841 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3842 check_tls_session_resumption_capa(dev[0], hapd)
3843 eap_connect(dev[0], apdev[0], "TTLS", "user",
3844 anonymous_identity="ttls", password="password",
3845 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
3846 if dev[0].get_status_field("tls_session_reused") != '0':
3847 raise Exception("Unexpected session resumption on the first connection")
3849 dev[0].request("REAUTHENTICATE")
3850 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3852 raise Exception("EAP success timed out")
3853 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3855 raise Exception("Key handshake with the AP timed out")
3856 if dev[0].get_status_field("tls_session_reused") != '1':
3857 raise Exception("Session resumption not used on the second connection")
3859 def test_eap_ttls_no_session_resumption(dev, apdev):
3860 """EAP-TTLS session resumption disabled on server"""
3861 params = int_eap_server_params()
3862 params['tls_session_lifetime'] = '0'
3863 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3864 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3865 anonymous_identity="ttls", password="password",
3866 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3868 if dev[0].get_status_field("tls_session_reused") != '0':
3869 raise Exception("Unexpected session resumption on the first connection")
3871 dev[0].request("REAUTHENTICATE")
3872 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3874 raise Exception("EAP success timed out")
3875 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3877 raise Exception("Key handshake with the AP timed out")
3878 if dev[0].get_status_field("tls_session_reused") != '0':
3879 raise Exception("Unexpected session resumption on the second connection")
3881 def test_eap_peap_session_resumption(dev, apdev):
3882 """EAP-PEAP session resumption"""
# Server caches TLS sessions for 60 s; the reauthentication is expected to
# resume the cached session instead of running a full handshake.
3883 params = int_eap_server_params()
3884 params['tls_session_lifetime'] = '60'
3885 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Skip (HwsimSkip) when either side cannot do resumption at all.
3886 check_tls_session_resumption_capa(dev[0], hapd)
3887 eap_connect(dev[0], apdev[0], "PEAP", "user",
3888 anonymous_identity="peap", password="password",
3889 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
# First connection has nothing to resume yet.
3890 if dev[0].get_status_field("tls_session_reused") != '0':
3891 raise Exception("Unexpected session resumption on the first connection")
# Force a new EAP exchange; wait for EAP success and the 4-way handshake.
3893 dev[0].request("REAUTHENTICATE")
3894 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3896 raise Exception("EAP success timed out")
3897 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3899 raise Exception("Key handshake with the AP timed out")
# '1' = the TLS session from the first connection was resumed.
3900 if dev[0].get_status_field("tls_session_reused") != '1':
3901 raise Exception("Session resumption not used on the second connection")
3903 def test_eap_peap_no_session_resumption(dev, apdev):
3904 """EAP-PEAP session resumption disabled on server"""
# No tls_session_lifetime is set, so the server keeps its default (no
# resumption per the docstring); both connections must be full handshakes.
3905 params = int_eap_server_params()
3906 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3907 eap_connect(dev[0], apdev[0], "PEAP", "user",
3908 anonymous_identity="peap", password="password",
3909 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
3910 if dev[0].get_status_field("tls_session_reused") != '0':
3911 raise Exception("Unexpected session resumption on the first connection")
# Force a new EAP exchange; wait for EAP success and the 4-way handshake.
3913 dev[0].request("REAUTHENTICATE")
3914 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3916 raise Exception("EAP success timed out")
3917 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3919 raise Exception("Key handshake with the AP timed out")
3920 if dev[0].get_status_field("tls_session_reused") != '0':
3921 raise Exception("Unexpected session resumption on the second connection")
3923 def test_eap_tls_session_resumption(dev, apdev):
3924 """EAP-TLS session resumption"""
# 60 s server-side session cache; the second AND third authentication are
# both expected to resume, i.e. the cached entry survives being reused once.
3925 params = int_eap_server_params()
3926 params['tls_session_lifetime'] = '60'
3927 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3928 check_tls_session_resumption_capa(dev[0], hapd)
3929 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3930 client_cert="auth_serv/user.pem",
3931 private_key="auth_serv/user.key")
3932 if dev[0].get_status_field("tls_session_reused") != '0':
3933 raise Exception("Unexpected session resumption on the first connection")
