1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
18 from utils import HwsimSkip, alloc_fail, fail_test
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
22 def check_hlr_auc_gw_support():
23 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
24 raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
31 def check_subject_match_support(dev):
32 tls = dev.request("GET tls_library")
33 if not tls.startswith("OpenSSL"):
34 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
36 def check_altsubject_match_support(dev):
37 tls = dev.request("GET tls_library")
38 if not tls.startswith("OpenSSL"):
39 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
41 def check_domain_match_full(dev):
42 tls = dev.request("GET tls_library")
43 if not tls.startswith("OpenSSL"):
44 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
46 def check_cert_probe_support(dev):
47 tls = dev.request("GET tls_library")
48 if not tls.startswith("OpenSSL"):
49 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report)
78 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
84 expect_failure=False, local_error_report=False):
85 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
87 raise Exception("Association and EAP start timed out")
88 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev = dev.wait_disconnected(timeout=10)
98 if not local_error_report:
99 if "reason=23" not in ev:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
104 raise Exception("EAP success timed out")
107 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
109 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
111 raise Exception("Association with the AP timed out")
112 status = dev.get_status()
113 if status["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method not in status["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e = "WPA2-EAP-SHA256"
123 e = "WPA2/IEEE 802.1X/EAP"
125 e = "WPA/IEEE 802.1X/EAP"
126 if status["key_mgmt"] != e:
127 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
130 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
131 dev.request("REAUTHENTICATE")
132 return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
133 expect_failure=expect_failure)
135 def test_ap_wpa2_eap_sim(dev, apdev):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
140 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
141 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils.test_connectivity(dev[0], hapd)
143 eap_reauth(dev[0], "SIM")
145 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
146 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
148 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger.info("Negative test with incorrect key")
152 dev[0].request("REMOVE_NETWORK all")
153 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
154 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger.info("Invalid GSM-Milenage key")
158 dev[0].request("REMOVE_NETWORK all")
159 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
160 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger.info("Invalid GSM-Milenage key(2)")
164 dev[0].request("REMOVE_NETWORK all")
165 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
166 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger.info("Invalid GSM-Milenage key(3)")
170 dev[0].request("REMOVE_NETWORK all")
171 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
172 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger.info("Invalid GSM-Milenage key(4)")
176 dev[0].request("REMOVE_NETWORK all")
177 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
178 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger.info("Missing key configuration")
182 dev[0].request("REMOVE_NETWORK all")
183 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
195 params['auth_server_port'] = "1814"
196 hostapd.add_ap(apdev[0]['ifname'], params)
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger.info("SIM fast re-authentication")
201 eap_reauth(dev[0], "SIM")
203 logger.info("SIM full auth with pseudonym")
206 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
209 logger.info("SIM full auth with permanent identity")
212 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev[0], "SIM")
216 logger.info("SIM reauth with mismatching MK")
219 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev[0], "SIM", expect_failure=True)
221 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger.info("SIM reauth with mismatching counter")
233 eap_reauth(dev[0], "SIM")
234 dev[0].request("REMOVE_NETWORK all")
236 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
237 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev, apdev):
245 """EAP-SIM configuration options"""
246 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
247 hostapd.add_ap(apdev[0]['ifname'], params)
248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
249 identity="1232010000000000",
250 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1="sim_min_num_chal=1",
252 wait_connect=False, scan_freq="2412")
253 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
255 raise Exception("No EAP error message seen")
256 dev[0].request("REMOVE_NETWORK all")
258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
259 identity="1232010000000000",
260 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1="sim_min_num_chal=4",
262 wait_connect=False, scan_freq="2412")
263 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
265 raise Exception("No EAP error message seen (2)")
266 dev[0].request("REMOVE_NETWORK all")
268 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=2")
271 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
272 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity="345678")
275 def test_ap_wpa2_eap_sim_ext(dev, apdev):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev, apdev)
280 dev[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
283 check_hlr_auc_gw_support()
284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
285 hostapd.add_ap(apdev[0]['ifname'], params)
286 dev[0].request("SET external_sim 1")
287 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
288 identity="1232010000000000",
289 wait_connect=False, scan_freq="2412")
290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
292 raise Exception("Network connected timed out")
294 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid = p[0].split('-')[3]
303 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 raise Exception("EAP failure not reported")
309 dev[0].request("DISCONNECT")
310 dev[0].wait_disconnected()
313 dev[0].select_network(id, freq="2412")
314 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid = p[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
326 raise Exception("EAP failure not reported")
327 dev[0].request("DISCONNECT")
328 dev[0].wait_disconnected()
331 dev[0].select_network(id, freq="2412")
332 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid = p[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
344 raise Exception("EAP failure not reported")
345 dev[0].request("DISCONNECT")
346 dev[0].wait_disconnected()
349 dev[0].select_network(id, freq="2412")
350 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid = p[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
362 raise Exception("EAP failure not reported")
363 dev[0].request("DISCONNECT")
364 dev[0].wait_disconnected()
367 dev[0].select_network(id, freq="2412")
368 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid = p[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 raise Exception("EAP failure not reported")
381 dev[0].request("DISCONNECT")
382 dev[0].wait_disconnected()
385 dev[0].select_network(id, freq="2412")
386 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid = p[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
398 raise Exception("EAP failure not reported")
399 dev[0].request("DISCONNECT")
400 dev[0].wait_disconnected()
403 dev[0].select_network(id, freq="2412")
404 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid = p[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_sim_oom(dev, apdev):
419 """EAP-SIM and OOM"""
420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
421 hostapd.add_ap(apdev[0]['ifname'], params)
422 tests = [ (1, "milenage_f2345"),
423 (2, "milenage_f2345"),
424 (3, "milenage_f2345"),
425 (4, "milenage_f2345"),
426 (5, "milenage_f2345"),
427 (6, "milenage_f2345"),
428 (7, "milenage_f2345"),
429 (8, "milenage_f2345"),
430 (9, "milenage_f2345"),
431 (10, "milenage_f2345"),
432 (11, "milenage_f2345"),
433 (12, "milenage_f2345") ]
434 for count, func in tests:
435 with alloc_fail(dev[0], count, func):
436 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
437 identity="1232010000000000",
438 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
439 wait_connect=False, scan_freq="2412")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
442 raise Exception("EAP method not selected")
443 dev[0].wait_disconnected()
444 dev[0].request("REMOVE_NETWORK all")
446 def test_ap_wpa2_eap_aka(dev, apdev):
447 """WPA2-Enterprise connection using EAP-AKA"""
448 check_hlr_auc_gw_support()
449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
451 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
452 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
453 hwsim_utils.test_connectivity(dev[0], hapd)
454 eap_reauth(dev[0], "AKA")
456 logger.info("Negative test with incorrect key")
457 dev[0].request("REMOVE_NETWORK all")
458 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
459 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
462 logger.info("Invalid Milenage key")
463 dev[0].request("REMOVE_NETWORK all")
464 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
465 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
468 logger.info("Invalid Milenage key(2)")
469 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
470 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
473 logger.info("Invalid Milenage key(3)")
474 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
475 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
478 logger.info("Invalid Milenage key(4)")
479 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
480 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
483 logger.info("Invalid Milenage key(5)")
484 dev[0].request("REMOVE_NETWORK all")
485 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
486 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
489 logger.info("Invalid Milenage key(6)")
490 dev[0].request("REMOVE_NETWORK all")
491 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
492 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
495 logger.info("Missing key configuration")
496 dev[0].request("REMOVE_NETWORK all")
497 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
501 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
502 check_hlr_auc_gw_support()
506 raise HwsimSkip("No sqlite3 module available")
507 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
508 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
509 params['auth_server_port'] = "1814"
510 hostapd.add_ap(apdev[0]['ifname'], params)
511 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
514 logger.info("AKA fast re-authentication")
515 eap_reauth(dev[0], "AKA")
517 logger.info("AKA full auth with pseudonym")
520 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
521 eap_reauth(dev[0], "AKA")
523 logger.info("AKA full auth with permanent identity")
526 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
527 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
528 eap_reauth(dev[0], "AKA")
530 logger.info("AKA reauth with mismatching MK")
533 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
534 eap_reauth(dev[0], "AKA", expect_failure=True)
535 dev[0].request("REMOVE_NETWORK all")
537 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
538 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
541 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
542 eap_reauth(dev[0], "AKA")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 logger.info("AKA reauth with mismatching counter")
547 eap_reauth(dev[0], "AKA")
548 dev[0].request("REMOVE_NETWORK all")
550 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
551 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
554 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with max reauth count reached")
556 eap_reauth(dev[0], "AKA")
558 def test_ap_wpa2_eap_aka_config(dev, apdev):
559 """EAP-AKA configuration options"""
560 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
561 hostapd.add_ap(apdev[0]['ifname'], params)
562 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
563 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
564 anonymous_identity="2345678")
566 def test_ap_wpa2_eap_aka_ext(dev, apdev):
567 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
569 _test_ap_wpa2_eap_aka_ext(dev, apdev)
571 dev[0].request("SET external_sim 0")
573 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
574 check_hlr_auc_gw_support()
575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
576 hostapd.add_ap(apdev[0]['ifname'], params)
577 dev[0].request("SET external_sim 1")
578 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
579 identity="0232010000000000",
580 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
581 wait_connect=False, scan_freq="2412")
582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
584 raise Exception("Network connected timed out")
586 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
588 raise Exception("Wait for external SIM processing request timed out")
590 if p[1] != "UMTS-AUTH":
591 raise Exception("Unexpected CTRL-REQ-SIM type")
592 rid = p[0].split('-')[3]
595 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
596 # This will fail during processing, but the ctrl_iface command succeeds
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
600 raise Exception("EAP failure not reported")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected()
605 dev[0].select_network(id, freq="2412")
606 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 raise Exception("Wait for external SIM processing request timed out")
610 if p[1] != "UMTS-AUTH":
611 raise Exception("Unexpected CTRL-REQ-SIM type")
612 rid = p[0].split('-')[3]
613 # This will fail during UMTS auth validation
614 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
615 raise Exception("CTRL-RSP-SIM failed")
616 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
618 raise Exception("Wait for external SIM processing request timed out")
620 if p[1] != "UMTS-AUTH":
621 raise Exception("Unexpected CTRL-REQ-SIM type")
622 rid = p[0].split('-')[3]
623 # This will fail during UMTS auth validation
624 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
625 raise Exception("CTRL-RSP-SIM failed")
626 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
628 raise Exception("EAP failure not reported")
629 dev[0].request("DISCONNECT")
630 dev[0].wait_disconnected()
633 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
635 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
636 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
637 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
638 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
641 dev[0].select_network(id, freq="2412")
642 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
644 raise Exception("Wait for external SIM processing request timed out")
646 if p[1] != "UMTS-AUTH":
647 raise Exception("Unexpected CTRL-REQ-SIM type")
648 rid = p[0].split('-')[3]
649 # This will fail during UMTS auth validation
650 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
651 raise Exception("CTRL-RSP-SIM failed")
652 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
654 raise Exception("EAP failure not reported")
655 dev[0].request("DISCONNECT")
656 dev[0].wait_disconnected()
659 def test_ap_wpa2_eap_aka_prime(dev, apdev):
660 """WPA2-Enterprise connection using EAP-AKA'"""
661 check_hlr_auc_gw_support()
662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
664 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
665 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
666 hwsim_utils.test_connectivity(dev[0], hapd)
667 eap_reauth(dev[0], "AKA'")
669 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
670 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
671 identity="6555444333222111@both",
672 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
673 wait_connect=False, scan_freq="2412")
674 dev[1].wait_connected(timeout=15)
676 logger.info("Negative test with incorrect key")
677 dev[0].request("REMOVE_NETWORK all")
678 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
683 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
684 check_hlr_auc_gw_support()
688 raise HwsimSkip("No sqlite3 module available")
689 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
691 params['auth_server_port'] = "1814"
692 hostapd.add_ap(apdev[0]['ifname'], params)
693 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
694 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
696 logger.info("AKA' fast re-authentication")
697 eap_reauth(dev[0], "AKA'")
699 logger.info("AKA' full auth with pseudonym")
702 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
703 eap_reauth(dev[0], "AKA'")
705 logger.info("AKA' full auth with permanent identity")
708 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
709 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
710 eap_reauth(dev[0], "AKA'")
712 logger.info("AKA' reauth with mismatching k_aut")
715 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
716 eap_reauth(dev[0], "AKA'", expect_failure=True)
717 dev[0].request("REMOVE_NETWORK all")
719 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
720 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
723 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
724 eap_reauth(dev[0], "AKA'")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 logger.info("AKA' reauth with mismatching counter")
729 eap_reauth(dev[0], "AKA'")
730 dev[0].request("REMOVE_NETWORK all")
732 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
733 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
736 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with max reauth count reached")
738 eap_reauth(dev[0], "AKA'")
740 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
741 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
742 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
743 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
744 key_mgmt = hapd.get_config()['key_mgmt']
745 if key_mgmt.split(' ')[0] != "WPA-EAP":
746 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
747 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
748 anonymous_identity="ttls", password="password",
749 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
750 hwsim_utils.test_connectivity(dev[0], hapd)
751 eap_reauth(dev[0], "TTLS")
752 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
753 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
755 def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
756 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
757 check_subject_match_support(dev[0])
758 check_altsubject_match_support(dev[0])
759 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
760 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
761 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
762 anonymous_identity="ttls", password="password",
763 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
764 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
765 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
766 eap_reauth(dev[0], "TTLS")
768 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
769 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
770 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
772 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
773 anonymous_identity="ttls", password="wrong",
774 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
776 eap_connect(dev[1], apdev[0], "TTLS", "user",
777 anonymous_identity="ttls", password="password",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
781 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
782 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
783 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
784 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
785 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
786 anonymous_identity="ttls", password="password",
787 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
788 hwsim_utils.test_connectivity(dev[0], hapd)
789 eap_reauth(dev[0], "TTLS")
791 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
792 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
793 check_altsubject_match_support(dev[0])
794 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
795 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
796 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
797 anonymous_identity="ttls", password="password",
798 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
799 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
800 eap_reauth(dev[0], "TTLS")
802 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
803 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
805 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
806 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
807 anonymous_identity="ttls", password="wrong",
808 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
810 eap_connect(dev[1], apdev[0], "TTLS", "user",
811 anonymous_identity="ttls", password="password",
812 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
815 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
816 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
819 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
820 anonymous_identity="ttls", password="password",
821 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
822 domain_suffix_match="server.w1.fi")
823 hwsim_utils.test_connectivity(dev[0], hapd)
824 eap_reauth(dev[0], "TTLS")
825 dev[0].request("REMOVE_NETWORK all")
826 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
827 anonymous_identity="ttls", password="password",
828 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
831 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
832 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
833 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
834 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
835 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
836 anonymous_identity="ttls", password="wrong",
837 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
839 eap_connect(dev[1], apdev[0], "TTLS", "user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
843 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
844 anonymous_identity="ttls", password="password",
845 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
848 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
849 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
850 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
851 hostapd.add_ap(apdev[0]['ifname'], params)
852 hapd = hostapd.Hostapd(apdev[0]['ifname'])
853 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
854 anonymous_identity="ttls", password="password",
855 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
856 domain_suffix_match="server.w1.fi")
857 hwsim_utils.test_connectivity(dev[0], hapd)
858 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
859 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
860 eap_reauth(dev[0], "TTLS")
861 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
862 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
863 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
864 raise Exception("dot1xAuthEapolFramesRx did not increase")
865 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
866 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
867 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
868 raise Exception("backendAuthSuccesses did not increase")
870 logger.info("Password as hash value")
871 dev[0].request("REMOVE_NETWORK all")
872 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
873 anonymous_identity="ttls",
874 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
875 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
877 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
878 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
879 check_domain_match_full(dev[0])
880 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
881 hostapd.add_ap(apdev[0]['ifname'], params)
882 hapd = hostapd.Hostapd(apdev[0]['ifname'])
883 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
884 anonymous_identity="ttls", password="password",
885 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
886 domain_suffix_match="w1.fi")
887 hwsim_utils.test_connectivity(dev[0], hapd)
888 eap_reauth(dev[0], "TTLS")
890 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
891 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
892 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
893 hostapd.add_ap(apdev[0]['ifname'], params)
894 hapd = hostapd.Hostapd(apdev[0]['ifname'])
895 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
896 anonymous_identity="ttls", password="password",
897 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
898 domain_match="Server.w1.fi")
899 hwsim_utils.test_connectivity(dev[0], hapd)
900 eap_reauth(dev[0], "TTLS")
902 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
903 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
904 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
905 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
906 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
907 anonymous_identity="ttls", password="password1",
908 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
910 eap_connect(dev[1], apdev[0], "TTLS", "user",
911 anonymous_identity="ttls", password="password",
912 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
915 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
916 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
917 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
918 hostapd.add_ap(apdev[0]['ifname'], params)
919 hapd = hostapd.Hostapd(apdev[0]['ifname'])
920 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
921 anonymous_identity="ttls", password="secret-åäö-€-password",
922 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
923 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
924 anonymous_identity="ttls",
925 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
928 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
929 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
930 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
931 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
932 eap_connect(dev[0], apdev[0], "TTLS", "user",
933 anonymous_identity="ttls", password="password",
934 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
935 hwsim_utils.test_connectivity(dev[0], hapd)
936 eap_reauth(dev[0], "TTLS")
938 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
939 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
940 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
941 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
942 eap_connect(dev[0], apdev[0], "TTLS", "user",
943 anonymous_identity="ttls", password="wrong",
944 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
947 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
948 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
949 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
950 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
951 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
952 anonymous_identity="ttls", password="password",
953 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
956 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
957 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
958 params = int_eap_server_params()
959 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
960 with alloc_fail(hapd, 1, "eap_gtc_init"):
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="password",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
965 dev[0].request("REMOVE_NETWORK all")
967 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
968 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
969 eap="TTLS", identity="user",
970 anonymous_identity="ttls", password="password",
971 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
972 wait_connect=False, scan_freq="2412")
973 # This would eventually time out, but we can stop after having reached
974 # the allocation failure.
977 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
980 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
981 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
982 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
983 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
984 eap_connect(dev[0], apdev[0], "TTLS", "user",
985 anonymous_identity="ttls", password="password",
986 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
987 hwsim_utils.test_connectivity(dev[0], hapd)
988 eap_reauth(dev[0], "TTLS")
990 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
991 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
992 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
993 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
994 eap_connect(dev[0], apdev[0], "TTLS", "user",
995 anonymous_identity="ttls", password="wrong",
996 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
999 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
1000 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1001 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1002 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1003 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1004 anonymous_identity="ttls", password="password",
1005 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1006 expect_failure=True)
1008 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1009 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1010 params = int_eap_server_params()
1011 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1012 with alloc_fail(hapd, 1, "eap_md5_init"):
1013 eap_connect(dev[0], apdev[0], "TTLS", "user",
1014 anonymous_identity="ttls", password="password",
1015 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1016 expect_failure=True)
1017 dev[0].request("REMOVE_NETWORK all")
1019 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1020 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1021 eap="TTLS", identity="user",
1022 anonymous_identity="ttls", password="password",
1023 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1024 wait_connect=False, scan_freq="2412")
1025 # This would eventually time out, but we can stop after having reached
1026 # the allocation failure.
1029 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1032 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
1033 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1034 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1035 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1036 eap_connect(dev[0], apdev[0], "TTLS", "user",
1037 anonymous_identity="ttls", password="password",
1038 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
1039 hwsim_utils.test_connectivity(dev[0], hapd)
1040 eap_reauth(dev[0], "TTLS")
1042 logger.info("Negative test with incorrect password")
1043 dev[0].request("REMOVE_NETWORK all")
1044 eap_connect(dev[0], apdev[0], "TTLS", "user",
1045 anonymous_identity="ttls", password="password1",
1046 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1047 expect_failure=True)
1049 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
1050 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1051 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1052 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1053 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
1054 anonymous_identity="ttls", password="password",
1055 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1056 expect_failure=True)
1058 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1059 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1060 params = int_eap_server_params()
1061 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1062 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1063 eap_connect(dev[0], apdev[0], "TTLS", "user",
1064 anonymous_identity="ttls", password="password",
1065 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1066 expect_failure=True)
1067 dev[0].request("REMOVE_NETWORK all")
1069 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1070 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1071 eap="TTLS", identity="user",
1072 anonymous_identity="ttls", password="password",
1073 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1074 wait_connect=False, scan_freq="2412")
1075 # This would eventually time out, but we can stop after having reached
1076 # the allocation failure.
1079 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1081 dev[0].request("REMOVE_NETWORK all")
1083 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1084 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1085 eap="TTLS", identity="user",
1086 anonymous_identity="ttls", password="password",
1087 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1088 wait_connect=False, scan_freq="2412")
1089 # This would eventually time out, but we can stop after having reached
1090 # the allocation failure.
1093 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1095 dev[0].request("REMOVE_NETWORK all")
1097 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1098 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1099 eap="TTLS", identity="user",
1100 anonymous_identity="ttls", password="wrong",
1101 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1102 wait_connect=False, scan_freq="2412")
1103 # This would eventually time out, but we can stop after having reached
1104 # the allocation failure.