# Second connection: forced reauthentication, must resume.
3935 dev[0].request("REAUTHENTICATE")
3936 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3938 raise Exception("EAP success timed out")
3939 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3941 raise Exception("Key handshake with the AP timed out")
3942 if dev[0].get_status_field("tls_session_reused") != '1':
3943 raise Exception("Session resumption not used on the second connection")
# Third connection: same expectation, catches a cache entry that is evicted
# after a single resumption.
3945 dev[0].request("REAUTHENTICATE")
3946 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3948 raise Exception("EAP success timed out")
3949 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3951 raise Exception("Key handshake with the AP timed out")
3952 if dev[0].get_status_field("tls_session_reused") != '1':
3953 raise Exception("Session resumption not used on the third connection")
3955 def test_eap_tls_session_resumption_expiration(dev, apdev):
3956 """EAP-TLS session resumption"""
# Expiration variant: with a 1-second cache lifetime, a reauthentication that
# happens after the lifetime must NOT resume the stale session. A server that
# honours resumption past tls_session_lifetime would fail here.
3957 params = int_eap_server_params()
3958 params['tls_session_lifetime'] = '1'
3959 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3960 check_tls_session_resumption_capa(dev[0], hapd)
3961 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3962 client_cert="auth_serv/user.pem",
3963 private_key="auth_serv/user.key")
3964 if dev[0].get_status_field("tls_session_reused") != '0':
3965 raise Exception("Unexpected session resumption on the first connection")
3967 # Allow multiple attempts since OpenSSL may not expire the cached entry
# NOTE(review): the retry loop header (and its delay) wrapping the following
# lines is not visible here; the `== '0'` branch below presumably leaves the
# loop once a full handshake has been observed — confirm against the source.
3972 dev[0].request("REAUTHENTICATE")
3973 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3975 raise Exception("EAP success timed out")
3976 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
3978 raise Exception("Key handshake with the AP timed out")
3979 if dev[0].get_status_field("tls_session_reused") == '0':
# After the retries, resumption of an expired entry is a failure.
3981 if dev[0].get_status_field("tls_session_reused") != '0':
3982 raise Exception("Session resumption used after lifetime expiration")
3984 def test_eap_tls_no_session_resumption(dev, apdev):
3985 """EAP-TLS session resumption disabled on server"""
# Default server params (no tls_session_lifetime): both the initial connection
# and the forced reauthentication must be full TLS handshakes.
3986 params = int_eap_server_params()
3987 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3988 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3989 client_cert="auth_serv/user.pem",
3990 private_key="auth_serv/user.key")
3991 if dev[0].get_status_field("tls_session_reused") != '0':
3992 raise Exception("Unexpected session resumption on the first connection")
# Force a new EAP exchange; wait for EAP success and the 4-way handshake.
3994 dev[0].request("REAUTHENTICATE")
3995 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
3997 raise Exception("EAP success timed out")
3998 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4000 raise Exception("Key handshake with the AP timed out")
4001 if dev[0].get_status_field("tls_session_reused") != '0':
4002 raise Exception("Unexpected session resumption on the second connection")
4004 def test_eap_tls_session_resumption_radius(dev, apdev):
4005 """EAP-TLS session resumption (RADIUS)"""
# Two hostapd instances: apdev[1] runs as a standalone RADIUS/EAP server (auth
# port 18128, session cache lifetime 60 s) and apdev[0] is the AP that proxies
# EAP to it. The TLS session cache therefore lives on the RADIUS server side.
4006 params = { "ssid": "as", "beacon_int": "2000",
4007 "radius_server_clients": "auth_serv/radius_clients.conf",
4008 "radius_server_auth_port": '18128',
4010 "eap_user_file": "auth_serv/eap_user.conf",
4011 "ca_cert": "auth_serv/ca.pem",
4012 "server_cert": "auth_serv/server.pem",
4013 "private_key": "auth_serv/server.key",
4014 "tls_session_lifetime": "60" }
4015 authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
# Capability check is done against the authentication server, not the AP.
4016 check_tls_session_resumption_capa(dev[0], authsrv)
4018 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4019 params['auth_server_port'] = "18128"
4020 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4021 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4022 client_cert="auth_serv/user.pem",
4023 private_key="auth_serv/user.key")
4024 if dev[0].get_status_field("tls_session_reused") != '0':
4025 raise Exception("Unexpected session resumption on the first connection")