1107 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1109 dev[0].request("REMOVE_NETWORK all")
1111 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
1112 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1113 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1114 hostapd.add_ap(apdev[0]['ifname'], params)
1115 eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
1116 anonymous_identity="0232010000000000@ttls",
1117 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1118 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
1120 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
1121 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1122 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1123 hostapd.add_ap(apdev[0]['ifname'], params)
1124 eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
1125 anonymous_identity="0232010000000000@peap",
1126 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1127 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1129 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
1130 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1131 check_eap_capa(dev[0], "FAST")
1132 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1133 hostapd.add_ap(apdev[0]['ifname'], params)
1134 eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
1135 anonymous_identity="0232010000000000@fast",
1136 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1137 phase1="fast_provisioning=2",
1138 pac_file="blob://fast_pac_auth_aka",
1139 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
1141 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
1142 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1143 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1144 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1145 eap_connect(dev[0], apdev[0], "PEAP", "user",
1146 anonymous_identity="peap", password="password",
1147 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1148 hwsim_utils.test_connectivity(dev[0], hapd)
1149 eap_reauth(dev[0], "PEAP")
1150 dev[0].request("REMOVE_NETWORK all")
1151 eap_connect(dev[0], apdev[0], "PEAP", "user",
1152 anonymous_identity="peap", password="password",
1153 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1154 fragment_size="200")
1156 logger.info("Password as hash value")
1157 dev[0].request("REMOVE_NETWORK all")
1158 eap_connect(dev[0], apdev[0], "PEAP", "user",
1159 anonymous_identity="peap",
1160 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1161 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1163 logger.info("Negative test with incorrect password")
1164 dev[0].request("REMOVE_NETWORK all")
1165 eap_connect(dev[0], apdev[0], "PEAP", "user",
1166 anonymous_identity="peap", password="password1",
1167 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1168 expect_failure=True)
1170 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
1171 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1172 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1173 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1174 eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\user3",
1175 anonymous_identity="peap", password="password",
1176 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1177 hwsim_utils.test_connectivity(dev[0], hapd)
1178 eap_reauth(dev[0], "PEAP")
1180 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
1181 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1182 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1183 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1184 eap_connect(dev[0], apdev[0], "PEAP", "user",
1185 anonymous_identity="peap", password="wrong",
1186 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1187 expect_failure=True)
1189 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
1190 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1191 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1192 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1193 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1194 ca_cert="auth_serv/ca.pem",
1195 phase1="peapver=0 crypto_binding=2",
1196 phase2="auth=MSCHAPV2")
1197 hwsim_utils.test_connectivity(dev[0], hapd)
1198 eap_reauth(dev[0], "PEAP")
1200 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1201 ca_cert="auth_serv/ca.pem",
1202 phase1="peapver=0 crypto_binding=1",
1203 phase2="auth=MSCHAPV2")
1204 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1205 ca_cert="auth_serv/ca.pem",
1206 phase1="peapver=0 crypto_binding=0",
1207 phase2="auth=MSCHAPV2")
1209 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
1210 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1211 params = int_eap_server_params()
1212 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1213 with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
1214 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
1215 ca_cert="auth_serv/ca.pem",
1216 phase1="peapver=0 crypto_binding=2",
1217 phase2="auth=MSCHAPV2",
1218 expect_failure=True, local_error_report=True)
1220 def test_ap_wpa2_eap_peap_params(dev, apdev):
1221 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1222 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1223 hostapd.add_ap(apdev[0]['ifname'], params)
1224 eap_connect(dev[0], apdev[0], "PEAP", "user",
1225 anonymous_identity="peap", password="password",
1226 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1227 phase1="peapver=0 peaplabel=1",
1228 expect_failure=True)
1229 dev[0].request("REMOVE_NETWORK all")
1230 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1231 ca_cert="auth_serv/ca.pem",
1232 phase1="peap_outer_success=1",
1233 phase2="auth=MSCHAPV2")
1234 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1235 ca_cert="auth_serv/ca.pem",
1236 phase1="peap_outer_success=2",
1237 phase2="auth=MSCHAPV2")
1238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1240 anonymous_identity="peap", password="password",
1241 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1242 phase1="peapver=1 peaplabel=1",
1243 wait_connect=False, scan_freq="2412")
1244 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1246 raise Exception("No EAP success seen")
1247 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1249 raise Exception("Unexpected connection")
1251 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
1252 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1253 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1254 hostapd.add_ap(apdev[0]['ifname'], params)
1255 eap_connect(dev[0], apdev[0], "PEAP", "cert user",
1256 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
1257 ca_cert2="auth_serv/ca.pem",
1258 client_cert2="auth_serv/user.pem",
1259 private_key2="auth_serv/user.key")
1260 eap_reauth(dev[0], "PEAP")
1262 def test_ap_wpa2_eap_tls(dev, apdev):
1263 """WPA2-Enterprise connection using EAP-TLS"""
1264 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1265 hostapd.add_ap(apdev[0]['ifname'], params)
1266 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1267 client_cert="auth_serv/user.pem",
1268 private_key="auth_serv/user.key")
1269 eap_reauth(dev[0], "TLS")
1271 def test_ap_wpa2_eap_tls_blob(dev, apdev):
1272 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1273 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1274 hostapd.add_ap(apdev[0]['ifname'], params)
1275 cert = read_pem("auth_serv/ca.pem")
1276 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1277 raise Exception("Could not set cacert blob")
1278 cert = read_pem("auth_serv/user.pem")
1279 if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
1280 raise Exception("Could not set usercert blob")
1281 key = read_pem("auth_serv/user.rsa-key")
1282 if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
1283 raise Exception("Could not set cacert blob")
1284 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1285 client_cert="blob://usercert",
1286 private_key="blob://userkey")
1288 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1289 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291 hostapd.add_ap(apdev[0]['ifname'], params)
1292 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1293 private_key="auth_serv/user.pkcs12",
1294 private_key_passwd="whatever")
1295 dev[0].request("REMOVE_NETWORK all")
1296 dev[0].wait_disconnected()
1298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1299 identity="tls user",
1300 ca_cert="auth_serv/ca.pem",
1301 private_key="auth_serv/user.pkcs12",
1302 wait_connect=False, scan_freq="2412")
1303 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1305 raise Exception("Request for private key passphrase timed out")
1306 id = ev.split(':')[0].split('-')[-1]
1307 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1308 dev[0].wait_connected(timeout=10)
1309 dev[0].request("REMOVE_NETWORK all")
1310 dev[0].wait_disconnected()
1312 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1313 private_key="auth_serv/user2.pkcs12",
1314 private_key_passwd="whatever")
1315 dev[0].request("REMOVE_NETWORK all")
1316 dev[0].wait_disconnected()
1318 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
1319 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1320 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1321 hostapd.add_ap(apdev[0]['ifname'], params)
1322 cert = read_pem("auth_serv/ca.pem")
1323 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1324 raise Exception("Could not set cacert blob")
1325 with open("auth_serv/user.pkcs12", "rb") as f:
1326 if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
1327 raise Exception("Could not set pkcs12 blob")
1328 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1329 private_key="blob://pkcs12",
1330 private_key_passwd="whatever")
1332 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1333 """WPA2-Enterprise negative test - incorrect trust root"""
1334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1335 hostapd.add_ap(apdev[0]['ifname'], params)
1336 cert = read_pem("auth_serv/ca-incorrect.pem")
1337 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1338 raise Exception("Could not set cacert blob")
1339 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1340 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1341 password="password", phase2="auth=MSCHAPV2",
1342 ca_cert="blob://cacert",
1343 wait_connect=False, scan_freq="2412")
1344 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1345 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1346 password="password", phase2="auth=MSCHAPV2",
1347 ca_cert="auth_serv/ca-incorrect.pem",
1348 wait_connect=False, scan_freq="2412")
1350 for dev in (dev[0], dev[1]):
1351 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1353 raise Exception("Association and EAP start timed out")
1355 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1357 raise Exception("EAP method selection timed out")
1358 if "TTLS" not in ev:
1359 raise Exception("Unexpected EAP method")
1361 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1362 "CTRL-EVENT-EAP-SUCCESS",
1363 "CTRL-EVENT-EAP-FAILURE",
1364 "CTRL-EVENT-CONNECTED",
1365 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1367 raise Exception("EAP result timed out")
1368 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1369 raise Exception("TLS certificate error not reported")
1371 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1372 "CTRL-EVENT-EAP-FAILURE",
1373 "CTRL-EVENT-CONNECTED",
1374 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1376 raise Exception("EAP result(2) timed out")
1377 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1378 raise Exception("EAP failure not reported")
1380 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1381 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1383 raise Exception("EAP result(3) timed out")
1384 if "CTRL-EVENT-DISCONNECTED" not in ev:
1385 raise Exception("Disconnection not reported")
1387 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1389 raise Exception("Network block disabling not reported")
1391 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1392 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1393 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1394 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1395 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1396 identity="pap user", anonymous_identity="ttls",
1397 password="password", phase2="auth=PAP",
1398 ca_cert="auth_serv/ca.pem",
1399 wait_connect=True, scan_freq="2412")
1400 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1401 identity="pap user", anonymous_identity="ttls",
1402 password="password", phase2="auth=PAP",
1403 ca_cert="auth_serv/ca-incorrect.pem",
1404 only_add_network=True, scan_freq="2412")
1406 dev[0].request("DISCONNECT")
1407 dev[0].wait_disconnected()
1408 dev[0].dump_monitor()
1409 dev[0].select_network(id, freq="2412")
1411 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1413 raise Exception("EAP-TTLS not re-started")
1415 ev = dev[0].wait_disconnected(timeout=15)
1416 if "reason=23" not in ev:
1417 raise Exception("Proper reason code for disconnection not reported")
1419 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1423 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1424 identity="pap user", anonymous_identity="ttls",
1425 password="password", phase2="auth=PAP",
1426 wait_connect=True, scan_freq="2412")
1427 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1428 identity="pap user", anonymous_identity="ttls",
1429 password="password", phase2="auth=PAP",
1430 ca_cert="auth_serv/ca-incorrect.pem",
1431 only_add_network=True, scan_freq="2412")
1433 dev[0].request("DISCONNECT")
1434 dev[0].wait_disconnected()
1435 dev[0].dump_monitor()
1436 dev[0].select_network(id, freq="2412")
1438 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1440 raise Exception("EAP-TTLS not re-started")
1442 ev = dev[0].wait_disconnected(timeout=15)
1443 if "reason=23" not in ev:
1444 raise Exception("Proper reason code for disconnection not reported")
1446 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1447 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1448 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1449 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1450 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1451 identity="pap user", anonymous_identity="ttls",
1452 password="password", phase2="auth=PAP",
1453 ca_cert="auth_serv/ca.pem",
1454 wait_connect=True, scan_freq="2412")
1455 dev[0].request("DISCONNECT")
1456 dev[0].wait_disconnected()
1457 dev[0].dump_monitor()
1458 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1459 dev[0].select_network(id, freq="2412")
1461 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
1463 raise Exception("EAP-TTLS not re-started")
1465 ev = dev[0].wait_disconnected(timeout=15)
1466 if "reason=23" not in ev:
1467 raise Exception("Proper reason code for disconnection not reported")
1469 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1470 """WPA2-Enterprise negative test - domain suffix mismatch"""
1471 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1472 hostapd.add_ap(apdev[0]['ifname'], params)
1473 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1474 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1475 password="password", phase2="auth=MSCHAPV2",
1476 ca_cert="auth_serv/ca.pem",
1477 domain_suffix_match="incorrect.example.com",
1478 wait_connect=False, scan_freq="2412")
1480 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1482 raise Exception("Association and EAP start timed out")
1484 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1486 raise Exception("EAP method selection timed out")
1487 if "TTLS" not in ev:
1488 raise Exception("Unexpected EAP method")
1490 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1491 "CTRL-EVENT-EAP-SUCCESS",
1492 "CTRL-EVENT-EAP-FAILURE",
1493 "CTRL-EVENT-CONNECTED",
1494 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1496 raise Exception("EAP result timed out")
1497 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1498 raise Exception("TLS certificate error not reported")
1499 if "Domain suffix mismatch" not in ev:
1500 raise Exception("Domain suffix mismatch not reported")
1502 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1503 "CTRL-EVENT-EAP-FAILURE",
1504 "CTRL-EVENT-CONNECTED",
1505 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1507 raise Exception("EAP result(2) timed out")
1508 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1509 raise Exception("EAP failure not reported")
1511 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1512 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1514 raise Exception("EAP result(3) timed out")
1515 if "CTRL-EVENT-DISCONNECTED" not in ev:
1516 raise Exception("Disconnection not reported")
1518 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1520 raise Exception("Network block disabling not reported")
1522 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1523 """WPA2-Enterprise negative test - domain mismatch"""
1524 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1525 hostapd.add_ap(apdev[0]['ifname'], params)
1526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1527 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1528 password="password", phase2="auth=MSCHAPV2",
1529 ca_cert="auth_serv/ca.pem",
1530 domain_match="w1.fi",
1531 wait_connect=False, scan_freq="2412")
1533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1535 raise Exception("Association and EAP start timed out")
1537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1539 raise Exception("EAP method selection timed out")
1540 if "TTLS" not in ev:
1541 raise Exception("Unexpected EAP method")
1543 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1544 "CTRL-EVENT-EAP-SUCCESS",
1545 "CTRL-EVENT-EAP-FAILURE",
1546 "CTRL-EVENT-CONNECTED",
1547 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1549 raise Exception("EAP result timed out")
1550 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1551 raise Exception("TLS certificate error not reported")
1552 if "Domain mismatch" not in ev:
1553 raise Exception("Domain mismatch not reported")
1555 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1556 "CTRL-EVENT-EAP-FAILURE",
1557 "CTRL-EVENT-CONNECTED",
1558 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1560 raise Exception("EAP result(2) timed out")
1561 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1562 raise Exception("EAP failure not reported")
1564 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1565 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1567 raise Exception("EAP result(3) timed out")
1568 if "CTRL-EVENT-DISCONNECTED" not in ev:
1569 raise Exception("Disconnection not reported")
1571 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1573 raise Exception("Network block disabling not reported")
1575 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1576 """WPA2-Enterprise negative test - subject mismatch"""
1577 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1578 hostapd.add_ap(apdev[0]['ifname'], params)
1579 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1580 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1581 password="password", phase2="auth=MSCHAPV2",
1582 ca_cert="auth_serv/ca.pem",
1583 subject_match="/C=FI/O=w1.fi/CN=example.com",
1584 wait_connect=False, scan_freq="2412")
1586 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1588 raise Exception("Association and EAP start timed out")
1590 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1591 "EAP: Failed to initialize EAP method"], timeout=10)
1593 raise Exception("EAP method selection timed out")
1594 if "EAP: Failed to initialize EAP method" in ev:
1595 tls = dev[0].request("GET tls_library")
1596 if tls.startswith("OpenSSL"):
1597 raise Exception("Failed to select EAP method")
1598 logger.info("subject_match not supported - connection failed, so test succeeded")
1600 if "TTLS" not in ev:
1601 raise Exception("Unexpected EAP method")
1603 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1604 "CTRL-EVENT-EAP-SUCCESS",
1605 "CTRL-EVENT-EAP-FAILURE",
1606 "CTRL-EVENT-CONNECTED",
1607 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1609 raise Exception("EAP result timed out")
1610 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1611 raise Exception("TLS certificate error not reported")
1612 if "Subject mismatch" not in ev:
1613 raise Exception("Subject mismatch not reported")
1615 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1616 "CTRL-EVENT-EAP-FAILURE",
1617 "CTRL-EVENT-CONNECTED",
1618 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1620 raise Exception("EAP result(2) timed out")
1621 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1622 raise Exception("EAP failure not reported")
1624 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1625 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1627 raise Exception("EAP result(3) timed out")
1628 if "CTRL-EVENT-DISCONNECTED" not in ev:
1629 raise Exception("Disconnection not reported")
1631 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1633 raise Exception("Network block disabling not reported")
1635 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1636 """WPA2-Enterprise negative test - altsubject mismatch"""
1637 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1638 hostapd.add_ap(apdev[0]['ifname'], params)
1640 tests = [ "incorrect.example.com",
1641 "DNS:incorrect.example.com",
1645 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
1647 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
1648 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1649 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1650 password="password", phase2="auth=MSCHAPV2",
1651 ca_cert="auth_serv/ca.pem",
1652 altsubject_match=match,
1653 wait_connect=False, scan_freq="2412")
1655 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1657 raise Exception("Association and EAP start timed out")
1659 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1660 "EAP: Failed to initialize EAP method"], timeout=10)
1662 raise Exception("EAP method selection timed out")
1663 if "EAP: Failed to initialize EAP method" in ev:
1664 tls = dev[0].request("GET tls_library")
1665 if tls.startswith("OpenSSL"):
1666 raise Exception("Failed to select EAP method")
1667 logger.info("altsubject_match not supported - connection failed, so test succeeded")
1669 if "TTLS" not in ev:
1670 raise Exception("Unexpected EAP method")
1672 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1673 "CTRL-EVENT-EAP-SUCCESS",
1674 "CTRL-EVENT-EAP-FAILURE",
1675 "CTRL-EVENT-CONNECTED",
1676 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1678 raise Exception("EAP result timed out")
1679 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1680 raise Exception("TLS certificate error not reported")
1681 if "AltSubject mismatch" not in ev:
1682 raise Exception("altsubject mismatch not reported")
1684 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1685 "CTRL-EVENT-EAP-FAILURE",
1686 "CTRL-EVENT-CONNECTED",
1687 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1689 raise Exception("EAP result(2) timed out")
1690 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1691 raise Exception("EAP failure not reported")
1693 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1694 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1696 raise Exception("EAP result(3) timed out")
1697 if "CTRL-EVENT-DISCONNECTED" not in ev:
1698 raise Exception("Disconnection not reported")
1700 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1702 raise Exception("Network block disabling not reported")
1704 dev[0].request("REMOVE_NETWORK all")
1706 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1707 """WPA2-Enterprise connection using UNAUTH-TLS"""
1708 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1709 hostapd.add_ap(apdev[0]['ifname'], params)
1710 eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1711 ca_cert="auth_serv/ca.pem")
1712 eap_reauth(dev[0], "UNAUTH-TLS")
1714 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1715 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1716 check_cert_probe_support(dev[0])
1717 srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
1718 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1719 hostapd.add_ap(apdev[0]['ifname'], params)
1720 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1721 identity="probe", ca_cert="probe://",
1722 wait_connect=False, scan_freq="2412")
1723 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1725 raise Exception("Association and EAP start timed out")
1726 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1728 raise Exception("No peer server certificate event seen")
1729 if "hash=" + srv_cert_hash not in ev:
1730 raise Exception("Expected server certificate hash not reported")
1731 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1733 raise Exception("EAP result timed out")
1734 if "Server certificate chain probe" not in ev:
1735 raise Exception("Server certificate probe not reported")
1736 dev[0].wait_disconnected(timeout=10)
1737 dev[0].request("REMOVE_NETWORK all")
1739 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1740 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1741 password="password", phase2="auth=MSCHAPV2",
1742 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1743 wait_connect=False, scan_freq="2412")
1744 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1746 raise Exception("Association and EAP start timed out")
1747 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1749 raise Exception("EAP result timed out")
1750 if "Server certificate mismatch" not in ev:
1751 raise Exception("Server certificate mismatch not reported")
1752 dev[0].wait_disconnected(timeout=10)
1753 dev[0].request("REMOVE_NETWORK all")
1755 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1756 anonymous_identity="ttls", password="password",
1757 ca_cert="hash://server/sha256/" + srv_cert_hash,
1758 phase2="auth=MSCHAPV2")
1760 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1761 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1762 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1763 hostapd.add_ap(apdev[0]['ifname'], params)
1764 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1765 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1766 password="password", phase2="auth=MSCHAPV2",
1767 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1768 wait_connect=False, scan_freq="2412")
1769 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1770 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1771 password="password", phase2="auth=MSCHAPV2",
1772 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1773 wait_connect=False, scan_freq="2412")
1774 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1775 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1776 password="password", phase2="auth=MSCHAPV2",
1777 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1778 wait_connect=False, scan_freq="2412")
1779 for i in range(0, 3):
1780 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1782 raise Exception("Association and EAP start timed out")
1783 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1785 raise Exception("Did not report EAP method initialization failure")
1787 def test_ap_wpa2_eap_pwd(dev, apdev):
1788 """WPA2-Enterprise connection using EAP-pwd"""
1789 check_eap_capa(dev[0], "PWD")
1790 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1791 hostapd.add_ap(apdev[0]['ifname'], params)
1792 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1793 eap_reauth(dev[0], "PWD")
1794 dev[0].request("REMOVE_NETWORK all")
1796 eap_connect(dev[1], apdev[0], "PWD",
1797 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1798 password="secret password",
1801 logger.info("Negative test with incorrect password")
1802 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1803 expect_failure=True, local_error_report=True)
1805 eap_connect(dev[0], apdev[0], "PWD",
1806 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1807 password="secret password",
1810 def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
1811 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
1812 check_eap_capa(dev[0], "PWD")
1813 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1814 hostapd.add_ap(apdev[0]['ifname'], params)
1815 eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
1816 eap_connect(dev[1], apdev[0], "PWD", "pwd-hash",
1817 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a")
1818 eap_connect(dev[2], apdev[0], "PWD", "pwd user",
1819 password_hex="hash:e3718ece8ab74792cbbfffd316d2d19a",
1820 expect_failure=True, local_error_report=True)
1822 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1823 """WPA2-Enterprise connection using various EAP-pwd groups"""
1824 check_eap_capa(dev[0], "PWD")
1825 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1826 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1827 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1828 for i in [ 19, 20, 21, 25, 26 ]:
1829 params['pwd_group'] = str(i)
1830 hostapd.add_ap(apdev[0]['ifname'], params)
1831 dev[0].request("REMOVE_NETWORK all")
1832 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1834 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1835 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1836 check_eap_capa(dev[0], "PWD")
1837 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1838 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1839 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1840 params['pwd_group'] = "0"
1841 hostapd.add_ap(apdev[0]['ifname'], params)
1842 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1843 identity="pwd user", password="secret password",
1844 scan_freq="2412", wait_connect=False)
1845 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1847 raise Exception("Timeout on EAP failure report")