# Forced reauthentication across the RADIUS hop must resume the cached session.
4027 dev[0].request("REAUTHENTICATE")
4028 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4030 raise Exception("EAP success timed out")
4031 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4033 raise Exception("Key handshake with the AP timed out")
4034 if dev[0].get_status_field("tls_session_reused") != '1':
4035 raise Exception("Session resumption not used on the second connection")
4037 def test_eap_tls_no_session_resumption_radius(dev, apdev):
4038 """EAP-TLS session resumption disabled (RADIUS)"""
# Same two-instance setup as the RADIUS resumption test, but the RADIUS/EAP
# server on apdev[1] has its session cache disabled (lifetime "0"), so the
# reauthentication must be a full handshake.
4039 params = { "ssid": "as", "beacon_int": "2000",
4040 "radius_server_clients": "auth_serv/radius_clients.conf",
4041 "radius_server_auth_port": '18128',
4043 "eap_user_file": "auth_serv/eap_user.conf",
4044 "ca_cert": "auth_serv/ca.pem",
4045 "server_cert": "auth_serv/server.pem",
4046 "private_key": "auth_serv/server.key",
4047 "tls_session_lifetime": "0" }
4048 hostapd.add_ap(apdev[1]['ifname'], params)
4050 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4051 params['auth_server_port'] = "18128"
4052 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4053 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4054 client_cert="auth_serv/user.pem",
4055 private_key="auth_serv/user.key")
4056 if dev[0].get_status_field("tls_session_reused") != '0':
4057 raise Exception("Unexpected session resumption on the first connection")
# Force a new EAP exchange; wait for EAP success and the 4-way handshake.
4059 dev[0].request("REAUTHENTICATE")
4060 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4062 raise Exception("EAP success timed out")
4063 ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
4065 raise Exception("Key handshake with the AP timed out")
4066 if dev[0].get_status_field("tls_session_reused") != '0':
4067 raise Exception("Unexpected session resumption on the second connection")
4069 def test_eap_mschapv2_errors(dev, apdev):
4070 """EAP-MSCHAPv2 error cases"""
# Fault-injection test: each loop forces a failure (fail_test) or an allocation
# failure (alloc_fail) in a named internal function of the supplicant and
# verifies the trigger fires without the supplicant crashing or wedging.
# The last loop also needs EAP-FAST, which uses MSCHAPv2 as its inner method.
4071 check_eap_capa(dev[0], "MSCHAPV2")
4072 check_eap_capa(dev[0], "FAST")
4074 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4075 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline: a normal, successful MSCHAPv2 connection before any fault is injected.
4076 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4077 identity="phase1-user", password="password",
4079 dev[0].request("REMOVE_NETWORK all")
4080 dev[0].wait_disconnected()
# (count, func): fail the count-th invocation matched by func. The "a;b" form
# presumably constrains the match to a caller chain — see utils.fail_test.
# NOTE(review): "nt_password_hash;=mschapv2_derive_response" appears twice in
# this list (third and sixth entries); the duplicate only repeats one case.
4082 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4083 (1, "nt_password_hash;mschapv2_derive_response"),
4084 (1, "nt_password_hash;=mschapv2_derive_response"),
4085 (1, "generate_nt_response;mschapv2_derive_response"),
4086 (1, "generate_authenticator_response;mschapv2_derive_response"),
4087 (1, "nt_password_hash;=mschapv2_derive_response"),
4088 (1, "get_master_key;mschapv2_derive_response"),
4089 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4090 for count, func in tests:
4091 with fail_test(dev[0], count, func):
# wait_connect=False: the connection is expected to fail; the loop only waits
# for the injected failure to trigger, then tears the network down.
4092 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4093 identity="phase1-user", password="password",
4094 wait_connect=False, scan_freq="2412")
4095 wait_fail_trigger(dev[0], "GET_FAIL")
4096 dev[0].request("REMOVE_NETWORK all")
4097 dev[0].wait_disconnected()
# Same credential supplied as a precomputed NT hash (password_hex="hash:...")
# instead of cleartext, to drive the *_pwhash code paths.
4099 tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4100 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4101 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4102 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4103 for count, func in tests:
4104 with fail_test(dev[0], count, func):
4105 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4106 identity="phase1-user",
4107 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
4108 wait_connect=False, scan_freq="2412")
4109 wait_fail_trigger(dev[0], "GET_FAIL")
4110 dev[0].request("REMOVE_NETWORK all")
4111 dev[0].wait_disconnected()