1849 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1850 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1851 check_eap_capa(dev[0], "PWD")
1852 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1853 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1854 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1855 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1856 "pwd_group": "19", "fragment_size": "40" }
1857 hostapd.add_ap(apdev[0]['ifname'], params)
1858 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1860 def test_ap_wpa2_eap_gpsk(dev, apdev):
1861 """WPA2-Enterprise connection using EAP-GPSK"""
1862 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1863 hostapd.add_ap(apdev[0]['ifname'], params)
1864 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1865 password="abcdefghijklmnop0123456789abcdef")
1866 eap_reauth(dev[0], "GPSK")
1868 logger.info("Test forced algorithm selection")
1869 for phase1 in [ "cipher=1", "cipher=2" ]:
1870 dev[0].set_network_quoted(id, "phase1", phase1)
1871 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1873 raise Exception("EAP success timed out")
1874 dev[0].wait_connected(timeout=10)
1876 logger.info("Test failed algorithm negotiation")
1877 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1878 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1880 raise Exception("EAP failure timed out")
1882 logger.info("Negative test with incorrect password")
1883 dev[0].request("REMOVE_NETWORK all")
1884 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1885 password="ffcdefghijklmnop0123456789abcdef",
1886 expect_failure=True)
1888 def test_ap_wpa2_eap_sake(dev, apdev):
1889 """WPA2-Enterprise connection using EAP-SAKE"""
1890 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1891 hostapd.add_ap(apdev[0]['ifname'], params)
1892 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1893 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
1894 eap_reauth(dev[0], "SAKE")
1896 logger.info("Negative test with incorrect password")
1897 dev[0].request("REMOVE_NETWORK all")
1898 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1899 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1900 expect_failure=True)
1902 def test_ap_wpa2_eap_eke(dev, apdev):
1903 """WPA2-Enterprise connection using EAP-EKE"""
1904 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1905 hostapd.add_ap(apdev[0]['ifname'], params)
1906 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1907 eap_reauth(dev[0], "EKE")
1909 logger.info("Test forced algorithm selection")
1910 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1911 "dhgroup=4 encr=1 prf=2 mac=2",
1912 "dhgroup=3 encr=1 prf=2 mac=2",
1913 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1914 dev[0].set_network_quoted(id, "phase1", phase1)
1915 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1917 raise Exception("EAP success timed out")
1918 dev[0].wait_connected(timeout=10)
1920 logger.info("Test failed algorithm negotiation")
1921 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1922 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1924 raise Exception("EAP failure timed out")
1926 logger.info("Negative test with incorrect password")
1927 dev[0].request("REMOVE_NETWORK all")
1928 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1929 expect_failure=True)
1931 def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
1932 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
1933 params = int_eap_server_params()
1934 params['server_id'] = 'example.server@w1.fi'
1935 hostapd.add_ap(apdev[0]['ifname'], params)
1936 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1938 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1939 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1940 params = int_eap_server_params()
1941 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1942 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
1944 for count,func in [ (1, "eap_eke_build_commit"),
1945 (2, "eap_eke_build_commit"),
1946 (3, "eap_eke_build_commit"),
1947 (1, "eap_eke_build_confirm"),
1948 (2, "eap_eke_build_confirm"),
1949 (1, "eap_eke_process_commit"),
1950 (2, "eap_eke_process_commit"),
1951 (1, "eap_eke_process_confirm"),
1952 (1, "eap_eke_process_identity"),
1953 (2, "eap_eke_process_identity"),
1954 (3, "eap_eke_process_identity"),
1955 (4, "eap_eke_process_identity") ]:
1956 with alloc_fail(hapd, count, func):
1957 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1958 expect_failure=True)
1959 dev[0].request("REMOVE_NETWORK all")
1961 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1962 (1, "eap_eke_get_session_id", "hello"),
1963 (1, "eap_eke_getKey", "hello"),
1964 (1, "eap_eke_build_msg", "hello"),
1965 (1, "eap_eke_build_failure", "wrong"),
1966 (1, "eap_eke_build_identity", "hello"),
1967 (2, "eap_eke_build_identity", "hello") ]:
1968 with alloc_fail(hapd, count, func):
1969 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1970 eap="EKE", identity="eke user", password=pw,
1971 wait_connect=False, scan_freq="2412")
1972 # This would eventually time out, but we can stop after having
1973 # reached the allocation failure.
1976 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1978 dev[0].request("REMOVE_NETWORK all")
1980 for count in range(1, 1000):
1982 with alloc_fail(hapd, count, "eap_server_sm_step"):
1983 dev[0].connect("test-wpa2-eap",
1984 key_mgmt="WPA-EAP WPA-EAP-SHA256",
1985 eap="EKE", identity="eke user", password=pw,
1986 wait_connect=False, scan_freq="2412")
1987 # This would eventually time out, but we can stop after having
1988 # reached the allocation failure.
1991 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1993 dev[0].request("REMOVE_NETWORK all")
1994 except Exception, e:
1995 if str(e) == "Allocation failure did not trigger":
1997 raise Exception("Too few allocation failures")
1998 logger.info("%d allocation failures tested" % (count - 1))
2002 def test_ap_wpa2_eap_ikev2(dev, apdev):
2003 """WPA2-Enterprise connection using EAP-IKEv2"""
2004 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2005 hostapd.add_ap(apdev[0]['ifname'], params)
2006 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2007 password="ike password")
2008 eap_reauth(dev[0], "IKEV2")
2009 dev[0].request("REMOVE_NETWORK all")
2010 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2011 password="ike password", fragment_size="50")
2013 logger.info("Negative test with incorrect password")
2014 dev[0].request("REMOVE_NETWORK all")
2015 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2016 password="ike-password", expect_failure=True)
2018 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
2019 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2020 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2021 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2022 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2023 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2024 "fragment_size": "50" }
2025 hostapd.add_ap(apdev[0]['ifname'], params)
2026 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
2027 password="ike password")
2028 eap_reauth(dev[0], "IKEV2")
2030 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2031 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2032 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2033 hostapd.add_ap(apdev[0]['ifname'], params)
2035 tests = [ (1, "dh_init"),
2037 (1, "dh_derive_shared") ]
2038 for count, func in tests:
2039 with alloc_fail(dev[0], count, func):
2040 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2041 identity="ikev2 user", password="ike password",
2042 wait_connect=False, scan_freq="2412")
2043 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2045 raise Exception("EAP method not selected")
2047 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2050 dev[0].request("REMOVE_NETWORK all")
2052 tests = [ (1, "os_get_random;dh_init") ]
2053 for count, func in tests:
2054 with fail_test(dev[0], count, func):
2055 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2056 identity="ikev2 user", password="ike password",
2057 wait_connect=False, scan_freq="2412")
2058 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2060 raise Exception("EAP method not selected")
2062 if "0:" in dev[0].request("GET_FAIL"):
2065 dev[0].request("REMOVE_NETWORK all")
2067 def test_ap_wpa2_eap_pax(dev, apdev):
2068 """WPA2-Enterprise connection using EAP-PAX"""
2069 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2070 hostapd.add_ap(apdev[0]['ifname'], params)
2071 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2072 password_hex="0123456789abcdef0123456789abcdef")
2073 eap_reauth(dev[0], "PAX")
2075 logger.info("Negative test with incorrect password")
2076 dev[0].request("REMOVE_NETWORK all")
2077 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2078 password_hex="ff23456789abcdef0123456789abcdef",
2079 expect_failure=True)
2081 def test_ap_wpa2_eap_psk(dev, apdev):
2082 """WPA2-Enterprise connection using EAP-PSK"""
2083 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2084 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2085 params["ieee80211w"] = "2"
2086 hostapd.add_ap(apdev[0]['ifname'], params)
2087 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2088 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
2089 eap_reauth(dev[0], "PSK", sha256=True)
2090 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2091 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2093 bss = dev[0].get_bss(apdev[0]['bssid'])
2094 if 'flags' not in bss:
2095 raise Exception("Could not get BSS flags from BSS table")
2096 if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
2097 raise Exception("Unexpected BSS flags: " + bss['flags'])
2099 logger.info("Negative test with incorrect password")
2100 dev[0].request("REMOVE_NETWORK all")
2101 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
2102 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
2103 expect_failure=True)
2105 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2106 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2107 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2108 hostapd.add_ap(apdev[0]['ifname'], params)
2109 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2110 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2111 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2112 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2113 (1, "=aes_128_eax_encrypt"),
2114 (1, "omac1_aes_vector"),
2115 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2116 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2117 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2118 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2119 (1, "=aes_128_eax_decrypt") ]
2120 for count, func in tests:
2121 with alloc_fail(dev[0], count, func):
2122 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2123 identity="psk.user@example.com",
2124 password_hex="0123456789abcdef0123456789abcdef",
2125 wait_connect=False, scan_freq="2412")
2126 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2128 raise Exception("EAP method not selected")
2130 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2133 dev[0].request("REMOVE_NETWORK all")
2135 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2137 identity="psk.user@example.com",
2138 password_hex="0123456789abcdef0123456789abcdef",
2139 wait_connect=False, scan_freq="2412")
2140 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2142 raise Exception("EAP method failure not reported")
2143 dev[0].request("REMOVE_NETWORK all")
2145 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2146 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2147 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2149 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2150 identity="user", password="password", phase2="auth=MSCHAPV2",
2151 ca_cert="auth_serv/ca.pem", wait_connect=False,
2153 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2154 hwsim_utils.test_connectivity(dev[0], hapd)
2155 eap_reauth(dev[0], "PEAP", rsn=False)
2156 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2157 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2158 status = dev[0].get_status(extra="VERBOSE")
2159 if 'portControl' not in status:
2160 raise Exception("portControl missing from STATUS-VERBOSE")
2161 if status['portControl'] != 'Auto':
2162 raise Exception("Unexpected portControl value: " + status['portControl'])
2163 if 'eap_session_id' not in status:
2164 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2165 if not status['eap_session_id'].startswith("19"):
2166 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2168 def test_ap_wpa2_eap_interactive(dev, apdev):
2169 """WPA2-Enterprise connection using interactive identity/password entry"""
2170 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2171 hostapd.add_ap(apdev[0]['ifname'], params)
2172 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2174 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2175 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2177 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2178 "TTLS", "ttls", None, "auth=MSCHAPV2",
2179 "DOMAIN\mschapv2 user", "password"),
2180 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2181 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2182 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2183 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2184 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2185 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2186 ("Connection with dynamic PEAP/EAP-GTC password entry",
2187 "PEAP", None, "user", "auth=GTC", None, "password") ]
2188 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2190 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2191 anonymous_identity=anon, identity=identity,
2192 ca_cert="auth_serv/ca.pem", phase2=phase2,
2193 wait_connect=False, scan_freq="2412")
2195 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2197 raise Exception("Request for identity timed out")
2198 id = ev.split(':')[0].split('-')[-1]
2199 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2200 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2202 raise Exception("Request for password timed out")
2203 id = ev.split(':')[0].split('-')[-1]
2204 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2205 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2206 dev[0].wait_connected(timeout=10)
2207 dev[0].request("REMOVE_NETWORK all")
2209 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2210 """WPA2-Enterprise connection using EAP vendor test"""
2211 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2212 hostapd.add_ap(apdev[0]['ifname'], params)
2213 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2214 eap_reauth(dev[0], "VENDOR-TEST")
2215 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2218 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
2219 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
2220 check_eap_capa(dev[0], "FAST")
2221 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2222 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2223 eap_connect(dev[0], apdev[0], "FAST", "user",
2224 anonymous_identity="FAST", password="password",
2225 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2226 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
2227 hwsim_utils.test_connectivity(dev[0], hapd)
2228 res = eap_reauth(dev[0], "FAST")
2229 if res['tls_session_reused'] != '1':
2230 raise Exception("EAP-FAST could not use PAC session ticket")
2232 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2233 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2234 check_eap_capa(dev[0], "FAST")
2235 pac_file = os.path.join(params['logdir'], "fast.pac")
2236 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2237 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2238 hostapd.add_ap(apdev[0]['ifname'], params)
2241 eap_connect(dev[0], apdev[0], "FAST", "user",
2242 anonymous_identity="FAST", password="password",
2243 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2244 phase1="fast_provisioning=1", pac_file=pac_file)
2245 with open(pac_file, "r") as f:
2247 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2248 raise Exception("PAC file header missing")
2249 if "PAC-Key=" not in data:
2250 raise Exception("PAC-Key missing from PAC file")
2251 dev[0].request("REMOVE_NETWORK all")
2252 eap_connect(dev[0], apdev[0], "FAST", "user",
2253 anonymous_identity="FAST", password="password",
2254 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2257 eap_connect(dev[1], apdev[0], "FAST", "user",
2258 anonymous_identity="FAST", password="password",
2259 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2260 phase1="fast_provisioning=1 fast_pac_format=binary",
2262 dev[1].request("REMOVE_NETWORK all")
2263 eap_connect(dev[1], apdev[0], "FAST", "user",
2264 anonymous_identity="FAST", password="password",
2265 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2266 phase1="fast_pac_format=binary",
2274 os.remove(pac_file2)
2278 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
2279 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2280 check_eap_capa(dev[0], "FAST")
2281 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2282 hostapd.add_ap(apdev[0]['ifname'], params)
2283 eap_connect(dev[0], apdev[0], "FAST", "user",
2284 anonymous_identity="FAST", password="password",
2285 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2286 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2287 pac_file="blob://fast_pac_bin")
2288 res = eap_reauth(dev[0], "FAST")
2289 if res['tls_session_reused'] != '1':
2290 raise Exception("EAP-FAST could not use PAC session ticket")
2292 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
2293 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2294 check_eap_capa(dev[0], "FAST")
2295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2296 hostapd.add_ap(apdev[0]['ifname'], params)
2298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2299 identity="user", anonymous_identity="FAST",
2300 password="password",
2301 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2302 pac_file="blob://fast_pac_not_in_use",
2303 wait_connect=False, scan_freq="2412")
2304 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2306 raise Exception("Timeout on EAP failure report")
2307 dev[0].request("REMOVE_NETWORK all")
2309 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2310 identity="user", anonymous_identity="FAST",
2311 password="password",
2312 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2313 wait_connect=False, scan_freq="2412")
2314 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2316 raise Exception("Timeout on EAP failure report")
2318 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
2319 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
2320 check_eap_capa(dev[0], "FAST")
2321 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2322 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2323 eap_connect(dev[0], apdev[0], "FAST", "user",
2324 anonymous_identity="FAST", password="password",
2325 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2326 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
2327 hwsim_utils.test_connectivity(dev[0], hapd)
2328 res = eap_reauth(dev[0], "FAST")
2329 if res['tls_session_reused'] != '1':
2330 raise Exception("EAP-FAST could not use PAC session ticket")
2332 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2333 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2334 check_eap_capa(dev[0], "FAST")
2335 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2336 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2337 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2338 anonymous_identity="FAST", password="password",
2339 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2340 phase1="fast_provisioning=2",
2341 pac_file="blob://fast_pac_auth")
2342 dev[0].set_network_quoted(id, "identity", "user2")
2343 dev[0].wait_disconnected()
2344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2346 raise Exception("EAP-FAST not started")
2347 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2349 raise Exception("EAP failure not reported")
2350 dev[0].wait_disconnected()
2352 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2353 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2354 check_eap_capa(dev[0], "FAST")
2355 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2356 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2357 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2358 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2359 identity="user", anonymous_identity="FAST",
2360 password="password", ca_cert="auth_serv/ca.pem",
2362 phase1="fast_provisioning=2",
2363 pac_file="blob://fast_pac_auth",
2364 wait_connect=False, scan_freq="2412")
2365 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2367 raise Exception("EAP failure not reported")
2368 dev[0].request("DISCONNECT")
2370 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2371 """EAP-FAST/MSCHAPv2 and server OOM"""
2372 check_eap_capa(dev[0], "FAST")
2374 params = int_eap_server_params()
2375 params['dh_file'] = 'auth_serv/dh.conf'
2376 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2377 params['eap_fast_a_id'] = '1011'
2378 params['eap_fast_a_id_info'] = 'another test server'
2379 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2381 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2382 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2383 anonymous_identity="FAST", password="password",
2384 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2385 phase1="fast_provisioning=1",
2386 pac_file="blob://fast_pac",
2387 expect_failure=True)
2388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2390 raise Exception("No EAP failure reported")
2391 dev[0].wait_disconnected()
2392 dev[0].request("DISCONNECT")
2394 dev[0].select_network(id, freq="2412")
2396 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
2397 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
2398 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2399 hostapd.add_ap(apdev[0]['ifname'], params)
2400 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
2401 private_key="auth_serv/user.pkcs12",
2402 private_key_passwd="whatever", ocsp=2)
2404 def int_eap_server_params():
2405 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2406 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2407 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2408 "ca_cert": "auth_serv/ca.pem",
2409 "server_cert": "auth_serv/server.pem",
2410 "private_key": "auth_serv/server.key" }
2413 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
2414 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2415 params = int_eap_server_params()
2416 params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2417 hostapd.add_ap(apdev[0]['ifname'], params)
2418 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2419 identity="tls user", ca_cert="auth_serv/ca.pem",
2420 private_key="auth_serv/user.pkcs12",
2421 private_key_passwd="whatever", ocsp=2,
2422 wait_connect=False, scan_freq="2412")
2425 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2427 raise Exception("Timeout on EAP status")
2428 if 'bad certificate status response' in ev:
2432 raise Exception("Unexpected number of EAP status messages")
2434 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2436 raise Exception("Timeout on EAP failure report")
2438 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2439 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2440 params = int_eap_server_params()
2441 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2442 hostapd.add_ap(apdev[0]['ifname'], params)
2443 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2444 identity="tls user", ca_cert="auth_serv/ca.pem",
2445 private_key="auth_serv/user.pkcs12",
2446 private_key_passwd="whatever", ocsp=2,
2447 wait_connect=False, scan_freq="2412")
2450 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2452 raise Exception("Timeout on EAP status")
2453 if 'bad certificate status response' in ev:
2457 raise Exception("Unexpected number of EAP status messages")
2459 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2461 raise Exception("Timeout on EAP failure report")
2463 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
2464 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2465 params = int_eap_server_params()
2466 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2467 hostapd.add_ap(apdev[0]['ifname'], params)
2468 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2469 identity="tls user", ca_cert="auth_serv/ca.pem",
2470 private_key="auth_serv/user.pkcs12",
2471 private_key_passwd="whatever", ocsp=2,
2472 wait_connect=False, scan_freq="2412")
2475 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2477 raise Exception("Timeout on EAP status")
2478 if 'bad certificate status response' in ev:
2482 raise Exception("Unexpected number of EAP status messages")
2484 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2486 raise Exception("Timeout on EAP failure report")
2488 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2489 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2490 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2491 if not os.path.exists(ocsp):
2492 raise HwsimSkip("No OCSP response available")
2493 params = int_eap_server_params()
2494 params["ocsp_stapling_response"] = ocsp
2495 hostapd.add_ap(apdev[0]['ifname'], params)
2496 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2497 identity="pap user", ca_cert="auth_serv/ca.pem",
2498 anonymous_identity="ttls", password="password",
2499 phase2="auth=PAP", ocsp=2,
2500 wait_connect=False, scan_freq="2412")
2503 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2505 raise Exception("Timeout on EAP status")
2506 if 'bad certificate status response' in ev:
2508 if 'certificate revoked' in ev:
2512 raise Exception("Unexpected number of EAP status messages")
2514 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2516 raise Exception("Timeout on EAP failure report")
2518 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2519 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2520 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2521 if not os.path.exists(ocsp):
2522 raise HwsimSkip("No OCSP response available")
2523 params = int_eap_server_params()
2524 params["ocsp_stapling_response"] = ocsp
2525 hostapd.add_ap(apdev[0]['ifname'], params)
2526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2527 identity="pap user", ca_cert="auth_serv/ca.pem",
2528 anonymous_identity="ttls", password="password",
2529 phase2="auth=PAP", ocsp=2,
2530 wait_connect=False, scan_freq="2412")
2533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2535 raise Exception("Timeout on EAP status")
2536 if 'bad certificate status response' in ev:
2540 raise Exception("Unexpected number of EAP status messages")
2542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2544 raise Exception("Timeout on EAP failure report")
2546 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
2547 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2548 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2549 if not os.path.exists(ocsp):
2550 raise HwsimSkip("No OCSP response available")
2551 params = int_eap_server_params()
2552 params["ocsp_stapling_response"] = ocsp
2553 hostapd.add_ap(apdev[0]['ifname'], params)
2554 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2555 identity="pap user", ca_cert="auth_serv/ca.pem",
2556 anonymous_identity="ttls", password="password",
2557 phase2="auth=PAP", ocsp=1, scan_freq="2412")
2559 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2560 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2561 params = int_eap_server_params()
2562 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2563 params["private_key"] = "auth_serv/server-no-dnsname.key"
2564 hostapd.add_ap(apdev[0]['ifname'], params)
2565 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2566 identity="tls user", ca_cert="auth_serv/ca.pem",
2567 private_key="auth_serv/user.pkcs12",
2568 private_key_passwd="whatever",
2569 domain_suffix_match="server3.w1.fi",
2572 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2573 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2574 params = int_eap_server_params()
2575 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2576 params["private_key"] = "auth_serv/server-no-dnsname.key"
2577 hostapd.add_ap(apdev[0]['ifname'], params)
2578 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2579 identity="tls user", ca_cert="auth_serv/ca.pem",
2580 private_key="auth_serv/user.pkcs12",
2581 private_key_passwd="whatever",
2582 domain_match="server3.w1.fi",
2585 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2586 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2587 check_domain_match_full(dev[0])
2588 params = int_eap_server_params()
2589 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2590 params["private_key"] = "auth_serv/server-no-dnsname.key"
2591 hostapd.add_ap(apdev[0]['ifname'], params)
2592 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2593 identity="tls user", ca_cert="auth_serv/ca.pem",
2594 private_key="auth_serv/user.pkcs12",
2595 private_key_passwd="whatever",
2596 domain_suffix_match="w1.fi",
2599 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2600 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2601 params = int_eap_server_params()
2602 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2603 params["private_key"] = "auth_serv/server-no-dnsname.key"
2604 hostapd.add_ap(apdev[0]['ifname'], params)
2605 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2606 identity="tls user", ca_cert="auth_serv/ca.pem",
2607 private_key="auth_serv/user.pkcs12",