# Memory-allocation failures along the success path (init, challenge reply,
# success message, key export).
4113 tests = [ (1, "eap_mschapv2_init"),
4114 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4115 (1, "eap_msg_alloc;eap_mschapv2_success"),
4116 (1, "eap_mschapv2_getKey") ]
4117 for count, func in tests:
4118 with alloc_fail(dev[0], count, func):
4119 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4120 identity="phase1-user", password="password",
4121 wait_connect=False, scan_freq="2412")
4122 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4123 dev[0].request("REMOVE_NETWORK all")
4124 dev[0].wait_disconnected()
# Allocation failure on the failure path: a wrong password makes the server
# send MSCHAPv2 Failure, which is what eap_mschapv2_failure handles.
4126 tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4127 for count, func in tests:
4128 with alloc_fail(dev[0], count, func):
4129 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
4130 identity="phase1-user", password="wrong password",
4131 wait_connect=False, scan_freq="2412")
4132 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4133 dev[0].request("REMOVE_NETWORK all")
4134 dev[0].wait_disconnected()
# Later allocations in eap_mschapv2_init are only reached when MSCHAPv2 runs
# as the phase 2 method inside EAP-FAST (in-band provisioning, PAC in a blob).
4136 tests = [ (2, "eap_mschapv2_init"),
4137 (3, "eap_mschapv2_init") ]
4138 for count, func in tests:
4139 with alloc_fail(dev[0], count, func):
4140 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
4141 anonymous_identity="FAST", identity="user",
4142 password="password",
4143 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
4144 phase1="fast_provisioning=1",
4145 pac_file="blob://fast_pac",
4146 wait_connect=False, scan_freq="2412")
4147 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4148 dev[0].request("REMOVE_NETWORK all")
4149 dev[0].wait_disconnected()
4151 def test_eap_gpsk_errors(dev, apdev):
4152 """EAP-GPSK error cases"""
# Fault-injection test for the EAP-GPSK peer: forced failures in the key/MIC
# derivation helpers, then allocation failures across the whole state machine.
4153 params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
4154 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Baseline successful connection with the 32-character test PSK.
4155 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4156 identity="gpsk user",
4157 password="abcdefghijklmnop0123456789abcdef",
4159 dev[0].request("REMOVE_NETWORK all")
4160 dev[0].wait_disconnected()
# (count, func, phase1): phase1 is passed through to connect() so that the
# same failure point can be exercised under different cipher-suite selections;
# the non-None phase1 values are not visible in this listing.
4162 tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4163 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4165 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4167 (1, "eap_gpsk_derive_keys_helper", None),
4168 (2, "eap_gpsk_derive_keys_helper", None),
4169 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4171 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4173 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4174 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4175 (1, "eap_gpsk_derive_mid_helper", None) ]
4176 for count, func, phase1 in tests:
4177 with fail_test(dev[0], count, func):
# Connection is expected to fail; only wait for the injected trigger.
4178 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4179 identity="gpsk user",
4180 password="abcdefghijklmnop0123456789abcdef",
4182 wait_connect=False, scan_freq="2412")
4183 wait_fail_trigger(dev[0], "GET_FAIL")
4184 dev[0].request("REMOVE_NETWORK all")
4185 dev[0].wait_disconnected()
# Allocation failures; erp="1" plus ERP_FLUSH before each attempt makes the
# peer derive/export the EMSK too, so eap_gpsk_get_emsk is reachable.
4187 tests = [ (1, "eap_gpsk_init"),
4188 (2, "eap_gpsk_init"),
4189 (3, "eap_gpsk_init"),
4190 (1, "eap_gpsk_process_id_server"),
4191 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4192 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4193 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4194 (1, "eap_gpsk_derive_keys"),
4195 (1, "eap_gpsk_derive_keys_helper"),
4196 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4197 (1, "eap_gpsk_getKey"),
4198 (1, "eap_gpsk_get_emsk"),
4199 (1, "eap_gpsk_get_session_id") ]
4200 for count, func in tests:
4201 with alloc_fail(dev[0], count, func):
4202 dev[0].request("ERP_FLUSH")
4203 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
4204 identity="gpsk user", erp="1",
4205 password="abcdefghijklmnop0123456789abcdef",
4206 wait_connect=False, scan_freq="2412")
4207 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4208 dev[0].request("REMOVE_NETWORK all")
4209 dev[0].wait_disconnected()
4211 def test_ap_wpa2_eap_sim_db(dev, apdev, params):
4212 """EAP-SIM DB error cases"""