2608 private_key_passwd="whatever",
2609 domain_suffix_match="example.com",
2612 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2613 identity="tls user", ca_cert="auth_serv/ca.pem",
2614 private_key="auth_serv/user.pkcs12",
2615 private_key_passwd="whatever",
2616 domain_suffix_match="erver3.w1.fi",
2619 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2621 raise Exception("Timeout on EAP failure report")
2622 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2624 raise Exception("Timeout on EAP failure report (2)")
2626 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2627 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2628 params = int_eap_server_params()
2629 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2630 params["private_key"] = "auth_serv/server-no-dnsname.key"
2631 hostapd.add_ap(apdev[0]['ifname'], params)
2632 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2633 identity="tls user", ca_cert="auth_serv/ca.pem",
2634 private_key="auth_serv/user.pkcs12",
2635 private_key_passwd="whatever",
2636 domain_match="example.com",
2639 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2640 identity="tls user", ca_cert="auth_serv/ca.pem",
2641 private_key="auth_serv/user.pkcs12",
2642 private_key_passwd="whatever",
2643 domain_match="w1.fi",
2646 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2648 raise Exception("Timeout on EAP failure report")
2649 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2651 raise Exception("Timeout on EAP failure report (2)")
2653 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2654 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2655 params = int_eap_server_params()
2656 params["server_cert"] = "auth_serv/server-expired.pem"
2657 params["private_key"] = "auth_serv/server-expired.key"
2658 hostapd.add_ap(apdev[0]['ifname'], params)
2659 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2660 identity="mschap user", password="password",
2661 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2664 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2666 raise Exception("Timeout on EAP certificate error report")
2667 if "reason=4" not in ev or "certificate has expired" not in ev:
2668 raise Exception("Unexpected failure reason: " + ev)
2669 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2671 raise Exception("Timeout on EAP failure report")
2673 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2674 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2675 params = int_eap_server_params()
2676 params["server_cert"] = "auth_serv/server-expired.pem"
2677 params["private_key"] = "auth_serv/server-expired.key"
2678 hostapd.add_ap(apdev[0]['ifname'], params)
2679 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2680 identity="mschap user", password="password",
2681 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2682 phase1="tls_disable_time_checks=1",
2685 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2686 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2687 params = int_eap_server_params()
2688 params["server_cert"] = "auth_serv/server-long-duration.pem"
2689 params["private_key"] = "auth_serv/server-long-duration.key"
2690 hostapd.add_ap(apdev[0]['ifname'], params)
2691 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2692 identity="mschap user", password="password",
2693 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2696 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2697 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2698 params = int_eap_server_params()
2699 params["server_cert"] = "auth_serv/server-eku-client.pem"
2700 params["private_key"] = "auth_serv/server-eku-client.key"
2701 hostapd.add_ap(apdev[0]['ifname'], params)
2702 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2703 identity="mschap user", password="password",
2704 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2707 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2709 raise Exception("Timeout on EAP failure report")
2711 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2712 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2713 params = int_eap_server_params()
2714 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2715 params["private_key"] = "auth_serv/server-eku-client-server.key"
2716 hostapd.add_ap(apdev[0]['ifname'], params)
2717 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2718 identity="mschap user", password="password",
2719 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2722 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2723 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2724 params = int_eap_server_params()
2725 del params["server_cert"]
2726 params["private_key"] = "auth_serv/server.pkcs12"
2727 hostapd.add_ap(apdev[0]['ifname'], params)
2728 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2729 identity="mschap user", password="password",
2730 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2733 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
2734 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
2735 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2736 hostapd.add_ap(apdev[0]['ifname'], params)
2737 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
2738 anonymous_identity="ttls", password="password",
2739 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
2740 dh_file="auth_serv/dh.conf")
2742 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
2743 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
2744 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2745 hostapd.add_ap(apdev[0]['ifname'], params)
2746 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
2747 anonymous_identity="ttls", password="password",
2748 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
2749 dh_file="auth_serv/dsaparam.pem")
2751 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2752 """EAP-TTLS and DH params file not found"""
2753 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2754 hostapd.add_ap(apdev[0]['ifname'], params)
2755 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2756 identity="mschap user", password="password",
2757 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2758 dh_file="auth_serv/dh-no-such-file.conf",
2759 scan_freq="2412", wait_connect=False)
2760 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2762 raise Exception("EAP failure timed out")
2763 dev[0].request("REMOVE_NETWORK all")
2764 dev[0].wait_disconnected()
2766 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2767 """EAP-TTLS and invalid DH params file"""
2768 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2769 hostapd.add_ap(apdev[0]['ifname'], params)
2770 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2771 identity="mschap user", password="password",
2772 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2773 dh_file="auth_serv/ca.pem",
2774 scan_freq="2412", wait_connect=False)
2775 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2777 raise Exception("EAP failure timed out")
2778 dev[0].request("REMOVE_NETWORK all")
2779 dev[0].wait_disconnected()
2781 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
2782 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
2783 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2784 hostapd.add_ap(apdev[0]['ifname'], params)
2785 dh = read_pem("auth_serv/dh2.conf")
2786 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
2787 raise Exception("Could not set dhparams blob")
2788 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
2789 anonymous_identity="ttls", password="password",
2790 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
2791 dh_file="blob://dhparams")
2793 def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
2794 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
2795 params = int_eap_server_params()
2796 params["dh_file"] = "auth_serv/dh2.conf"
2797 hostapd.add_ap(apdev[0]['ifname'], params)
2798 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
2799 anonymous_identity="ttls", password="password",
2800 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
2802 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
2803 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
2804 params = int_eap_server_params()
2805 params["dh_file"] = "auth_serv/dsaparam.pem"
2806 hostapd.add_ap(apdev[0]['ifname'], params)
2807 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
2808 anonymous_identity="ttls", password="password",
2809 ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
2811 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2812 """EAP-TLS server and dhparams file not found"""
2813 params = int_eap_server_params()
2814 params["dh_file"] = "auth_serv/dh-no-such-file.conf"
2815 hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2816 if "FAIL" not in hapd.request("ENABLE"):
2817 raise Exception("Invalid configuration accepted")
2819 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2820 """EAP-TLS server and invalid dhparams file"""
2821 params = int_eap_server_params()
2822 params["dh_file"] = "auth_serv/ca.pem"
2823 hapd = hostapd.add_ap(apdev[0]['ifname'], params, no_enable=True)
2824 if "FAIL" not in hapd.request("ENABLE"):
2825 raise Exception("Invalid configuration accepted")
2827 def test_ap_wpa2_eap_reauth(dev, apdev):
2828 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2829 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2830 params['eap_reauth_period'] = '2'
2831 hostapd.add_ap(apdev[0]['ifname'], params)
2832 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2833 password_hex="0123456789abcdef0123456789abcdef")
2834 logger.info("Wait for reauthentication")
2835 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2837 raise Exception("Timeout on reauthentication")
2838 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2840 raise Exception("Timeout on reauthentication")
2841 for i in range(0, 20):
2842 state = dev[0].get_status_field("wpa_state")
2843 if state == "COMPLETED":
2846 if state != "COMPLETED":
2847 raise Exception("Reauthentication did not complete")
2849 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
2850 """Optional displayable message in EAP Request-Identity"""
2851 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2852 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
2853 hostapd.add_ap(apdev[0]['ifname'], params)
2854 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2855 password_hex="0123456789abcdef0123456789abcdef")
2857 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
2858 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
2859 check_hlr_auc_gw_support()
2860 params = int_eap_server_params()
2861 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
2862 params['eap_sim_aka_result_ind'] = "1"
2863 hostapd.add_ap(apdev[0]['ifname'], params)
2865 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
2866 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
2867 phase1="result_ind=1")
2868 eap_reauth(dev[0], "SIM")
2869 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
2870 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
2872 dev[0].request("REMOVE_NETWORK all")
2873 dev[1].request("REMOVE_NETWORK all")
2875 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2876 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2877 phase1="result_ind=1")
2878 eap_reauth(dev[0], "AKA")
2879 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2880 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2882 dev[0].request("REMOVE_NETWORK all")
2883 dev[1].request("REMOVE_NETWORK all")
2885 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2886 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2887 phase1="result_ind=1")
2888 eap_reauth(dev[0], "AKA'")
2889 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2890 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2892 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2893 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2894 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2895 hostapd.add_ap(apdev[0]['ifname'], params)
2896 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2897 eap="TTLS", identity="mschap user",
2898 wait_connect=False, scan_freq="2412", ieee80211w="1",
2899 anonymous_identity="ttls", password="password",
2900 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2902 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2904 raise Exception("EAP roundtrip limit not reached")
2906 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2907 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2908 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2909 hostapd.add_ap(apdev[0]['ifname'], params)
2910 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2911 eap="PSK", identity="vendor-test",
2912 password_hex="ff23456789abcdef0123456789abcdef",
2916 for i in range(0, 5):
2917 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2919 raise Exception("Association and EAP start timed out")
2920 if "refuse proposed method" in ev:
2924 raise Exception("Unexpected EAP status: " + ev)
2926 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2928 raise Exception("EAP failure timed out")
2930 def test_ap_wpa2_eap_sql(dev, apdev, params):
2931 """WPA2-Enterprise connection using SQLite for user DB"""
2935 raise HwsimSkip("No sqlite3 module available")
2936 dbfile = os.path.join(params['logdir'], "eap-user.db")
2941 con = sqlite3.connect(dbfile)
2944 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2945 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2946 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2947 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2948 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2949 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2950 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2951 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2954 params = int_eap_server_params()
2955 params["eap_user_file"] = "sqlite:" + dbfile
2956 hostapd.add_ap(apdev[0]['ifname'], params)
2957 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
2958 anonymous_identity="ttls", password="password",
2959 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
2960 dev[0].request("REMOVE_NETWORK all")
2961 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
2962 anonymous_identity="ttls", password="password",
2963 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
2964 dev[1].request("REMOVE_NETWORK all")
2965 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
2966 anonymous_identity="ttls", password="password",
2967 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
2968 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
2969 anonymous_identity="ttls", password="password",
2970 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2974 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
2975 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2976 params = int_eap_server_params()
2977 hostapd.add_ap(apdev[0]['ifname'], params)
2978 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2979 identity="\x80", password="password", wait_connect=False)
2980 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2981 identity="a\x80", password="password", wait_connect=False)
2982 for i in range(0, 2):
2983 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2985 raise Exception("Association and EAP start timed out")
2986 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2988 raise Exception("EAP method selection timed out")
2990 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
2991 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2992 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2993 hostapd.add_ap(apdev[0]['ifname'], params)
2994 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2995 identity="\x80", password="password", wait_connect=False)
2996 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2997 identity="a\x80", password="password", wait_connect=False)
2998 for i in range(0, 2):
2999 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
3001 raise Exception("Association and EAP start timed out")
3002 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
3004 raise Exception("EAP method selection timed out")
3006 def test_openssl_cipher_suite_config_wpas(dev, apdev):
3007 """OpenSSL cipher suite configuration on wpa_supplicant"""
3008 tls = dev[0].request("GET tls_library")
3009 if not tls.startswith("OpenSSL"):
3010 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
3011 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3012 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3013 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3014 anonymous_identity="ttls", password="password",
3015 openssl_ciphers="AES128",
3016 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3017 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3018 anonymous_identity="ttls", password="password",
3019 openssl_ciphers="EXPORT",
3020 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3021 expect_failure=True)
3022 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
3023 identity="pap user", anonymous_identity="ttls",
3024 password="password",
3025 openssl_ciphers="FOO",
3026 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3028 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
3030 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3031 dev[2].request("DISCONNECT")
3033 def test_openssl_cipher_suite_config_hapd(dev, apdev):
3034 """OpenSSL cipher suite configuration on hostapd"""
3035 tls = dev[0].request("GET tls_library")
3036 if not tls.startswith("OpenSSL"):
3037 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
3038 params = int_eap_server_params()
3039 params['openssl_ciphers'] = "AES256"
3040 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3041 tls = hapd.request("GET tls_library")
3042 if not tls.startswith("OpenSSL"):
3043 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
3044 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3045 anonymous_identity="ttls", password="password",
3046 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3047 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
3048 anonymous_identity="ttls", password="password",
3049 openssl_ciphers="AES128",
3050 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
3051 expect_failure=True)
3052 eap_connect(dev[2], apdev[0], "TTLS", "pap user",
3053 anonymous_identity="ttls", password="password",
3054 openssl_ciphers="HIGH:!ADH",
3055 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3057 params['openssl_ciphers'] = "FOO"
3058 hapd2 = hostapd.add_ap(apdev[1]['ifname'], params, no_enable=True)
3059 if "FAIL" not in hapd2.request("ENABLE"):
3060 raise Exception("Invalid openssl_ciphers value accepted")
3062 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
3063 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3064 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3065 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3066 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3067 pid = find_wpas_process(dev[0])
3068 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3069 anonymous_identity="ttls", password=password,
3070 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3072 buf = read_process_memory(pid, password)
3074 dev[0].request("DISCONNECT")
3075 dev[0].wait_disconnected()
3083 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3084 for l in f.readlines():
3085 if "EAP-TTLS: Derived key - hexdump" in l:
3086 val = l.strip().split(':')[3].replace(' ', '')
3087 msk = binascii.unhexlify(val)
3088 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3089 val = l.strip().split(':')[3].replace(' ', '')
3090 emsk = binascii.unhexlify(val)
3091 if "WPA: PMK - hexdump" in l:
3092 val = l.strip().split(':')[3].replace(' ', '')
3093 pmk = binascii.unhexlify(val)
3094 if "WPA: PTK - hexdump" in l:
3095 val = l.strip().split(':')[3].replace(' ', '')
3096 ptk = binascii.unhexlify(val)
3097 if "WPA: Group Key - hexdump" in l:
3098 val = l.strip().split(':')[3].replace(' ', '')
3099 gtk = binascii.unhexlify(val)
3100 if not msk or not emsk or not pmk or not ptk or not gtk:
3101 raise Exception("Could not find keys from debug log")
3103 raise Exception("Unexpected GTK length")
3109 fname = os.path.join(params['logdir'],
3110 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3112 logger.info("Checking keys in memory while associated")
3113 get_key_locations(buf, password, "Password")
3114 get_key_locations(buf, pmk, "PMK")
3115 get_key_locations(buf, msk, "MSK")
3116 get_key_locations(buf, emsk, "EMSK")
3117 if password not in buf:
3118 raise HwsimSkip("Password not found while associated")
3120 raise HwsimSkip("PMK not found while associated")
3122 raise Exception("KCK not found while associated")
3124 raise Exception("KEK not found while associated")
3126 raise Exception("TK found from memory")
3128 raise Exception("GTK found from memory")
3130 logger.info("Checking keys in memory after disassociation")
3131 buf = read_process_memory(pid, password)
3133 # Note: Password is still present in network configuration
3134 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3136 get_key_locations(buf, password, "Password")
3137 get_key_locations(buf, pmk, "PMK")
3138 get_key_locations(buf, msk, "MSK")
3139 get_key_locations(buf, emsk, "EMSK")
3140 verify_not_present(buf, kck, fname, "KCK")
3141 verify_not_present(buf, kek, fname, "KEK")
3142 verify_not_present(buf, tk, fname, "TK")
3143 verify_not_present(buf, gtk, fname, "GTK")
3145 dev[0].request("PMKSA_FLUSH")
3146 dev[0].set_network_quoted(id, "identity", "foo")
3147 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3148 buf = read_process_memory(pid, password)
3149 get_key_locations(buf, password, "Password")
3150 get_key_locations(buf, pmk, "PMK")
3151 get_key_locations(buf, msk, "MSK")
3152 get_key_locations(buf, emsk, "EMSK")
3153 verify_not_present(buf, pmk, fname, "PMK")
3155 dev[0].request("REMOVE_NETWORK all")
3157 logger.info("Checking keys in memory after network profile removal")
3158 buf = read_process_memory(pid, password)
3160 get_key_locations(buf, password, "Password")
3161 get_key_locations(buf, pmk, "PMK")
3162 get_key_locations(buf, msk, "MSK")
3163 get_key_locations(buf, emsk, "EMSK")
3164 verify_not_present(buf, password, fname, "password")
3165 verify_not_present(buf, pmk, fname, "PMK")
3166 verify_not_present(buf, kck, fname, "KCK")
3167 verify_not_present(buf, kek, fname, "KEK")
3168 verify_not_present(buf, tk, fname, "TK")
3169 verify_not_present(buf, gtk, fname, "GTK")
3170 verify_not_present(buf, msk, fname, "MSK")
3171 verify_not_present(buf, emsk, fname, "EMSK")
3173 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
3174 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3175 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3176 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3177 bssid = apdev[0]['bssid']
3178 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3179 anonymous_identity="ttls", password="password",
3180 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3182 # Send unexpected WEP EAPOL-Key; this gets dropped
3183 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3185 raise Exception("EAPOL_RX to wpa_supplicant failed")
3187 def test_ap_wpa2_eap_in_bridge(dev, apdev):
3188 """WPA2-EAP and wpas interface in a bridge"""
3192 _test_ap_wpa2_eap_in_bridge(dev, apdev)
3194 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
3195 subprocess.call(['brctl', 'delif', br_ifname, ifname])
3196 subprocess.call(['brctl', 'delbr', br_ifname])
3197 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
3199 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
3200 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3201 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3205 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
3206 subprocess.call(['brctl', 'addbr', br_ifname])
3207 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
3208 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
3209 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
3210 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
3211 wpas.interface_add(ifname, br_ifname=br_ifname)
3213 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
3214 password_hex="0123456789abcdef0123456789abcdef")
3215 eap_reauth(wpas, "PAX")
3216 # Try again as a regression test for packet socket workaround
3217 eap_reauth(wpas, "PAX")
3218 wpas.request("DISCONNECT")
3219 wpas.wait_disconnected()
3220 wpas.request("RECONNECT")
3221 wpas.wait_connected()
3223 def test_ap_wpa2_eap_session_ticket(dev, apdev):
3224 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
3225 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3226 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3227 key_mgmt = hapd.get_config()['key_mgmt']
3228 if key_mgmt.split(' ')[0] != "WPA-EAP":
3229 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3230 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3231 anonymous_identity="ttls", password="password",
3232 ca_cert="auth_serv/ca.pem",
3233 phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
3234 eap_reauth(dev[0], "TTLS")
3236 def test_ap_wpa2_eap_no_workaround(dev, apdev):
3237 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3238 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3239 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3240 key_mgmt = hapd.get_config()['key_mgmt']
3241 if key_mgmt.split(' ')[0] != "WPA-EAP":
3242 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
3243 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
3244 anonymous_identity="ttls", password="password",
3245 ca_cert="auth_serv/ca.pem", eap_workaround='0',
3247 eap_reauth(dev[0], "TTLS")
3249 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
3250 """EAP-TLS and server checking CRL"""
3251 params = int_eap_server_params()
3252 params['check_crl'] = '1'
3253 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3255 # check_crl=1 and no CRL available --> reject connection
3256 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3257 client_cert="auth_serv/user.pem",
3258 private_key="auth_serv/user.key", expect_failure=True)
3259 dev[0].request("REMOVE_NETWORK all")
3262 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
3265 # check_crl=1 and valid CRL --> accept
3266 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3267 client_cert="auth_serv/user.pem",
3268 private_key="auth_serv/user.key")
3269 dev[0].request("REMOVE_NETWORK all")
3272 hapd.set("check_crl", "2")
3275 # check_crl=2 and valid CRL --> accept
3276 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3277 client_cert="auth_serv/user.pem",
3278 private_key="auth_serv/user.key")
3279 dev[0].request("REMOVE_NETWORK all")
3281 def test_ap_wpa2_eap_tls_oom(dev, apdev):
3282 """EAP-TLS and OOM"""
3283 check_subject_match_support(dev[0])
3284 check_altsubject_match_support(dev[0])
3285 check_domain_match_full(dev[0])
3287 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3288 hostapd.add_ap(apdev[0]['ifname'], params)
3290 tests = [ (1, "tls_connection_set_subject_match"),
3291 (2, "tls_connection_set_subject_match"),
3292 (3, "tls_connection_set_subject_match"),
3293 (4, "tls_connection_set_subject_match") ]
3294 for count, func in tests:
3295 with alloc_fail(dev[0], count, func):
3296 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3297 identity="tls user", ca_cert="auth_serv/ca.pem",
3298 client_cert="auth_serv/user.pem",
3299 private_key="auth_serv/user.key",
3300 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
3301 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3302 domain_suffix_match="server.w1.fi",
3303 domain_match="server.w1.fi",
3304 wait_connect=False, scan_freq="2412")
3305 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3306 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
3308 raise Exception("No passphrase request")
3309 dev[0].request("REMOVE_NETWORK all")
3310 dev[0].wait_disconnected()
3312 def test_ap_wpa2_eap_tls_macacl(dev, apdev):
3313 """WPA2-Enterprise connection using MAC ACL"""
3314 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3315 params["macaddr_acl"] = "2"
3316 hostapd.add_ap(apdev[0]['ifname'], params)
3317 eap_connect(dev[1], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3318 client_cert="auth_serv/user.pem",
3319 private_key="auth_serv/user.key")
3321 def test_ap_wpa2_eap_oom(dev, apdev):
3322 """EAP server and OOM"""
3323 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3324 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3325 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
3327 with alloc_fail(hapd, 1, "eapol_auth_alloc"):
3328 # The first attempt fails, but STA will send EAPOL-Start to retry and
3330 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
3331 identity="tls user", ca_cert="auth_serv/ca.pem",
3332 client_cert="auth_serv/user.pem",
3333 private_key="auth_serv/user.key",
3336 def check_tls_ver(dev, ap, phase1, expected):
3337 eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
3338 client_cert="auth_serv/user.pem",
3339 private_key="auth_serv/user.key",
3341 ver = dev.get_status_field("eap_tls_version")
3343 raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
3345 def test_ap_wpa2_eap_tls_versions(dev, apdev):
3346 """EAP-TLS and TLS version configuration"""
3347 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3348 hostapd.add_ap(apdev[0]['ifname'], params)
3350 tls = dev[0].request("GET tls_library")
3351 if tls.startswith("OpenSSL"):
3352 if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
3353 check_tls_ver(dev[0], apdev[0],
3354 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3356 check_tls_ver(dev[1], apdev[0],
3357 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3358 check_tls_ver(dev[2], apdev[0],
3359 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
projects / mech_eap.git / blob