# The test stands in for hlr_auc_gw: hostapd's EAP-SIM DB is pointed at a
# Unix datagram socket that this test script serves, so the error handling of
# the hostapd side (no server, malformed replies, timeout) can be driven.
# NOTE(review): a fixed path under /tmp; the lines handling a stale socket
# file (between the assignment and hparams) are not visible here.
4213 sockpath = '/tmp/hlr_auc_gw.sock-test'
4218 hparams = int_eap_server_params()
4219 hparams['eap_sim_db'] = 'unix:' + sockpath
4220 hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)
4222 # Initial test with hlr_auc_gw socket not available
# Nothing is listening on sockpath yet, so the authentication must fail
# cleanly with EAP-Failure rather than hang. The SIM credential is the
# bundled test Ki:OPc pair for this IMSI (test-only material).
# `id` shadows the builtin; it is the network id reused by select_network.
4223 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4224 eap="SIM", identity="1232010000000000",
4225 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4226 scan_freq="2412", wait_connect=False)
4227 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4229 raise Exception("EAP-Failure not reported")
4230 dev[0].wait_disconnected()
4231 dev[0].request("DISCONNECT")
4233 # Test with invalid responses and response timeout
# Handler for one request: replies with three malformed strings (each comment
# names the hostapd-side parse error it should produce) and never a valid
# one, so hostapd's pending eap_sim_db request must time out and fail.
4235 class test_handler(SocketServer.DatagramRequestHandler):
4237 data = self.request[0].strip()
4238 socket = self.request[1]
4239 logger.debug("Received hlr_auc_gw request: " + data)
4240 # EAP-SIM DB: Failed to parse response string
4241 socket.sendto("FOO", self.client_address)
4242 # EAP-SIM DB: Failed to parse response string
4243 socket.sendto("FOO 1", self.client_address)
4244 # EAP-SIM DB: Unknown external response
4245 socket.sendto("FOO 1 2", self.client_address)
4246 logger.info("No proper response - wait for pending eap_sim_db request timeout")
4248 server = SocketServer.UnixDatagramServer(sockpath, test_handler)
# handle_request() serves exactly one datagram, then the test waits for the
# resulting EAP-Failure on the supplicant side.
4251 dev[0].select_network(id)
4252 server.handle_request()
4253 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4255 raise Exception("EAP-Failure not reported")
4256 dev[0].wait_disconnected()
4257 dev[0].request("DISCONNECT")
4259 # Test with a valid response
# Handler that delegates to the real hlr_auc_gw binary (argument list, no
# shell) with the Milenage DB from the log directory and forwards its reply.
# NOTE(review): the child is read from but not waited on here (the line after
# the read is not visible) — confirm it is reaped/closed.
4261 class test_handler2(SocketServer.DatagramRequestHandler):
4263 data = self.request[0].strip()
4264 socket = self.request[1]
4265 logger.debug("Received hlr_auc_gw request: " + data)
4266 fname = os.path.join(params['logdir'],
4267 'hlr_auc_gw.milenage_db')
4268 cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
4270 stdout=subprocess.PIPE)
4271 res = cmd.stdout.read().strip()
4273 logger.debug("hlr_auc_gw response: " + res)
4274 socket.sendto(res, self.client_address)
# Swap the handler on the already-bound server and run one more request; this
# time the connection must complete.
4276 server.RequestHandlerClass = test_handler2
4278 dev[0].select_network(id)
4279 server.handle_request()
4280 dev[0].wait_connected()
4281 dev[0].request("DISCONNECT")
4282 dev[0].wait_disconnected()
4284 def test_eap_tls_sha512(dev, apdev, params):
4285 """EAP-TLS with SHA512 signature"""
# Server chain signed with SHA-512 (sha512-ca / sha512-server). Two clients:
# dev[0] presents a SHA-512-signed user cert, dev[1] a SHA-384-signed one;
# both must authenticate against the same CA.
# NOTE(review): the local `params` rebinding shadows the `params` fixture
# argument, which is otherwise unused in this test.
4286 params = int_eap_server_params()
4287 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4288 params["server_cert"] = "auth_serv/sha512-server.pem"
4289 params["private_key"] = "auth_serv/sha512-server.key"
4290 hostapd.add_ap(apdev[0]['ifname'], params)
4292 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4293 identity="tls user sha512",
4294 ca_cert="auth_serv/sha512-ca.pem",
4295 client_cert="auth_serv/sha512-user.pem",
4296 private_key="auth_serv/sha512-user.key",
# Same identity, different (SHA-384) client credential.
4298 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4299 identity="tls user sha512",
4300 ca_cert="auth_serv/sha512-ca.pem",
4301 client_cert="auth_serv/sha384-user.pem",
4302 private_key="auth_serv/sha384-user.key",
4305 def test_eap_tls_sha384(dev, apdev, params):
4306 """EAP-TLS with SHA384 signature"""
# Same CA as the SHA-512 test but the server certificate is SHA-384-signed
# (sha384-server); clients again present SHA-512 (dev[0]) and SHA-384 (dev[1])
# user certificates.
# NOTE(review): the local `params` rebinding shadows the `params` fixture
# argument, which is otherwise unused in this test.
4307 params = int_eap_server_params()
4308 params["ca_cert"] = "auth_serv/sha512-ca.pem"
4309 params["server_cert"] = "auth_serv/sha384-server.pem"
4310 params["private_key"] = "auth_serv/sha384-server.key"
4311 hostapd.add_ap(apdev[0]['ifname'], params)
4313 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4314 identity="tls user sha512",
4315 ca_cert="auth_serv/sha512-ca.pem",
4316 client_cert="auth_serv/sha512-user.pem",
4317 private_key="auth_serv/sha512-user.key",
# Same identity, different (SHA-384) client credential.
4319 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4320 identity="tls user sha512",
4321 ca_cert="auth_serv/sha512-ca.pem",
4322 client_cert="auth_serv/sha384-user.pem",
4323 private_key="auth_serv/sha384-user.key",
4326 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
4327 """WPA2-Enterprise AP and association request RSN IE differences"""
# Exercises the AP's parsing of the RSN element in (Re)Association Request
# frames. set_test_assoc_ie (test_ap_psk) replaces the supplicant's RSN IE
# with a raw hex element; each hex string starts with 0x30 (RSN element id)
# followed by the element length, version 0100 and the suite selectors
# (000fac04 = CCMP, 000fac01 = IEEE 802.1X AKM, 000fac02 = TKIP).
# Two APs: one plain WPA2-Enterprise and one with PMF required (ieee80211w=2).
4328 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4329 hostapd.add_ap(apdev[0]['ifname'], params)
4331 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
4332 params["ieee80211w"] = "2"
4333 hostapd.add_ap(apdev[1]['ifname'], params)
4335 # Success cases with optional RSN IE fields removed one by one
# Truncated-but-valid elements: the AP must accept an RSN IE that stops after
# any of the optional trailing fields, and must ignore extra/unknown trailing
# fields. Each case must still connect (connect() waits by default).
4336 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4337 "30140100000fac040100000fac040100000fac010000"),
4338 ("Extra PMKIDCount field in RSN IE",
4339 "30160100000fac040100000fac040100000fac0100000000"),
4340 ("Extra Group Management Cipher Suite in RSN IE",
4341 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4342 ("Extra undefined extension field in RSN IE",
4343 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4344 ("RSN IE without RSN Capabilities",
4345 "30120100000fac040100000fac040100000fac01"),
4346 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4347 ("RSN IE without pairwise", "30060100000fac04"),
4348 ("RSN IE without group", "30020100") ]
4349 for title, ie in tests:
4351 set_test_assoc_ie(dev[0], ie)
4352 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4353 identity="gpsk user",
4354 password="abcdefghijklmnop0123456789abcdef",
4356 dev[0].request("REMOVE_NETWORK all")
4357 dev[0].wait_disconnected()
# PMF-required AP: RSN Capabilities "cc00" carries the MFP bits (compare the
# "0000" capabilities rejected below), with and without an explicit group
# management cipher (000fac06).
4359 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
4360 "30140100000fac040100000fac040100000fac01cc00"),
4361 ("Group management cipher included in assoc req RSN IE",
4362 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4363 for title, ie in tests:
4365 set_test_assoc_ie(dev[0], ie)
4366 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4367 eap="GPSK", identity="gpsk user",
4368 password="abcdefghijklmnop0123456789abcdef",
4370 dev[0].request("REMOVE_NETWORK all")
4371 dev[0].wait_disconnected()
# Rejection cases: the AP must refuse the association with the expected IEEE
# 802.11 status code (41 = invalid group cipher, 42 = invalid pairwise cipher),
# i.e. a TKIP selector is not silently accepted on a CCMP-only AP.
4373 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
4374 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4375 for title, ie, status in tests:
4377 set_test_assoc_ie(dev[0], ie)
# wait_connect=False: association is expected to be rejected, so the loop
# checks the ASSOC-REJECT event and its status code, then clears the monitor
# instead of waiting for a disconnection that never happens.
4378 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
4379 identity="gpsk user",
4380 password="abcdefghijklmnop0123456789abcdef",
4381 scan_freq="2412", wait_connect=False)
4382 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4384 raise Exception("Association rejection not reported")
4385 if "status_code=" + str(status) not in ev:
4386 raise Exception("Unexpected status code: " + ev)
4387 dev[0].request("REMOVE_NETWORK all")
4388 dev[0].dump_monitor()
# PMF policy violations on the PMF-required AP (status 31): a client that does
# not advertise MFP in RSN Capabilities, or one that proposes an unsupported
# group management cipher (000fac0b), must be rejected rather than downgraded.
4390 tests = [ ("Management frame protection not enabled",
4391 "30140100000fac040100000fac040100000fac010000", 31),
4392 ("Unsupported management group cipher",
4393 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4394 for title, ie, status in tests:
4396 set_test_assoc_ie(dev[0], ie)
4397 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
4398 eap="GPSK", identity="gpsk user",
4399 password="abcdefghijklmnop0123456789abcdef",
4400 scan_freq="2412", wait_connect=False)
4401 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4403 raise Exception("Association rejection not reported")
4404 if "status_code=" + str(status) not in ev:
4405 raise Exception("Unexpected status code: " + ev)
4406 dev[0].request("REMOVE_NETWORK all")
4407 dev[0].dump_monitor()
4409 def test_eap_tls_ext_cert_check(dev, apdev):
4410 """EAP-TLS and external server certification validation"""
4411 # With internal server certificate chain validation
# ca_cert is configured, so the supplicant validates the chain itself AND
# (phase1 tls_ext_cert_check=1) asks the controller for an external verdict.
# The network is only added here (only_add_network=True); the shared
# run_ext_cert_check helper starts the AP and drives both verdict outcomes.
4412 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4413 identity="tls user",
4414 ca_cert="auth_serv/ca.pem",
4415 client_cert="auth_serv/user.pem",
4416 private_key="auth_serv/user.key",
4417 phase1="tls_ext_cert_check=1", scan_freq="2412",
4418 only_add_network=True)
4419 run_ext_cert_check(dev, apdev, id)
4421 def test_eap_ttls_ext_cert_check(dev, apdev):
4422 """EAP-TTLS and external server certification validation"""
4423 # Without internal server certificate chain validation
# No ca_cert is set, so the external check requested via
# phase1 tls_ext_cert_check=1 is the only validation of the server
# certificate in this variant; run_ext_cert_check must therefore see the
# connection succeed on a "good" verdict and fail on a "bad" one.
4424 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4425 identity="pap user", anonymous_identity="ttls",
4426 password="password", phase2="auth=PAP",
4427 phase1="tls_ext_cert_check=1", scan_freq="2412",
4428 only_add_network=True)
4429 run_ext_cert_check(dev, apdev, id)
4431 def test_eap_peap_ext_cert_check(dev, apdev):
4432 """EAP-PEAP and external server certification validation"""
4433 # With internal server certificate chain validation
# ca_cert plus phase1 tls_ext_cert_check=1: internal chain validation and an
# external verdict are both required. Network is added only; the shared
# run_ext_cert_check helper performs the actual connection attempts.
4434 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
4435 identity="user", anonymous_identity="peap",
4436 ca_cert="auth_serv/ca.pem",
4437 password="password", phase2="auth=MSCHAPV2",
4438 phase1="tls_ext_cert_check=1", scan_freq="2412",
4439 only_add_network=True)
4440 run_ext_cert_check(dev, apdev, id)
4442 def test_eap_fast_ext_cert_check(dev, apdev):
4443 """EAP-FAST and external server certification validation"""
4444 check_eap_capa(dev[0], "FAST")
4445 # With internal server certificate chain validation
# The PAC blob is reset to empty first so no previously provisioned PAC can
# short-cut the TLS exchange; fast_provisioning=2 selects authenticated
# provisioning, which is where the server certificate is presented and the
# external check (tls_ext_cert_check=1) is consulted.
4446 dev[0].request("SET blob fast_pac_auth_ext ")
4447 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
4448 identity="user", anonymous_identity="FAST",
4449 ca_cert="auth_serv/ca.pem",
4450 password="password", phase2="auth=GTC",
4451 phase1="tls_ext_cert_check=1 fast_provisioning=2",
4452 pac_file="blob://fast_pac_auth_ext",
4454 only_add_network=True)
4455 run_ext_cert_check(dev, apdev, id)
# Shared driver for the *_ext_cert_check tests.
#
# dev/apdev: the usual hwsim fixtures; net_id: id of a network already added
# (only_add_network=True) with phase1 tls_ext_cert_check=1. Brings up the AP,
# collects the server certificate chain reported by the supplicant, answers
# the CTRL-REQ-EXT_CERT_CHECK request with "good" (connection must complete)
# and, on a second full EAP run, with "bad" (EAP must fail).
# Raises HwsimSkip when the build lacks ext cert check support or pyOpenSSL
# (openssl_imported) is unavailable; raises Exception on any mismatch.
4457 def run_ext_cert_check(dev, apdev, net_id):
4458 check_ext_cert_check_support(dev[0])
4459 if not openssl_imported:
4460 raise HwsimSkip("OpenSSL python method not available")
4462 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4463 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4465 dev[0].select_network(net_id)
# Event loop (its header and the `certs` initialisation are not visible here):
# gather CTRL-EVENT-EAP-PEER-CERT entries keyed by chain depth until the
# supplicant asks for the external verdict. EAP-Success arriving before the
# request would mean the check was bypassed.
4468 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
4469 "CTRL-REQ-EXT_CERT_CHECK",
4470 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4472 raise Exception("No peer server certificate event seen")
4473 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
# Event is space-separated key=value pairs; cert= carries the DER as hex.
4476 vals = ev.split(' ')
4478 if v.startswith("depth="):
4479 depth = int(v.split('=')[1])
4480 elif v.startswith("cert="):
4481 cert = v.split('=')[1]
4482 if depth is not None and cert:
4483 certs[depth] = binascii.unhexlify(cert)
4484 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
4485 raise Exception("Unexpected EAP-Success")
4486 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
# Request id is the trailing token before ':' (e.g. CTRL-REQ-EXT_CERT_CHECK-<id>:...);
# `id` shadows the builtin. The conditions guarding the two raises below
# (presumably depth 0 / depth 1 missing from certs) are not visible here.
4487 id = ev.split(':')[0].split('-')[-1]
4490 raise Exception("Server certificate not received")
4492 raise Exception("Server certificate issuer not received")
# Parse the DER certificates with pyOpenSSL and pin the expected subject CNs
# of the test server chain. `cert` is rebound from the hex string to the
# X509 object here.
4494 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4496 cn = cert.get_subject().commonName
4497 logger.info("Server certificate CN=" + cn)
4499 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
4501 icn = issuer.get_subject().commonName
4502 logger.info("Issuer certificate CN=" + icn)
4504 if cn != "server.w1.fi":
4505 raise Exception("Unexpected server certificate CN: " + cn)
4506 if icn != "Root CA":
4507 raise Exception("Unexpected server certificate issuer CN: " + icn)
# The supplicant must block on the external verdict: a short poll for
# EAP-Success must come back empty before the verdict is delivered.
4509 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
4511 raise Exception("Unexpected EAP-Success before external check result indication")
4513 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
4514 dev[0].wait_connected()
# Second round: flush PMKSA cache (presumably so the reconnect cannot skip EAP
# via PMKSA caching) and clear the EAP-FAST PAC blob again, then RECONNECT and
# expect a fresh external-check request.
4516 dev[0].request("DISCONNECT")
4517 dev[0].wait_disconnected()
4518 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
4519 raise Exception("PMKSA_FLUSH failed")
4520 dev[0].request("SET blob fast_pac_auth_ext ")
4521 dev[0].request("RECONNECT")
4523 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
4525 raise Exception("No peer server certificate event seen (2)")
4526 id = ev.split(':')[0].split('-')[-1]
# A "bad" verdict must terminate authentication with EAP-Failure.
4527 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
4528 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
4530 raise Exception("EAP-Failure not reported")
4531 dev[0].request("REMOVE_NETWORK all")
4532 dev[0].wait_disconnected()