1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
28 openssl_imported = True
30 openssl_imported = False
32 def check_hlr_auc_gw_support():
33 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
34 raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev, method):
37 res = dev.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method)
41 def check_subject_match_support(dev):
42 tls = dev.request("GET tls_library")
43 if not tls.startswith("OpenSSL"):
44 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
46 def check_altsubject_match_support(dev):
47 tls = dev.request("GET tls_library")
48 if not tls.startswith("OpenSSL"):
49 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
51 def check_domain_match(dev):
52 tls = dev.request("GET tls_library")
53 if tls.startswith("internal"):
54 raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
56 def check_domain_suffix_match(dev):
57 tls = dev.request("GET tls_library")
58 if tls.startswith("internal"):
59 raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls)
61 def check_domain_match_full(dev):
62 tls = dev.request("GET tls_library")
63 if not tls.startswith("OpenSSL"):
64 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
66 def check_cert_probe_support(dev):
67 tls = dev.request("GET tls_library")
68 if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
69 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
71 def check_ext_cert_check_support(dev):
72 tls = dev.request("GET tls_library")
73 if not tls.startswith("OpenSSL"):
74 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
76 def check_ocsp_support(dev):
77 tls = dev.request("GET tls_library")
78 #if tls.startswith("internal"):
79 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
80 #if "BoringSSL" in tls:
81 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
83 def check_ocsp_multi_support(dev):
84 tls = dev.request("GET tls_library")
85 if not tls.startswith("internal"):
86 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls)
87 as_hapd = hostapd.Hostapd("as")
88 res = as_hapd.request("GET tls_library")
90 if not res.startswith("internal"):
91 raise HwsimSkip("Authentication server does not support ocsp_multi")
93 def check_pkcs12_support(dev):
94 tls = dev.request("GET tls_library")
95 #if tls.startswith("internal"):
96 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
98 def check_dh_dsa_support(dev):
99 tls = dev.request("GET tls_library")
100 if tls.startswith("internal"):
101 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
117 def eap_connect(dev, ap, method, identity,
118 sha256=False, expect_failure=False, local_error_report=False,
119 maybe_local_error=False, **kwargs):
120 hapd = hostapd.Hostapd(ap['ifname'])
121 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
122 eap=method, identity=identity,
123 wait_connect=False, scan_freq="2412", ieee80211w="1",
125 eap_check_auth(dev, method, True, sha256=sha256,
126 expect_failure=expect_failure,
127 local_error_report=local_error_report,
128 maybe_local_error=maybe_local_error)
131 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
133 raise Exception("No connection event received from hostapd")
136 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
137 expect_failure=False, local_error_report=False,
138 maybe_local_error=False):
139 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
141 raise Exception("Association and EAP start timed out")
142 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
143 "CTRL-EVENT-EAP-FAILURE"], timeout=10)
145 raise Exception("EAP method selection timed out")
146 if "CTRL-EVENT-EAP-FAILURE" in ev:
147 if maybe_local_error:
149 raise Exception("Could not select EAP method")
151 raise Exception("Unexpected EAP method")
153 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
155 raise Exception("EAP failure timed out")
156 ev = dev.wait_disconnected(timeout=10)
157 if maybe_local_error and "locally_generated=1" in ev:
159 if not local_error_report:
160 if "reason=23" not in ev:
161 raise Exception("Proper reason code for disconnection not reported")
163 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
165 raise Exception("EAP success timed out")
168 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
170 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
172 raise Exception("Association with the AP timed out")
173 status = dev.get_status()
174 if status["wpa_state"] != "COMPLETED":
175 raise Exception("Connection not completed")
177 if status["suppPortStatus"] != "Authorized":
178 raise Exception("Port not authorized")
179 if "selectedMethod" not in status:
180 logger.info("Status: " + str(status))
181 raise Exception("No selectedMethod in status")
182 if method not in status["selectedMethod"]:
183 raise Exception("Incorrect EAP method status")
185 e = "WPA2-EAP-SHA256"
187 e = "WPA2/IEEE 802.1X/EAP"
189 e = "WPA/IEEE 802.1X/EAP"
190 if status["key_mgmt"] != e:
191 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
194 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
195 dev.request("REAUTHENTICATE")
196 return eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
197 expect_failure=expect_failure)
199 def test_ap_wpa2_eap_sim(dev, apdev):
200 """WPA2-Enterprise connection using EAP-SIM"""
201 check_hlr_auc_gw_support()
202 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
203 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
204 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
205 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
206 hwsim_utils.test_connectivity(dev[0], hapd)
207 eap_reauth(dev[0], "SIM")
209 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
210 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
211 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
212 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
215 logger.info("Negative test with incorrect key")
216 dev[0].request("REMOVE_NETWORK all")
217 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
218 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
221 logger.info("Invalid GSM-Milenage key")
222 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
227 logger.info("Invalid GSM-Milenage key(2)")
228 dev[0].request("REMOVE_NETWORK all")
229 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
230 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
233 logger.info("Invalid GSM-Milenage key(3)")
234 dev[0].request("REMOVE_NETWORK all")
235 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
236 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
239 logger.info("Invalid GSM-Milenage key(4)")
240 dev[0].request("REMOVE_NETWORK all")
241 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
242 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
245 logger.info("Missing key configuration")
246 dev[0].request("REMOVE_NETWORK all")
247 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
250 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
251 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
252 check_hlr_auc_gw_support()
256 raise HwsimSkip("No sqlite3 module available")
257 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
258 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
259 params['auth_server_port'] = "1814"
260 hostapd.add_ap(apdev[0]['ifname'], params)
261 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
262 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
264 logger.info("SIM fast re-authentication")
265 eap_reauth(dev[0], "SIM")
267 logger.info("SIM full auth with pseudonym")
270 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
271 eap_reauth(dev[0], "SIM")
273 logger.info("SIM full auth with permanent identity")
276 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
277 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
278 eap_reauth(dev[0], "SIM")
280 logger.info("SIM reauth with mismatching MK")
283 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
284 eap_reauth(dev[0], "SIM", expect_failure=True)
285 dev[0].request("REMOVE_NETWORK all")
287 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
288 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
291 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
292 eap_reauth(dev[0], "SIM")
295 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 logger.info("SIM reauth with mismatching counter")
297 eap_reauth(dev[0], "SIM")
298 dev[0].request("REMOVE_NETWORK all")
300 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
301 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
304 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
305 logger.info("SIM reauth with max reauth count reached")
306 eap_reauth(dev[0], "SIM")
308 def test_ap_wpa2_eap_sim_config(dev, apdev):
309 """EAP-SIM configuration options"""
310 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
311 hostapd.add_ap(apdev[0]['ifname'], params)
312 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
313 identity="1232010000000000",
314 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
315 phase1="sim_min_num_chal=1",
316 wait_connect=False, scan_freq="2412")
317 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
319 raise Exception("No EAP error message seen")
320 dev[0].request("REMOVE_NETWORK all")
322 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
323 identity="1232010000000000",
324 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
325 phase1="sim_min_num_chal=4",
326 wait_connect=False, scan_freq="2412")
327 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
329 raise Exception("No EAP error message seen (2)")
330 dev[0].request("REMOVE_NETWORK all")
332 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
333 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
334 phase1="sim_min_num_chal=2")
335 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
336 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
337 anonymous_identity="345678")
339 def test_ap_wpa2_eap_sim_ext(dev, apdev):
340 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
342 _test_ap_wpa2_eap_sim_ext(dev, apdev)
344 dev[0].request("SET external_sim 0")
346 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
347 check_hlr_auc_gw_support()
348 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
349 hostapd.add_ap(apdev[0]['ifname'], params)
350 dev[0].request("SET external_sim 1")
351 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
352 identity="1232010000000000",
353 wait_connect=False, scan_freq="2412")
354 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
356 raise Exception("Network connected timed out")
358 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
360 raise Exception("Wait for external SIM processing request timed out")
362 if p[1] != "GSM-AUTH":
363 raise Exception("Unexpected CTRL-REQ-SIM type")
364 rid = p[0].split('-')[3]
367 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
368 # This will fail during processing, but the ctrl_iface command succeeds
369 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
370 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
372 raise Exception("EAP failure not reported")
373 dev[0].request("DISCONNECT")
374 dev[0].wait_disconnected()
377 dev[0].select_network(id, freq="2412")
378 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
380 raise Exception("Wait for external SIM processing request timed out")
382 if p[1] != "GSM-AUTH":
383 raise Exception("Unexpected CTRL-REQ-SIM type")
384 rid = p[0].split('-')[3]
385 # This will fail during GSM auth validation
386 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
387 raise Exception("CTRL-RSP-SIM failed")
388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
390 raise Exception("EAP failure not reported")
391 dev[0].request("DISCONNECT")
392 dev[0].wait_disconnected()
395 dev[0].select_network(id, freq="2412")
396 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
398 raise Exception("Wait for external SIM processing request timed out")
400 if p[1] != "GSM-AUTH":
401 raise Exception("Unexpected CTRL-REQ-SIM type")
402 rid = p[0].split('-')[3]
403 # This will fail during GSM auth validation
404 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
405 raise Exception("CTRL-RSP-SIM failed")
406 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
408 raise Exception("EAP failure not reported")
409 dev[0].request("DISCONNECT")
410 dev[0].wait_disconnected()
413 dev[0].select_network(id, freq="2412")
414 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
416 raise Exception("Wait for external SIM processing request timed out")
418 if p[1] != "GSM-AUTH":
419 raise Exception("Unexpected CTRL-REQ-SIM type")
420 rid = p[0].split('-')[3]
421 # This will fail during GSM auth validation
422 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
423 raise Exception("CTRL-RSP-SIM failed")
424 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
426 raise Exception("EAP failure not reported")
427 dev[0].request("DISCONNECT")
428 dev[0].wait_disconnected()
431 dev[0].select_network(id, freq="2412")
432 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
434 raise Exception("Wait for external SIM processing request timed out")
436 if p[1] != "GSM-AUTH":
437 raise Exception("Unexpected CTRL-REQ-SIM type")
438 rid = p[0].split('-')[3]
439 # This will fail during GSM auth validation
440 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
441 raise Exception("CTRL-RSP-SIM failed")
442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
444 raise Exception("EAP failure not reported")
445 dev[0].request("DISCONNECT")
446 dev[0].wait_disconnected()
449 dev[0].select_network(id, freq="2412")
450 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
452 raise Exception("Wait for external SIM processing request timed out")
454 if p[1] != "GSM-AUTH":
455 raise Exception("Unexpected CTRL-REQ-SIM type")
456 rid = p[0].split('-')[3]
457 # This will fail during GSM auth validation
458 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
459 raise Exception("CTRL-RSP-SIM failed")
460 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
462 raise Exception("EAP failure not reported")
463 dev[0].request("DISCONNECT")
464 dev[0].wait_disconnected()
467 dev[0].select_network(id, freq="2412")
468 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
470 raise Exception("Wait for external SIM processing request timed out")
472 if p[1] != "GSM-AUTH":
473 raise Exception("Unexpected CTRL-REQ-SIM type")
474 rid = p[0].split('-')[3]
475 # This will fail during GSM auth validation
476 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
477 raise Exception("CTRL-RSP-SIM failed")
478 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
480 raise Exception("EAP failure not reported")
482 def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
483 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
485 _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
487 dev[0].request("SET external_sim 0")
489 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
490 check_hlr_auc_gw_support()
491 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
492 hostapd.add_ap(apdev[0]['ifname'], params)
493 dev[0].request("SET external_sim 1")
494 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
495 identity="1232010000000000",
496 wait_connect=False, scan_freq="2412")
498 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
500 raise Exception("Wait for external SIM processing request timed out")
502 if p[1] != "GSM-AUTH":
503 raise Exception("Unexpected CTRL-REQ-SIM type")
504 rid = p[0].split('-')[3]
505 rand = p[2].split(' ')[0]
507 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
509 "auth_serv/hlr_auc_gw.milenage_db",
510 "GSM-AUTH-REQ 232010000000000 " + rand])
511 if "GSM-AUTH-RESP" not in res:
512 raise Exception("Unexpected hlr_auc_gw response")
513 resp = res.split(' ')[2].rstrip()
515 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
516 dev[0].wait_connected(timeout=15)
517 dev[0].request("DISCONNECT")
518 dev[0].wait_disconnected()
520 # Replace SIM, but forget to drop the previous pseudonym identity
521 dev[0].set_network_quoted(id, "identity", "1232010000000009")
522 dev[0].select_network(id, freq="2412")
524 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
526 raise Exception("Wait for external SIM processing request timed out")
528 if p[1] != "GSM-AUTH":
529 raise Exception("Unexpected CTRL-REQ-SIM type")
530 rid = p[0].split('-')[3]
531 rand = p[2].split(' ')[0]
533 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
535 "auth_serv/hlr_auc_gw.milenage_db",
536 "GSM-AUTH-REQ 232010000000009 " + rand])
537 if "GSM-AUTH-RESP" not in res:
538 raise Exception("Unexpected hlr_auc_gw response")
539 resp = res.split(' ')[2].rstrip()
541 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
544 raise Exception("EAP-Failure not reported")
545 dev[0].request("DISCONNECT")
546 dev[0].wait_disconnected()
548 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
549 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
551 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
553 dev[0].request("SET external_sim 0")
555 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
556 check_hlr_auc_gw_support()
557 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
558 hostapd.add_ap(apdev[0]['ifname'], params)
559 dev[0].request("SET external_sim 1")
560 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
561 identity="1232010000000000",
562 wait_connect=False, scan_freq="2412")
564 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p[1] != "GSM-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid = p[0].split('-')[3]
571 rand = p[2].split(' ')[0]
573 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
575 "auth_serv/hlr_auc_gw.milenage_db",
576 "GSM-AUTH-REQ 232010000000000 " + rand])
577 if "GSM-AUTH-RESP" not in res:
578 raise Exception("Unexpected hlr_auc_gw response")
579 resp = res.split(' ')[2].rstrip()
581 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
582 dev[0].wait_connected(timeout=15)
583 dev[0].request("DISCONNECT")
584 dev[0].wait_disconnected()
586 # Replace SIM and drop the previous pseudonym identity
587 dev[0].set_network_quoted(id, "identity", "1232010000000009")
588 dev[0].set_network(id, "anonymous_identity", "NULL")
589 dev[0].select_network(id, freq="2412")
591 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
593 raise Exception("Wait for external SIM processing request timed out")
595 if p[1] != "GSM-AUTH":
596 raise Exception("Unexpected CTRL-REQ-SIM type")
597 rid = p[0].split('-')[3]
598 rand = p[2].split(' ')[0]
600 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
602 "auth_serv/hlr_auc_gw.milenage_db",
603 "GSM-AUTH-REQ 232010000000009 " + rand])
604 if "GSM-AUTH-RESP" not in res:
605 raise Exception("Unexpected hlr_auc_gw response")
606 resp = res.split(' ')[2].rstrip()
608 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
609 dev[0].wait_connected()
610 dev[0].request("DISCONNECT")
611 dev[0].wait_disconnected()
613 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
614 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
616 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
618 dev[0].request("SET external_sim 0")
620 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
621 check_hlr_auc_gw_support()
622 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
623 hostapd.add_ap(apdev[0]['ifname'], params)
624 dev[0].request("SET external_sim 1")
625 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
626 wait_connect=False, scan_freq="2412")
628 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
630 raise Exception("Request for identity timed out")
631 rid = ev.split(':')[0].split('-')[-1]
632 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
634 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
636 raise Exception("Wait for external SIM processing request timed out")
638 if p[1] != "GSM-AUTH":
639 raise Exception("Unexpected CTRL-REQ-SIM type")
640 rid = p[0].split('-')[3]
641 rand = p[2].split(' ')[0]
643 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
645 "auth_serv/hlr_auc_gw.milenage_db",
646 "GSM-AUTH-REQ 232010000000000 " + rand])
647 if "GSM-AUTH-RESP" not in res:
648 raise Exception("Unexpected hlr_auc_gw response")
649 resp = res.split(' ')[2].rstrip()
651 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
652 dev[0].wait_connected(timeout=15)
653 dev[0].request("DISCONNECT")
654 dev[0].wait_disconnected()
656 # Replace SIM and drop the previous permanent and pseudonym identities
657 dev[0].set_network(id, "identity", "NULL")
658 dev[0].set_network(id, "anonymous_identity", "NULL")
659 dev[0].select_network(id, freq="2412")
661 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
663 raise Exception("Request for identity timed out")
664 rid = ev.split(':')[0].split('-')[-1]
665 dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
667 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
669 raise Exception("Wait for external SIM processing request timed out")
671 if p[1] != "GSM-AUTH":
672 raise Exception("Unexpected CTRL-REQ-SIM type")
673 rid = p[0].split('-')[3]
674 rand = p[2].split(' ')[0]
676 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
678 "auth_serv/hlr_auc_gw.milenage_db",
679 "GSM-AUTH-REQ 232010000000009 " + rand])
680 if "GSM-AUTH-RESP" not in res:
681 raise Exception("Unexpected hlr_auc_gw response")
682 resp = res.split(' ')[2].rstrip()
684 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
685 dev[0].wait_connected()
686 dev[0].request("DISCONNECT")
687 dev[0].wait_disconnected()
689 def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
690 """EAP-SIM with external GSM auth and auth failing"""
692 _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
694 dev[0].request("SET external_sim 0")
696 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
697 check_hlr_auc_gw_support()
698 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
699 hostapd.add_ap(apdev[0]['ifname'], params)
700 dev[0].request("SET external_sim 1")
701 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
702 identity="1232010000000000",
703 wait_connect=False, scan_freq="2412")
705 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
707 raise Exception("Wait for external SIM processing request timed out")
709 rid = p[0].split('-')[3]
710 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
711 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
713 raise Exception("EAP failure not reported")
714 dev[0].request("REMOVE_NETWORK all")
715 dev[0].wait_disconnected()
717 def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
718 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
720 _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
722 dev[0].request("SET external_sim 0")
724 def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
725 check_hlr_auc_gw_support()
726 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
727 hostapd.add_ap(apdev[0]['ifname'], params)
728 dev[0].request("SET external_sim 1")
729 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
730 identity="1232010000000000",
731 wait_connect=False, scan_freq="2412")
733 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
735 raise Exception("Wait for external SIM processing request timed out")
737 if p[1] != "GSM-AUTH":
738 raise Exception("Unexpected CTRL-REQ-SIM type")
739 rid = p[0].split('-')[3]
740 rand = p[2].split(' ')[0]
742 res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
744 "auth_serv/hlr_auc_gw.milenage_db",
745 "GSM-AUTH-REQ 232010000000000 " + rand])
746 if "GSM-AUTH-RESP" not in res:
747 raise Exception("Unexpected hlr_auc_gw response")
748 resp = res.split(' ')[2].rstrip()
750 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
751 dev[0].wait_connected(timeout=15)
753 # Verify that EAP-SIM Reauthentication can be used after a profile change
754 # that does not affect EAP parameters.
755 dev[0].set_network(id, "bssid", "any")
756 eap_reauth(dev[0], "SIM")
758 def test_ap_wpa2_eap_sim_oom(dev, apdev):
759 """EAP-SIM and OOM"""
760 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
761 hostapd.add_ap(apdev[0]['ifname'], params)
762 tests = [ (1, "milenage_f2345"),
763 (2, "milenage_f2345"),
764 (3, "milenage_f2345"),
765 (4, "milenage_f2345"),
766 (5, "milenage_f2345"),
767 (6, "milenage_f2345"),
768 (7, "milenage_f2345"),
769 (8, "milenage_f2345"),
770 (9, "milenage_f2345"),
771 (10, "milenage_f2345"),
772 (11, "milenage_f2345"),
773 (12, "milenage_f2345") ]
774 for count, func in tests:
775 with fail_test(dev[0], count, func):
776 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
777 identity="1232010000000000",
778 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
779 wait_connect=False, scan_freq="2412")
780 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
782 raise Exception("EAP method not selected")
783 dev[0].wait_disconnected()
784 dev[0].request("REMOVE_NETWORK all")
786 def test_ap_wpa2_eap_aka(dev, apdev):
787 """WPA2-Enterprise connection using EAP-AKA"""
788 check_hlr_auc_gw_support()
789 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
790 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
791 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
792 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
793 hwsim_utils.test_connectivity(dev[0], hapd)
794 eap_reauth(dev[0], "AKA")
796 logger.info("Negative test with incorrect key")
797 dev[0].request("REMOVE_NETWORK all")
798 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
799 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
802 logger.info("Invalid Milenage key")
803 dev[0].request("REMOVE_NETWORK all")
804 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
805 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
808 logger.info("Invalid Milenage key(2)")
809 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
810 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
813 logger.info("Invalid Milenage key(3)")
814 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
815 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
818 logger.info("Invalid Milenage key(4)")
819 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
820 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
823 logger.info("Invalid Milenage key(5)")
824 dev[0].request("REMOVE_NETWORK all")
825 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
826 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
829 logger.info("Invalid Milenage key(6)")
830 dev[0].request("REMOVE_NETWORK all")
831 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
832 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
835 logger.info("Missing key configuration")
836 dev[0].request("REMOVE_NETWORK all")
837 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
840 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
841 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
842 check_hlr_auc_gw_support()
846 raise HwsimSkip("No sqlite3 module available")
847 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
848 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
849 params['auth_server_port'] = "1814"
850 hostapd.add_ap(apdev[0]['ifname'], params)
851 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
852 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
854 logger.info("AKA fast re-authentication")
855 eap_reauth(dev[0], "AKA")
857 logger.info("AKA full auth with pseudonym")
860 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
861 eap_reauth(dev[0], "AKA")
863 logger.info("AKA full auth with permanent identity")
866 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
867 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
868 eap_reauth(dev[0], "AKA")
870 logger.info("AKA reauth with mismatching MK")
873 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
874 eap_reauth(dev[0], "AKA", expect_failure=True)
875 dev[0].request("REMOVE_NETWORK all")
877 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
878 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
881 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
882 eap_reauth(dev[0], "AKA")
885 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
886 logger.info("AKA reauth with mismatching counter")
887 eap_reauth(dev[0], "AKA")
888 dev[0].request("REMOVE_NETWORK all")
890 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
891 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
894 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
895 logger.info("AKA reauth with max reauth count reached")
896 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Single EAP-AKA authentication that additionally sets anonymous_identity,
    so the identity sent in the clear differs from the permanent one.
    eap_connect() raises on any failure.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # wpa_supplicant's AKA password format: Ki:OPc:SQN, matching the
    # subscriber record served by hlr_auc_gw for this identity.
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                anonymous_identity="2345678", password=aka_key)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    # NOTE(review): gutter lines 908 and 910 are missing from this listing;
    # the helper call is presumably wrapped in try/finally so that
    # external_sim is always reset — confirm against the upstream file.
    _test_ap_wpa2_eap_aka_ext(dev, apdev)
    # Reset external_sim so later test cases on dev[0] start from the
    # default (in-supplicant) SIM handling.
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    # Drive EAP-AKA with external_sim=1: wpa_supplicant does not compute the
    # UMTS response itself but emits CTRL-REQ-SIM-<id>:UMTS-AUTH:... and waits
    # for a CTRL-RSP-SIM-<id> answer over the control interface (this script).
    # Every answer sent here is deliberately wrong (wrong response type, AUTS
    # values the server will not accept, malformed RES/IK/CK fields), so what
    # is exercised is the supplicant's validation of externally supplied
    # authentication data: each round must end in CTRL-EVENT-EAP-FAILURE and
    # never in a connection.
    #
    # NOTE(review): this listing has dropped lines (gutter numbers 923, 927,
    # 929, 933-934, 939, 948, 950, 958, 960, 968, 972, 976, 982, 985, 987,
    # 995 and 999). Judging by the surviving code, each bare "raise" after a
    # wait_event() sits under an "if ev is None:" guard, each "p[1]" check is
    # preceded by "p = ev.split(':', 2)" (as in
    # _test_ap_wpa2_eap_aka_ext_auth_fail below), gutter 976 may be a
    # dropped entry of the "tests" list, and the last section is a
    # "for t in tests:" loop — confirm against the upstream file.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # (guard line missing from listing — gutter 923)
        raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line missing from listing — gutter 927)
        raise Exception("Wait for external SIM processing request timed out")
    # (p = ev.split(':', 2) missing from listing — gutter 929)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    # Request id is the fourth '-'-separated field of "CTRL-REQ-SIM-<id>:...";
    # it must be echoed back in the CTRL-RSP-SIM command.
    rid = p[0].split('-')[3]
    # (gutter 933-934 missing from listing)
    # Round 1: answer a UMTS-AUTH request with a GSM-AUTH triplet, i.e. the
    # wrong response type for the method in use.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line missing from listing — gutter 939)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Drop queued events so the next round's wait_event() sees fresh ones.
    dev[0].dump_monitor()

    # Round 2: answer with UMTS-AUTS (resynchronisation). The first AUTS has
    # the right size but is not accepted by the server; the second one ("12")
    # is far too short and must be rejected by the supplicant itself.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line missing from listing — gutter 948)
        raise Exception("Wait for external SIM processing request timed out")
    # (p = ev.split(':', 2) missing from listing — gutter 950)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line missing from listing — gutter 958)
        raise Exception("Wait for external SIM processing request timed out")
    # (p = ev.split(':', 2) missing from listing — gutter 960)
    if p[1] != "UMTS-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during UMTS auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
    # (guard line missing from listing — gutter 968)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()

    # Round 3: a set of malformed UMTS-AUTH responses (RES:IK:CK). Relative to
    # the first, well-formed entry they use the wrong field separator, a
    # truncated IK, an over-long CK, and a non-hex character. Each must be
    # accepted by the ctrl_iface parser but fail EAP validation.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              # (gutter 976 missing from listing — possibly a dropped entry)
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    # (loop header missing from listing — gutter 982; presumably "for t in tests:")
        dev[0].select_network(id, freq="2412")
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        # (guard line missing from listing — gutter 985)
            raise Exception("Wait for external SIM processing request timed out")
        # (p = ev.split(':', 2) missing from listing — gutter 987)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        rid = p[0].split('-')[3]
        # This will fail during UMTS auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
            raise Exception("CTRL-RSP-SIM failed")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # (guard line missing from listing — gutter 995)
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        dev[0].dump_monitor()
def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    """EAP-AKA with external UMTS auth and auth failing"""
    # NOTE(review): gutter lines 1004 and 1006 are missing from this listing;
    # the helper call is presumably wrapped in try/finally so that
    # external_sim is always reset — confirm against the upstream file.
    _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
    # Reset external_sim so later test cases on dev[0] start from the default.
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
    # External-SIM variant in which the "SIM" (this script) answers the UMTS
    # challenge with UMTS-FAIL. The supplicant must report an EAP failure
    # promptly instead of proceeding or waiting for a never-arriving answer.
    #
    # NOTE(review): gutter lines 1019 and 1025 are missing from this listing;
    # both raise statements below presumably sit under an "if ev is None:"
    # guard — confirm against the upstream file.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # No password is configured: with external_sim the authentication
    # answer comes from the control-interface client, not from the
    # supplicant's own Milenage computation.
    id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line missing from listing — gutter 1019)
        raise Exception("Wait for external SIM processing request timed out")
    # Event format is "CTRL-REQ-SIM-<id>:<type>:<data>"; the id is echoed
    # back so the supplicant can match the reply to its pending request.
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (guard line missing from listing — gutter 1025)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive authentication with connectivity check and fast reauth,
    a bidding-protection case with both AKA' and AKA enabled on the peer,
    and a negative case with a corrupted key.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    # Same as good_key except for the first byte of Ki (51 -> ff).
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111", password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # With both methods offered the peer must still complete authentication
    # (AKA' has a bidding-down protection against being downgraded to AKA).
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    # A wrong Ki must be rejected by the authentication server.
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password=bad_key, expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    # Same EAP-AKA' flow as test_ap_wpa2_eap_aka_prime, but against the
    # SQLite-backed authentication server (auth_server_port 1814) so the
    # server's fast re-authentication state (reauth / pseudonyms tables) can
    # be deleted or corrupted directly. Each tampering step checks that the
    # server falls back to full authentication, or fails the exchange, rather
    # than accepting reauth state that no longer matches the peer's.
    #
    # NOTE(review): this listing has dropped lines (gutter 1056-1058,
    # 1071-1072, 1077-1078, 1084-1085, 1092-1093, 1096-1097, 1105-1106 plus
    # blank ones). The HwsimSkip below presumably sits under a
    # "try: import sqlite3 / except ImportError:" block, and "cur" is
    # presumably a cursor opened on "con" before each group of statements —
    # confirm against the upstream file.
    check_hlr_auc_gw_support()
    # (import guard missing from listing — gutter 1056-1058)
        raise HwsimSkip("No sqlite3 module available")
    # "params" here is still the test-runner parameter dict (logdir etc.);
    # it is rebound to the hostapd configuration two lines further down.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    # Removing the reauth record forces a full authentication; the pseudonym
    # issued earlier is still available to the peer.
    logger.info("AKA' full auth with pseudonym")
    # (cursor setup missing from listing — gutter 1071-1072)
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # Removing the pseudonym as well forces the permanent identity to be used.
    logger.info("AKA' full auth with permanent identity")
    # (cursor setup missing from listing — gutter 1077-1078)
    cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
    cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # With the server-side K_aut zeroed the reauth MAC can no longer be
    # verified, so this fast reauth must fail rather than silently succeed.
    logger.info("AKA' reauth with mismatching k_aut")
    # (cursor setup missing from listing — gutter 1084-1085)
    cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    # Reauth counter moved on the server side (twice) so that it no longer
    # matches the peer's expectation.
    # (cursor setup missing from listing — gutter 1092-1093)
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    # (cursor setup missing from listing — gutter 1096-1097)
    cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")

    # Counter pushed past the server's reauth limit: a full authentication is
    # expected instead of another fast reauth.
    # (cursor setup missing from listing — gutter 1105-1106)
    cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    """EAP-AKA' with external UMTS auth and auth failing"""
    # NOTE(review): gutter lines 1113 and 1115 are missing from this listing;
    # the helper call is presumably wrapped in try/finally so that
    # external_sim is always reset — confirm against the upstream file.
    _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
    # Reset external_sim so later test cases on dev[0] start from the default.
    dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
    # EAP-AKA' counterpart of _test_ap_wpa2_eap_aka_ext_auth_fail: the
    # external "SIM" answers the challenge with UMTS-FAIL and the supplicant
    # must report CTRL-EVENT-EAP-FAILURE within a few seconds.
    #
    # NOTE(review): gutter lines 1128 and 1134 are missing from this listing;
    # both raise statements below presumably sit under an "if ev is None:"
    # guard — confirm against the upstream file.
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    # No password: the answer is supplied externally via CTRL-RSP-SIM.
    id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
                        identity="6555444333222111",
                        wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
    # (guard line missing from listing — gutter 1128)
        raise Exception("Wait for external SIM processing request timed out")
    # "CTRL-REQ-SIM-<id>:<type>:<data>" — the id is echoed in the reply.
    p = ev.split(':', 2)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    # (guard line missing from listing — gutter 1134)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Also verifies the AP's configured key_mgmt and the RSN AKM suite
    reported by the station after the connection.
    """
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The first key_mgmt token must be WPA-EAP, otherwise a successful
    # connection could not be attributed to the EAP path.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # PAP sends the password inside the TTLS tunnel; ca_cert is what ties
    # that tunnel to the intended server.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X (EAP) AKM suite selector.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Constrains the server certificate's subject and subjectAltName in
    addition to the CA check.
    """
    # Both matchers are only supported with OpenSSL (see the check_* helpers
    # at the top of the file); skip early on other TLS libraries.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    expected_subject = "/C=FI/O=w1.fi/CN=server.w1.fi"
    expected_san = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match=expected_subject,
                altsubject_match=expected_san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Both a wrong password and a correct password for the wrong account
    must be rejected.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Right account, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **common)
    # Right password, but "user" is presumably not provisioned for PAP on
    # the test server.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # Skipped in FIPS mode (presumably because CHAP's MD5 is unavailable).
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # DER-encoded CA here (ca.der) rather than the PEM used by sibling tests,
    # so both ca_cert encodings get exercised.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Variant of test_ap_wpa2_eap_ttls_chap with altsubject_match set.
    """
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN entries as the PAP variant, listed in a different order.
    expected_san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=expected_san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for the CHAP account.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **common)
    # Correct password for an account presumably not enabled for CHAP.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three connections: with domain_suffix_match, with a small EAP fragment
    size, and with the password given as an NT hash.
    """
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAP")

    # 1) Normal connection with the server name pinned via domain_suffix_match.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")

    # 2) Same credentials with a small fragment_size to force EAP
    #    fragmentation and reassembly of the TLS handshake.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **base)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # 3) Password supplied as its NT hash ("hash:" prefix) instead of
    #    plaintext.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Wrong password, wrong account, and unknown account must all fail.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [(dev[0], "mschap user", "wrong"),
             (dev[1], "user", "password"),
             (dev[2], "no such user", "password")]
    for station, identity, password in cases:
        eap_connect(station, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
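def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Authenticates with domain_suffix_match, checks that the AP-side 802.1X
    counters move across a reauthentication, then reconnects with the
    password given as an NT hash.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped so the literal is DOMAIN\mschapv2 user: an unescaped
    # "\m" is an invalid escape sequence (SyntaxWarning on Python 3.12+ and
    # expected to become an error in a later release).
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the AP's per-station counters, reauthenticate, and verify
    # they changed: EAPOL frames received and backend successes must grow,
    # and at least one EAP-Start while authenticated must have been seen.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    # NT-hash form of the password ("hash:" prefix in password_hex).
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")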
def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
    """EAP-TTLS with invalid phase2 parameter values"""
    # Each phase2 string is either a misspelled method, a conflicting mix of
    # auth= and autheap=, or a duplicated/unknown entry. The supplicant must
    # still start EAP-TTLS (method=21 in CTRL-EVENT-EAP-PROPOSED-METHOD) and
    # then fail to initialise the inner method — it must never connect.
    #
    # NOTE(review): gutter line 1297 is missing from this listing; the
    # indented block below is presumably the body of "for t in tests:" —
    # confirm against the upstream file. Also note that "\m" in the identity
    # literal is an invalid escape sequence (a SyntaxWarning on Python 3.12+);
    # the value is the same as "DOMAIN\\mschapv2 user".
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
              "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
              "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
    # (loop header missing from listing — gutter 1297)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2=t,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
        if ev is None or "method=21" not in ev:
            raise Exception("EAP-TTLS not started")
        # Either outcome is watched for; a CONNECTED event means the bad
        # phase2 value was silently accepted, which is the failure case.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
                                "CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is None or "CTRL-EVENT-CONNECTED" in ev:
            raise Exception("No EAP-TTLS failure reported for phase2=" + t)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # Clear queued events before the next iteration's wait_event().
        dev[0].dump_monitor()
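def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Uses domain_suffix_match with a parent domain ("w1.fi") rather than the
    server's full name; requires a TLS library that does full suffix
    matching (check_domain_match_full).
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: "\m" is an invalid escape sequence (SyntaxWarning
    # on Python 3.12+); the value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")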
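def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    Uses domain_match (exact host name) with a mixed-case value
    ("Server.w1.fi") to exercise case-insensitive DNS-name comparison.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Backslash escaped: "\m" is an invalid escape sequence (SyntaxWarning
    # on Python 3.12+); the value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")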
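def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    A near-miss password ("password1") and a correct password for an
    account presumably not enabled for MSCHAPv2 must both be rejected.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Backslash escaped: "\m" is an invalid escape sequence (SyntaxWarning
    # on Python 3.12+); the value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)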
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    # MSCHAPv2 hashes the password in UTF-16LE, so non-ASCII passwords must
    # be converted correctly on both ends. dev[0] uses the plaintext UTF-8
    # password, dev[1] the precomputed NT hash of a UTF-8 password, and
    # dev[2] tries password_hex values that must be rejected: "80" (a lone
    # continuation byte, invalid UTF-8), "41c041e04141e041" (overlong
    # encodings) and a 257-byte password.
    #
    # NOTE(review): gutter line 1376 is missing from this listing; the raise
    # below presumably sits under an "if ev is None:" guard — confirm against
    # the upstream file.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                anonymous_identity="ttls", password="secret-åäö-€-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                anonymous_identity="ttls",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    for p in [ "80", "41c041e04141e041", 257*"41" ]:
        dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="utf8-user-hash",
                       anonymous_identity="ttls", password_hex=p,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # Short timeout: rejection of a malformed password is local and
        # should be immediate.
        ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
        # (guard line missing from listing — gutter 1376)
            raise Exception("No failure reported")
        dev[2].request("REMOVE_NETWORK all")
        dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an inner EAP method (here GTC) rather than a
    # plain TTLS/... authentication protocol.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a valid account must be rejected by the server.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="wrong",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The account has no password on the server side (presumably, given the
    # identity name), so supplying one must not lead to success.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
    # Fault injection on the hostapd side (alloc_fail from utils): the named
    # allocation is made to fail once and the server must handle it without
    # completing the authentication or misbehaving. int_eap_server_params()
    # is defined elsewhere in this file.
    #
    # NOTE(review): gutter lines 1428-1429 and 1431 are missing from this
    # listing; the GET_ALLOC_FAIL check below presumably sits inside a short
    # polling loop that breaks once the injected failure has been consumed
    # (a '0' prefix in the GET_ALLOC_FAIL reply) — confirm against the
    # upstream file.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_gtc_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # (loop header missing from listing — gutter 1428-1429)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (break missing from listing — gutter 1431)
def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
    # Supplicant-side fault injection: each named allocation is made to fail
    # once during an EAP-GTC exchange and wait_fail_trigger() confirms the
    # injected failure was actually hit. The connection attempt is then torn
    # down; what matters is that the supplicant survives the failure path.
    #
    # NOTE(review): gutter lines 1440, 1443 and 1447 are missing from this
    # listing; the block below is presumably the body of "for func in tests:",
    # and the connect() call presumably ends with
    # "wait_connect=False, scan_freq="2412")" as in the sibling tests —
    # confirm against the upstream file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # "a;b" names allocation a when called from b.
    tests = [ "eap_gtc_init",
              "eap_msg_alloc;eap_gtc_process" ]
    # (loop header missing from listing — gutter 1440)
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           # (gutter 1443 missing from listing)
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password="password",
                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                           # (gutter 1447 missing from listing)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 may be compiled out; skip rather than fail in that case.
    check_eap_capa(dev[0], "MD5")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a valid account must be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="wrong",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a server-side password (presumably, given the
    # identity name): the attempt must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    # Server-side fault injection for EAP-MD5, mirroring
    # test_ap_wpa2_eap_ttls_eap_gtc_server_oom: the init and buildReq
    # allocations are each made to fail once and the server must cope.
    #
    # NOTE(review): gutter lines 1503-1504 and 1506 are missing from this
    # listing; the GET_ALLOC_FAIL check presumably sits inside a short
    # polling loop that breaks once the injected failure has been consumed —
    # confirm against the upstream file.
    check_eap_capa(dev[0], "MD5")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # (loop header missing from listing — gutter 1503-1504)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (break missing from listing — gutter 1506)
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive connection with reauth, then a near-miss password that must
    be rejected.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Account without a server-side password (presumably, given the
    # identity name): the attempt must fail.
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                phase2="autheap=MSCHAPV2", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
    # Server-side fault injection for EAP-MSCHAPv2: init, challenge build,
    # success-request build and failure-request build are each made to fail
    # once. The last case uses a wrong password so that the server actually
    # reaches the failure-request path.
    #
    # NOTE(review): gutter lines 1556-1557, 1559, 1570-1571, 1573, 1584-1585
    # and 1587 are missing from this listing; each GET_ALLOC_FAIL check
    # presumably sits inside a short polling loop that breaks once the
    # injected failure has been consumed — confirm against the upstream file.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # (loop header missing from listing — gutter 1556-1557)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (break missing from listing — gutter 1559)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # (loop header missing from listing — gutter 1570-1571)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (break missing from listing — gutter 1573)
    dev[0].request("REMOVE_NETWORK all")

    # Wrong password on purpose: the failure-request builder is only reached
    # when the MSCHAPv2 response does not verify.
    with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="wrong",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # (loop header missing from listing — gutter 1584-1585)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                # (break missing from listing — gutter 1587)
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA run as the inner method of a TTLS tunnel; the AKA password
    # is the usual Ki:OPc:SQN string for the hlr_auc_gw subscriber.
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                phase2="autheap=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@ttls",
                password=aka_key)
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA as the inner method of PEAP (phase2 "auth=" for PEAP).
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@peap",
                password=aka_key)
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=2 enables authenticated PAC provisioning; the PAC
    # is kept in a config blob ("blob://") rather than on disk.
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@fast",
                password=aka_key)
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Normal connection with reauth, a small-fragment variant, the password
    supplied as an NT hash, and a near-miss password that must fail.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    base = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password", **base)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # Small fragment_size forces EAP fragmentation of the TLS handshake.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **base)

    # NT-hash form of the password ("hash:" prefix in password_hex).
    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **base)
def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # The inner identity carries a DOMAIN\ prefix while the outer
    # (anonymous) identity stays a bare "peap".
    tunnel = dict(anonymous_identity="peap", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(sta, apdev[0], "PEAP", "DOMAIN\user3", **tunnel)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # A wrong inner password must end in an EAP failure, never a connection.
    tunnel = dict(anonymous_identity="peap", password="wrong",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **tunnel)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def peap_connect(sta, phase1):
        # PEAPv0 with the given crypto_binding policy; everything else fixed.
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem", phase1=phase1,
                    phase2="auth=MSCHAPV2")

    # crypto_binding=2 (presumably the strictest setting - confirm against
    # wpa_supplicant.conf) on the first station, followed by a data-path
    # check and a reauthentication.
    peap_connect(dev[0], "peapver=0 crypto_binding=2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # The two remaining crypto_binding values on two further stations.
    peap_connect(dev[1], "peapver=0 crypto_binding=1")
    peap_connect(dev[2], "peapver=0 crypto_binding=0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # Integrated EAP server so the allocation failure can be injected on
    # the AP side.
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    tunnel = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase1="peapver=0 crypto_binding=2",
                  phase2="auth=MSCHAPV2")
    # Inject an allocation failure in eap_mschapv2_getKey (the 1 is
    # presumably the allocation ordinal); the peer must then fail cleanly
    # and report the error locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user",
                    expect_failure=True, local_error_report=True, **tunnel)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 with PEAPv0 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # peap_outer_success=0: an EAP-Success is expected but the connection
    # is not supposed to complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): one argument line is missing from the
                   # extracted source here.
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): the guard line (presumably `if ev is None:`) is missing
    # from the extracted source.
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # peap_outer_success=1 and =2 on two other stations must both connect.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP-Success expected, but no connection
    # may follow within the short timeout.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   # NOTE(review): one argument line is missing from the
                   # extracted source here.
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): guard line missing from the extracted source.
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): guard line missing from the extracted source (here the
    # original presumably tests for a non-None event).
        raise Exception("Unexpected connection")

    # Outer identity / peapver combinations the server accepts: each must
    # connect.
    tests = [ ("peap-ver0", ""),
              # NOTE(review): one list entry is missing from the extracted
              # source here.
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       # NOTE(review): the final argument line of this call
                       # is missing from the extracted source.
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Mismatched outer identity / peapver combinations: each must end in
    # an EAP failure.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): guard line missing from the extracted source.
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Finally a connection with several TLS knobs set explicitly.
    # tls_allow_md5=1 presumably relaxes the TLS configuration; it is here
    # for coverage only and is not a setting to copy into a deployment.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # The inner EAP-TLS run takes its certificates from the "*2" (phase 2)
    # parameters; ca_cert without the suffix presumably covers the outer
    # PEAP tunnel.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(sta, apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Certificate-based client authentication; the key file is used without
    # a passphrase.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(sta, apdev[0], "TLS", "tls user", **client_creds)
    eap_reauth(sta, "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The private key is a passphrase-protected PKCS #8 file, so the
    # passphrase has to be supplied alongside it.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8",
                        private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the v2 DES3 case but with the legacy PKCS #5 v1.5 key
    # encryption, which must still be readable for backwards compatibility.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                        private_key_passwd="whatever")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
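def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    def set_blob(name, path):
        # Load a PEM file and store it as the named wpa_supplicant config
        # blob (hex-encoded over the control interface). Raise on rejection
        # so a later blob:// reference cannot fail for an unrelated reason
        # and mask the real problem; the message names the blob that failed
        # (the original reported "cacert" for the userkey blob as well).
        data = read_pem(path)
        if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.rsa-key")
    # All three credentials are referenced through blob:// rather than
    # file paths.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")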
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    missing = "blob://testing-blob-does-not-exist"
    # Every certificate/key reference points at a blob that was never set;
    # EAP method initialisation must fail rather than proceed without them.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert=missing, client_cert=missing, private_key=missing,
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer send the TLS Message Length field
    # even when the packet is not fragmented.
    client_creds = dict(ca_cert="auth_serv/ca.pem",
                        phase1="include_tls_length=1",
                        client_cert="auth_serv/user.pem",
                        private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_creds)
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Client certificate and key both come from the PKCS#12 container, so
    # no separate client_cert is given.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # No passphrase in the network block: wpa_supplicant has to request it
    # over the control interface and accept the CTRL-RSP reply.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): the guard line (presumably `if ev is None:`) is missing
    # from the extracted source.
        raise Exception("Request for private key passphrase timed out")
    # The network id is the last '-'-separated field before the ':' in the
    # request event.
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # NOTE(review): a line is missing from the extracted source here.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    # NOTE(review): a line is missing from the extracted
                    # source here, presumably private_key=pkcs12.
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    def store_blob(name, raw):
        # Blobs travel hex-encoded over the control interface; a rejected
        # SET is a hard failure so the connect below cannot misattribute it.
        if "OK" not in sta.request("SET blob " + name + " " + raw.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    store_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 container is binary, so it is read raw rather than via
    # read_pem.
    with open("auth_serv/user.pkcs12", "rb") as f:
        store_blob("pkcs12", f.read())
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # The same wrong CA is supplied two ways: as a config blob on dev[0] and
    # as a file path on dev[1]. Neither station may complete authentication.
    wrong_ca = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + wrong_ca.encode("hex")):
        raise Exception("Could not set cacert blob")
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    def await_event(sta, events, timeout, what):
        # Block on one of `events`; a timeout is a test failure, not a pass.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    terminal = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
                "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    # Loop variable deliberately not named `dev` so the parameter is not
    # shadowed.
    for sta in (dev[0], dev[1]):
        await_event(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
                    "Association and EAP start timed out")
        ev = await_event(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                         "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")
        # The certificate error must be the first outcome reported, ahead of
        # any success/failure/connection event.
        ev = await_event(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + terminal, 10,
                         "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")
        ev = await_event(sta, terminal, 10, "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")
        ev = await_event(sta, terminal[2:], 10, "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")
        # After the failure the network block is expected to be temporarily
        # disabled rather than retried immediately.
        await_event(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                    "Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS", identity="pap user",
                 anonymous_identity="ttls", password="password",
                 phase2="auth=PAP", scan_freq="2412")
    # First network trusts the server's real CA and must connect.
    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **creds)
    # Second network is identical apart from an unrelated CA; it is only
    # added now and selected once the first session is torn down.
    netid = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(netid, freq="2412")

    # EAP-TTLS (method 21) has to be proposed again for the new network;
    # the differing CA trust must not be papered over by the earlier success.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The attempt must end in a disconnection carrying reason code 23.
    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    creds = dict(key_mgmt="WPA-EAP", eap="TTLS", identity="pap user",
                 anonymous_identity="ttls", password="password",
                 phase2="auth=PAP", scan_freq="2412")
    # Variant of diff_ca_trust: the first network sets no ca_cert at all
    # (no server certificate validation - acceptable only in a test),
    # the second pins an unrelated CA.
    sta.connect("test-wpa2-eap", wait_connect=True, **creds)
    netid = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                        only_add_network=True, **creds)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(netid, freq="2412")

    # EAP-TTLS (method 21) has to be proposed again for the new network.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The attempt must end in a disconnection carrying reason code 23.
    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # Variant of diff_ca_trust with a single network block: connect with
    # the correct CA, then swap ca_cert in place to an unrelated CA and
    # reselect the same block.
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                        identity="pap user", anonymous_identity="ttls",
                        password="password", phase2="auth=PAP",
                        ca_cert="auth_serv/ca.pem",
                        wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.set_network_quoted(netid, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(netid, freq="2412")

    # EAP-TTLS (method 21) has to be proposed again after the CA change.
    ev = sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # The attempt must end in a disconnection carrying reason code 23.
    ev = sta.wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # The configured suffix is expected not to match the server certificate,
    # so the peer must reject the certificate even though the CA is correct.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    def await_event(events, timeout, what):
        # Wait for one of `events`; a timeout is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-METHOD"], 10,
                     "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    terminal = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
                "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    # The certificate error, naming the suffix mismatch, must come first.
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + terminal, 10,
                     "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")
    ev = await_event(terminal, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = await_event(terminal[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    await_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # domain_match requires a full match; "w1.fi" is expected not to match
    # the server certificate, so the certificate must be rejected.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    def await_event(events, timeout, what):
        # Wait for one of `events`; a timeout is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-METHOD"], 10,
                     "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    terminal = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
                "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    # The certificate error, naming the domain mismatch, must come first.
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + terminal, 10,
                     "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")
    ev = await_event(terminal, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = await_event(terminal[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    await_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    # subject_match is expected not to match the server certificate's
    # subject, so the peer must refuse the certificate.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                subject_match="/C=FI/O=w1.fi/CN=example.com",
                wait_connect=False, scan_freq="2412")

    def await_event(events, timeout, what):
        # Wait for one of `events`; a timeout is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-METHOD",
                      "EAP: Failed to initialize EAP method"], 10,
                     "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds are required to support subject_match; with
        # any other TLS library a refused method initialisation is an
        # acceptable fail-closed outcome.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    terminal = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
                "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    # The certificate error, naming the subject mismatch, must come first.
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + terminal, 10,
                     "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")
    ev = await_event(terminal, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = await_event(terminal[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    await_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each entry is an altsubject_match value that must NOT match the server
    # certificate; the helper below runs one negative connection per entry.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
              # NOTE(review): the remaining list entries and the closing
              # bracket are missing from the extracted source here.
    # NOTE(review): the loop header over `tests` (binding `match`) is
    # missing from the extracted source; the call below is its body.
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # One negative altsubject_match round: `match` is expected not to match
    # the server certificate, so the peer must reject it and the network
    # block must end up temporarily disabled. The block is removed at the
    # end so the caller can run the next value on a clean station.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")

    def await_event(events, timeout, what):
        # Wait for one of `events`; a timeout is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-METHOD",
                      "EAP: Failed to initialize EAP method"], 10,
                     "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds are required to support altsubject_match;
        # elsewhere a refused method initialisation is an acceptable
        # fail-closed outcome.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    terminal = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
                "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + terminal, 10,
                     "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")
    ev = await_event(terminal, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = await_event(terminal[2:], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    await_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
                "Network block disabling not reported")

    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # No client certificate is configured; only the server CA is trusted.
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint the server certificate is expected to report, and
    # a second value that does not belong to this server.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    wrong_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    def await_event(events, timeout, what):
        # Wait for one of `events`; a timeout is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(what)
        return ev

    # Step 1: probe mode. ca_cert="probe://" makes the peer report the
    # server certificate (including its hash) and then abort with a
    # certificate error instead of accepting it, so the fingerprint can be
    # learned without trusting anything.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                     "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                     "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 2: pin a fingerprint that is not this server's; the mismatch must
    # surface as a certificate error and the connection must be dropped.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/" + wrong_hash,
                wait_connect=False, scan_freq="2412")
    await_event(["CTRL-EVENT-EAP-STARTED"], 16,
                "Association and EAP start timed out")
    ev = await_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10,
                     "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 3: pin the fingerprint learned in step 1; authentication must
    # now complete.
    eap_connect(sta, apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Three malformed hash:// references: an md5 variant (presumably an
    # unsupported digest), a sha256 value two hex digits short, and a
    # sha256 value ending in a non-hex character. Each must be rejected at
    # EAP method initialisation, before any handshake takes place.
    bad_refs = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for i, ref in enumerate(bad_refs):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\mschapv2 user",
                       anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=ref,
                       wait_connect=False, scan_freq="2412")
    for i in range(len(bad_refs)):
        sta = dev[i]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: password-only authentication followed by a reauthentication.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity on a second station.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # NOTE(review): a trailing keyword argument line is missing
                # from the extracted source here.

    # A wrong password must fail and be reported on the peer side.
    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    # Same long identity again on the first station.
    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
                # NOTE(review): a trailing keyword argument line is missing
                # from the extracted source here.
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # EAP-pwd with the password supplied as an NT hash instead of plaintext.
    # The NT hash is MD4-based, which is presumably why the test is skipped
    # in FIPS mode.
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # The same credential for user "pwd-hash" in both forms: plaintext on
    # dev[0], and the hash: form (pre-computed NT hash) on dev[1].
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], ap, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], ap, "PWD", "pwd-hash", password_hex=nt_hash)

    # Negative case: that hash is not the credential of "pwd user", so the
    # exchange must fail and the failure must be reported by the station.
    eap_connect(dev[2], ap, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # IANA (IKE) group ids: 19/20/21 are the NIST P-256/384/521 curves,
    # 25/26 are P-192/P-224; 27-30 are the Brainpool curves and are only
    # added when the TLS library is known to support them.
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # NOTE(review): the loop header iterating over `groups` (binding `i`) is
    # missing from this listing; the indented body below belongs to it.
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hostapd.add_ap(apdev[0]['ifname'], params)
        # NOTE(review): a `try:` line is missing here; the block below is the
        # success path, the block after it the failure handler.
            eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        # NOTE(review): the `except` line is missing from this listing.
            # Group 25 is tolerated as a failure with BoringSSL; any other
            # connection failure still propagates (lines lost at the end of
            # the block, presumably the re-raise).
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                # NOTE(review): one line missing here (presumably `continue`).
            dev[0].request("REMOVE_NETWORK all")
            dev[0].dump_monitor()
            # NOTE(review): the remaining lines of this handler are missing.
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # pwd_group "0" is the invalid group under test: the server must fail
    # the EAP exchange rather than silently fall back to a default group.
    params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line that precedes this raise (checking the
    # wait_event() result for a timeout) is missing from this listing.
    raise Exception("Timeout on EAP failure report")
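def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is built explicitly. The original also called
    # hostapd.wpa2_eap_params() first and then immediately overwrote the
    # result, so that call was a dead store and has been removed.
    # A small server-side fragment_size presumably splits the EAP-pwd
    # messages across several EAP packets so that reassembly on the
    # station is exercised.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")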
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # `id` is the network id returned by eap_connect(); it is reused below
    # to change phase1 on the same profile. (Shadows the builtin.)
    id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                     password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Force each GPSK ciphersuite in turn via phase1; both must still
    # negotiate successfully. Changing phase1 presumably triggers a
    # reconnect — confirm against set_network_quoted().
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): the guard line preceding this raise (checking `ev`
        # for a timeout) is missing from this listing.
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An undefined ciphersuite must fail negotiation, not fall back.
    dev[0].set_network_quoted(id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): guard line missing here as well.
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the key changed; the server must reject it.
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # The shared key is given as 64 hex digits (32 bytes).
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Only the first byte differs (01 -> ff); the server must reject it.
    eap_connect(sta, ap, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # `id` is the network id returned by eap_connect(); reused below to
    # change phase1 on the same profile. (Shadows the builtin.)
    id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Force specific DH group / encryption / PRF / MAC combinations through
    # phase1; every listed combination must still negotiate successfully.
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        # NOTE(review): the guard line preceding this raise (checking `ev`
        # for a timeout) is missing from this listing.
        raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # All-undefined proposal: negotiation must fail, not fall back.
    dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): guard line missing here as well.
    raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    # `params` arrives as the test-runner options dict and is then rebound
    # to the AP configuration below — two unrelated meanings for one name.
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the initialisation of the `success` and `fail` counters
    # logged at the end is missing from this listing.
    for i in range(100):
        # NOTE(review): the inner loop header binding the station index `j`
        # is missing from this listing.
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
            # NOTE(review): one line missing here.
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            # NOTE(review): the guard line preceding this raise is missing.
            raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                # NOTE(review): one line missing here (presumably the
                # failure counter increment).
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                # NOTE(review): three lines missing here (the back-off and
                # the success-path counter).
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Internal EAP server configured with an NAI-form server identity; the
    # EKE exchange must complete against that server_id.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Robustness test: allocation failures are injected into the hostapd
    # EAP-EKE server at specific call sites and the server must fail the
    # exchange cleanly (no crash, no hang).
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # (count, function): fail the count-th allocation inside `function`.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Failure points where the exchange would not produce an EAP-Failure in
    # time; instead poll GET_ALLOC_FAIL until the injected failure has fired.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): the polling loop header and its sleep are
            # missing from this listing; the `if` below is its body.
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    # NOTE(review): one line missing here (presumably `break`).
            dev[0].request("REMOVE_NETWORK all")

    # Sweep allocation failures through the generic server state machine
    # until alloc_fail reports that no failure triggered, i.e. the whole
    # exchange completed without hitting an allocation.
    # `pw` here is the value left over from the previous loop, not a
    # deliberate choice — worth binding explicitly upstream.
    for count in range(1, 1000):
        # NOTE(review): a `try:` line is missing here.
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                # NOTE(review): polling loop header and sleep missing here.
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        # NOTE(review): one line missing (presumably `break`).
                dev[0].request("REMOVE_NETWORK all")
        # Python 2 only syntax; `except Exception as e:` is the portable form.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # NOTE(review): one line missing here (presumably `break`).
            raise Exception("Too few allocation failures")
    logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def forget_networks():
        # Drop the previous profile so each eap_connect() starts clean.
        sta.request("REMOVE_NETWORK all")

    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")
    forget_networks()
    # Small fragment_size on the station profile: the IKEv2 payloads are
    # presumably split across several EAP packets.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password",
                fragment_size="50")

    logger.info("Negative test with incorrect password")
    forget_networks()
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike-password",
                expect_failure=True)
    forget_networks()
    # fragment_size="0" is the other boundary of the fragmentation setting.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password",
                fragment_size="0")
    forget_networks()
    sta.wait_disconnected()
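def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is built explicitly. The original also called
    # hostapd.wpa2_eap_params() first and then immediately overwrote the
    # result, so that call was a dead store and has been removed.
    # fragment_size on the server side presumably forces the IKEv2 payloads
    # to be split across several EAP packets towards the station.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")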
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # Robustness test on the station side: allocation and crypto failures
    # are injected into the DH helpers used by EAP-IKEv2 and the method
    # must fail cleanly.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): one entry of this list is missing from the listing.
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the guard line preceding this raise is missing.
            raise Exception("EAP method not selected")
            # NOTE(review): the polling loop around the GET_ALLOC_FAIL check
            # (header, sleep, break) is missing from this listing.
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
            dev[0].request("REMOVE_NETWORK all")

    # Same flow, but with fail_test() forcing the random-number fetch inside
    # dh_init() to fail rather than an allocation.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard line missing here as well.
            raise Exception("EAP method not selected")
            # NOTE(review): polling loop around GET_FAIL missing here too.
                if "0:" in dev[0].request("GET_FAIL"):
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Shared key given as 32 hex digits (16 bytes).
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "PAX", "pax.user@example.com", password_hex=good_key)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Leading byte flipped (01 -> ff); the server must reject it.
    eap_connect(sta, ap, "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta, ap = dev[0], apdev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based 802.1X AKM with management frame protection required.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(ap['ifname'], ap_params)

    # Shared key given as 32 hex digits (16 bytes).
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    # 00-0f-ac-5 is the 802.1X-SHA256 AKM suite selector; it must be both
    # the requested and the selected suite.
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    # The scan result must advertise the SHA256 AKM as well.
    bss = sta.get_bss(ap['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in flags:
        raise Exception("Unexpected BSS flags: " + flags)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Leading byte flipped (01 -> ff); the server must reject it.
    eap_connect(sta, ap, "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # Robustness test on the station side: allocation and primitive failures
    # are injected into the AES-EAX / OMAC1 helpers used by EAP-PSK and the
    # method must fail cleanly. Skipped under FIPS (presumably because the
    # non-FIPS AES helpers are the ones instrumented here).
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # (count, function): fail the count-th allocation inside `function`;
    # the leading "=" presumably matches the function name exactly.
    tests = [ (1, "=aes_128_eax_encrypt"),
              (1, "=aes_128_eax_decrypt") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): the guard line preceding this raise is missing
            # from this listing.
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # "inner;outer" selects a failure in `inner` only when called from
    # `outer`, so each branch of the EAX construction is hit separately.
    tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
              (1, "omac1_aes_128;aes_128_eax_encrypt"),
              (2, "omac1_aes_128;aes_128_eax_encrypt"),
              (3, "omac1_aes_128;aes_128_eax_encrypt"),
              (1, "omac1_aes_vector"),
              (1, "omac1_aes_128;aes_128_eax_decrypt"),
              (2, "omac1_aes_128;aes_128_eax_decrypt"),
              (3, "omac1_aes_128;aes_128_eax_decrypt"),
              (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                           identity="psk.user@example.com",
                           password_hex="0123456789abcdef0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): guard line missing here as well.
            raise Exception("EAP method not selected")
            wait_fail_trigger(dev[0], "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A failing block encryption must surface as an EAP failure event.
    with fail_test(dev[0], 1, "aes_128_encrypt_block"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                       identity="psk.user@example.com",
                       password_hex="0123456789abcdef0123456789abcdef",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): guard line missing here as well.
        raise Exception("EAP method failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (TKIP-era, non-RSN) variant: the AKM selectors checked below use
    # the 00-50-f2 (WPA) OUI instead of 00-0f-ac (RSN).
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the argument closing this connect() call (presumably
    # scan_freq) is missing from this listing.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The EAP Session-Id starts with the EAP type code; 0x19 (25) is PEAP.
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # Exercises the control-interface prompt flow: the profile is created
    # without identity and/or password, wpa_supplicant emits CTRL-REQ-* and
    # the test answers with CTRL-RSP-*.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # `hapd` is not used below.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request, password to supply on request)
    # NOTE(review): the first entry's trailing fields are on a line missing
    # from this listing.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): one line missing here (presumably logging `desc`).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): the condition guarding the identity prompt (only when
        # `req_id` is set) and the timeout guard are missing from this listing.
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            raise Exception("Request for identity timed out")
            # The request id is the last '-'-separated token before ':'.
            id = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): guard line missing here as well.
        raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # GTC may prompt for an OTP rather than a password; answer in kind.
        # (`type` shadows the builtin.)
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # `hapd` is not used below.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # A second, open profile that is added but not enabled yet.
    id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
                              only_add_network=True)

    # EAP profile without identity: wpa_supplicant must ask for it.
    req_id = "DOMAIN\mschapv2 user"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   anonymous_identity="ttls", identity=None,
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
    # NOTE(review): the guard line preceding this raise is missing from
    # this listing.
    raise Exception("Request for identity timed out")
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
    dev[0].wait_connected(timeout=10)

    # Enabling another network while connected must not trigger a
    # reconnection attempt.
    if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
    # NOTE(review): the guard line preceding this raise is missing; here the
    # raise is expected when an event *was* seen.
    raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    # NOTE(review): the remaining arguments of this eap_connect() call are
    # missing from this listing.
    eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failure points inside the vendor test EAP method.
    tests = [ "eap_vendor_test_init",
              "eap_msg_alloc;eap_vendor_test_process",
              "eap_vendor_test_getKey" ]
    # NOTE(review): the loop header iterating over `tests` (binding `func`)
    # is missing from this listing.
        with alloc_fail(dev[0], 1, func):
            # NOTE(review): two argument lines of this connect() call are
            # missing from this listing.
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="VENDOR-TEST", identity="vendor-test",
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    sta, ap = dev[0], apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # fast_provisioning=1 selects unauthenticated PAC provisioning; the
    # resulting PAC is kept in a named blob rather than a file on disk.
    fast_profile = dict(anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    eap_connect(sta, ap, "FAST", "user", **fast_profile)
    hwsim_utils.test_connectivity(sta, hapd)

    # Reauthentication must resume using the PAC that was just provisioned,
    # which shows up as the TLS session being reported as reused.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    # `params` arrives as the test-runner options dict (logdir is read from
    # it) and is then rebound to the AP configuration — two meanings for one
    # name.
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): two lines are missing here (presumably a try: that pairs
    # with the cleanup at the end of the function).
    # Provision a PAC into a text-format file on disk and check its header.
    # The PAC-Key is a credential: the file should be treated as such.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file=pac_file)
    with open(pac_file, "r") as f:
        # NOTE(review): the line reading the file into `data` is missing.
    if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
        raise Exception("PAC file header missing")
    if "PAC-Key=" not in data:
        raise Exception("PAC-Key missing from PAC file")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing argument(s) of this call (presumably the
    # pac_file without provisioning) are missing from this listing.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    # Same flow with the binary PAC format on a second station.
    # NOTE(review): the closing argument(s) of this call are missing too.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
    dev[1].request("REMOVE_NETWORK all")
    # NOTE(review): the closing argument(s) of this call are missing.
    eap_connect(dev[1], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_pac_format=binary",
    # NOTE(review): several cleanup lines are missing before and after the
    # removal of pac_file2 (presumably the finally: block removing both
    # PAC files regardless of outcome).
    os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def provision(max_pac_list_len):
        # Unauthenticated provisioning into a binary-format PAC blob, with
        # the PAC list length limit under test.
        eap_connect(sta, ap, "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_max_pac_list_len=%d fast_pac_format=binary" % max_pac_list_len,
                    pac_file="blob://fast_pac_bin")

    provision(1)
    # Reauthentication must resume with the PAC just provisioned.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    provision(0)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # A PAC blob that was never provisioned and no fast_provisioning in
    # phase1: the method must fail rather than connect without a PAC.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line preceding this raise (checking `ev` for
    # a timeout) is missing from this listing.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    # Same without any pac_file at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): guard line missing here as well.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    # Negative tests for the binary PAC store: allocation failures while
    # writing/saving it, and malformed blobs that the loader must reject.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failures while saving/writing the PAC after provisioning.
    tests = [ (1, "=eap_fast_save_pac_bin"),
              (1, "eap_fast_write_pac"),
              (2, "eap_fast_write_pac"), ]
    for count, func in tests:
        # Start from an empty blob each time.
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Malformed binary PAC blobs (hex). "6ae4920c" looks like the format
    # magic and the following two bytes a version/flags field — confirm
    # against eap_fast_pac.c; the entries vary length fields and element
    # counts so that each parser check is exercised.
    # NOTE(review): one entry of this list is missing from the listing, as
    # is the loop header iterating over it (binding `t`).
    tests = [ "00", "000000000000", "6ae4920c0001",
              "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
              "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
            raise Exception("Could not set blob")

        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       phase1="fast_provisioning=1 fast_pac_format=binary",
                       pac_file="blob://fast_pac_bin_errors",
                       scan_freq="2412", wait_connect=False)
        # NOTE(review): the closing argument of this wait_event() call and
        # the guard line before the raise are missing from this listing.
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
        raise Exception("Failure not reported")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # A minimal but well-formed blob; fail allocations while loading it.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
    tests = [ (1, "eap_fast_load_pac_bin"),
              (2, "eap_fast_load_pac_bin"),
              (3, "eap_fast_load_pac_bin") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1 fast_pac_format=binary",
                           pac_file="blob://fast_pac_bin_errors",
                           scan_freq="2412", wait_connect=False)
            # NOTE(review): closing argument and guard line missing here too.
            ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
            raise Exception("Failure not reported")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A blob carrying an unknown/odd trailing element; provisioning must
    # still succeed (the loader tolerates it).
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
    if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
        raise Exception("Could not set blob")

    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin_errors")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # A blob with an A-ID element; fail allocations while looking it up.
    pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
    tests = [ (1, "eap_fast_pac_get_a_id"),
              (2, "eap_fast_pac_get_a_id") ]
    for count, func in tests:
        if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
            raise Exception("Could not set blob")
        with alloc_fail(dev[0], count, func):
            eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=1 fast_pac_format=binary",
                        pac_file="blob://fast_pac_bin_errors")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors"""
    # Negative tests for the text-format PAC store: allocation failures in
    # the parser/saver, a truncated PAC file, and a failure while adding a
    # second PAC entry.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # "inner;outer" selects a failure in `inner` only when called from
    # `outer`, so each hex field of the text PAC is hit separately.
    tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
              (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
              (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
              (1, "eap_fast_parse_start"),
              (1, "eap_fast_save_pac") ]
    for count, func in tests:
        dev[0].request("FLUSH")
        # Start from an empty blob each time.
        if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
            raise Exception("Could not set blob")

        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A text PAC with a valid header but incomplete content: initialisation
    # of the method must fail rather than use a partial PAC.
    # NOTE(review): the lines appending the remaining PAC content to `pac`
    # are missing from this listing. `.encode("hex")` is Python 2 only.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
        raise Exception("Could not set blob")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_text_errors",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    # NOTE(review): the guard line preceding this raise (checking `ev` for
    # a timeout) is missing from this listing.
    raise Exception("Failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    dev[0].request("FLUSH")
    if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
        raise Exception("Could not set blob")

    # Provision against several distinct servers (different A-ID and PAC
    # encryption key) so that more than one PAC entry is added to the
    # store, while the add-entry allocation is made to fail.
    with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
        # NOTE(review): the loop header binding `i` is missing from this
        # listing; the indented body below belongs to it.
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            # NOTE(review): one line missing here.
            hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)
            # NOTE(review): one line missing here.
            dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac_text_errors",
                           scan_freq="2412", wait_connect=False)
            dev[0].wait_connected()
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            # NOTE(review): the remaining lines of this block (presumably
            # tearing down hapd2 and checking the failure trigger) are
            # missing from this listing.
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC blob.
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    # NOTE(review): ``i`` is not bound in the visible lines; the loop header
    # that presumably encloses the rest of this function is not in this
    # listing. Each iteration brings up an AP with a different A-ID so that
    # another PAC entry gets provisioned.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # fast_max_pac_list_len=2 caps the stored PAC list, so provisioning a
    # third PAC must drop the oldest one instead of growing the list.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                   pac_file="blob://fast_pac_truncate",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): ``i`` is not bound in the visible lines; the loop headers
    # enclosing the two provisioning rounds below are not in this listing.
    # Round 1: a short refresh time (1 s) against a 10 s lifetime, so the
    # server is expected to hand out a refreshed PAC on reconnection.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "1"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # NOTE(review): the lines between the two rounds are not in this listing.
    # Round 2: refresh time equal to the lifetime (10 s / 10 s).
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "10"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime"""
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    # NOTE(review): ``i`` is not bound in the visible lines; the lines
    # preceding this block (presumably a loop header) are not in this listing.
    # No refresh, and a PAC that expires after 2 s.
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # ``id`` shadows the builtin; it is the network id used by select_network.
    # fast_provisioning=2 = authenticated provisioning.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_refresh",
                        scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # NOTE(review): the lines before PMKSA_FLUSH (presumably a wait for the
    # PAC to expire) are not in this listing. Flushing the PMKSA cache
    # forces a full EAP exchange on RECONNECT instead of a cached PMK, so
    # the expired PAC is actually presented to the server.
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): the guard conditioning this raise (presumably
    # ``if ev is None:``) is not in this listing.
    raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # After the failure the station should re-provision and connect again.
    dev[0].select_network(id)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated provisioning; the PAC ends up
    # in the fast_pac_auth blob.
    fast_cfg = dict(anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth")
    eap_connect(sta, apdev[0], "FAST", "user", **fast_cfg)
    hwsim_utils.test_connectivity(sta, hapd)
    # A reauthentication must resume the TLS session via the provisioned PAC.
    reauth = eap_reauth(sta, "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # ``id`` shadows the builtin; it is the network id returned by eap_connect.
    id = eap_connect(dev[0], apdev[0], "FAST", "user",
                     anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                     phase1="fast_provisioning=2",
                     pac_file="blob://fast_pac_auth")
    # Changing the identity of the connected network triggers a reconnection;
    # "user2" is not expected to authenticate, so EAP-FAST must start and
    # then fail rather than silently reuse the old credentials.
    dev[0].set_network_quoted(id, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    # NOTE(review): the guards conditioning the two raises below (presumably
    # ``if ev is None:``) are not in this listing.
    raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    check_eap_capa(dev[0], "FAST")
    # The PRF lives in a library-specific function, so the failure point
    # depends on which TLS backend the build uses.
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
    # NOTE(review): the assignment of ``count`` in each branch and the final
    # ``else:`` line are not in this listing; ``count`` is used below.
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
    raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], count, func):
        # NOTE(review): the line carrying the phase2 argument is not in this
        # listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        # A failed PRF must surface as an EAP failure, not a hang.
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): the guard conditioning this raise is not in this listing.
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    check_eap_capa(dev[0], "FAST")

    # Use hostapd's integrated EAP server so that the allocation failure can
    # be injected on the server side.
    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # First allocation in the session-ticket extension callback fails, so
    # the server cannot process the PAC-Opaque and the exchange must fail.
    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        # ``id`` shadows the builtin; it is the network id reused below.
        id = eap_connect(dev[0], apdev[0], "FAST", "user",
                         anonymous_identity="FAST", password="password",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                         phase1="fast_provisioning=1",
                         pac_file="blob://fast_pac",
                         expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        # NOTE(review): the guard conditioning this raise (presumably
        # ``if ev is None:``) is not in this listing.
        raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    # With the failure injection gone, the same network should work again.
    dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    check_eap_capa(dev[0], "FAST")
    # openssl_ciphers is an OpenSSL-only network parameter.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Provisioning run with an empty PAC blob; the result of the SET is not
    # checked here, unlike the other PAC tests.
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    # The provisioning exchange is expected to pick exactly this suite.
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # NOTE(review): the middle entries of this list are not in this listing.
    tests = [ "DHE-RSA-AES128-SHA",
              "DHE-RSA-AES256-SHA" ]
    for cipher in tests:
        # Reconnect using the provisioned PAC while pinning the cipher list,
        # then confirm the negotiated suite matches the configured one.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    openssl_ciphers=cipher,
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                    pac_file="blob://fast_pac_ciphers")
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        # NOTE(review): the comparison guarding this raise (presumably
        # ``if res != cipher:``) is not in this listing.
        raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client credentials come from a PKCS#12 bundle; ocsp=2 asks the station
    # to check the server certificate status via stapled OCSP.
    tls_cfg = {"ca_cert": "auth_serv/ca.pem",
               "private_key": "auth_serv/user.pkcs12",
               "private_key_passwd": "whatever",
               "ocsp": 2}
    eap_connect(sta, apdev[0], "TLS", "tls user", **tls_cfg)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same station configuration as the single-response OCSP test; only the
    # capability check above differs.
    tls_cfg = {"ca_cert": "auth_serv/ca.pem",
               "private_key": "auth_serv/user.pkcs12",
               "private_key_passwd": "whatever",
               "ocsp": 2}
    eap_connect(sta, apdev[0], "TLS", "tls user", **tls_cfg)
def int_eap_server_params():
    """Build hostapd parameters for an AP with the integrated EAP server.

    Returns a fresh dict each call so callers may modify it (ssid, OCSP
    response, certificate files) without affecting other tests. All
    credentials point at the test-suite fixtures under auth_serv/.
    """
    # NOTE(review): the statement returning ``params`` is not in this listing.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "dh_file": "auth_serv/dh.conf" }
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip rather than fail when
    # the fixture is absent. ``params`` is rebound below, so the logdir is
    # read first.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line of this call is not in this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line of this call is not in this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    # The AP staples a "revoked" response; the station must refuse the
    # server certificate and end up with an EAP failure.
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the bodies of the two substring checks and the counter that feeds the
    # last raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    # An "unknown" status is treated as a bad status response when OCSP is
    # required (ocsp=2), so the connection must fail.
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    # A response signed by the server's own key is not an acceptable OCSP
    # signer for this CA, so the station must reject it.
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Deliberately staple an OCSP *request* where a response is expected;
    # the station has to treat the undecodable blob as a bad status response.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Corrupted copy of the cached response; must be rejected as invalid.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    # Response signed by a key the station does not trust for OCSP; a
    # well-formed but untrusted signature must not count as a good status.
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # TTLS/PAP sends the inner password in the tunnel, so a revoked server
    # certificate must abort the exchange before phase 2 starts.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the bodies of the two substring checks and the counter that feeds the
    # last raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
    check_ocsp_support(dev[0])
    # Pre-generated response from the test setup; skip when absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # With OCSP required (ocsp=2) an "unknown" status is as fatal as
    # "revoked": the tunnel must not be established.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the body of the substring check and the counter that feeds the last
    # raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
    raise Exception("Timeout on EAP status")
    if 'bad certificate status response' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
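def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP (status unknown)

    Counterpart of the strict ocsp=2 test with the same fixture: with
    ocsp=1 the station only requests the status, so an "unknown" answer
    must not prevent the connection.
    """
    # Pre-generated response from the test setup; skip when absent. The
    # logdir is read before ``params`` is rebound to the AP configuration.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Default wait_connect: the call itself fails the test if the
    # connection does not complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")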
def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA"""
    params = int_eap_server_params()
    # Server side: certificate issued by an intermediate CA; the bundle holds
    # both the intermediate and the root so the chain can be sent in full.
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Client side: a separate intermediate for user certificates, trusted
    # via its own intermediate+root bundle.
    # NOTE(review): the closing line of this call is not in this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
def root_ocsp(cert):
    """Produce an OCSP response for *cert* signed by the test root CA.

    Runs the openssl command-line tool twice: once to write an OCSP request
    for the certificate into a temporary file, then once more to answer it
    from the root CA's index and write the DER response to a second
    temporary file.

    NOTE(review): the tail of this function (closing of the pipes and
    descriptors, removal of the request file and the return of the
    response path) is not in this listing.
    """
    ca = "auth_serv/ca.pem"

    # NOTE(review): the descriptor returned here is not closed in the
    # visible lines; only the path is used.
    fd2, fn2 = tempfile.mkstemp()

    # Argument list form (no shell), so the paths are passed verbatim.
    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
            "-no_nonce", "-sha256", "-text" ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    # NOTE(review): reading stdout to EOF before touching stderr can block
    # if the child fills the stderr pipe first; communicate() drains both.
    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
    logger.info("OCSP request:\n" + res)

    fd, fn = tempfile.mkstemp()
    # -rsigner/-rkey: sign with the root CA itself; -ndays 7 bounds the
    # validity window of the produced response; -resp_no_certs keeps the
    # signer certificate out of the response.
    # NOTE(review): the line closing this list literal is not in this listing.
    arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
            "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    res = cmd.stdout.read() + "\n" + cmd.stderr.read()
    logger.info("OCSP response:\n" + res)
# NOTE(review): these statements are the body of a helper whose ``def`` line
# (it takes ``cert``) and trailing return are not in this listing. It mirrors
# root_ocsp() but answers from the intermediate server CA's index instead of
# the root's, producing an OCSP response for an intermediate-issued
# certificate.
prefix = "auth_serv/iCA-server/"
ca = prefix + "cacert.pem"
cert = prefix + cert

# NOTE(review): the descriptor returned here is not closed in the visible
# lines; only the path is used.
fd2, fn2 = tempfile.mkstemp()

# Argument list form (no shell), so the paths are passed verbatim.
arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
        "-no_nonce", "-sha256", "-text" ]
cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE)
# NOTE(review): reading stdout to EOF before stderr can block if the child
# fills the stderr pipe first; communicate() drains both.
res = cmd.stdout.read() + "\n" + cmd.stderr.read()
logger.info("OCSP request:\n" + res)

fd, fn = tempfile.mkstemp()
# Signed by the intermediate CA's own key; -ndays 7 bounds the validity
# window of the produced response.
# NOTE(review): the line closing this list literal is not in this listing.
arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
        "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
        "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
        "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                       stderr=subprocess.PIPE)
res = cmd.stdout.read() + "\n" + cmd.stderr.read()
logger.info("OCSP response:\n" + res)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    # Generate a fresh "good" response for the server certificate, signed by
    # the intermediate CA, and staple it.
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn

    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the lines following this call (cleanup of the network
    # and of the temporary response file) are not in this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=2)
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
    params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
    # The intermediate CA's index marks this certificate revoked, so the
    # generated response carries a "revoked" status.
    fn = ica_ocsp("server-revoked.pem")
    params["ocsp_stapling_response"] = fn

    hostapd.add_ap(apdev[0]['ifname'], params)
    # Even in optional mode (ocsp=1) a definite "revoked" answer must fail
    # the connection; the EAP-SUCCESS check below catches the opposite.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=1, wait_connect=False)

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the bodies of the two substring checks and the counter that feeds the
    # last raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                            "CTRL-EVENT-EAP-SUCCESS"])
    raise Exception("Timeout on EAP status")
    if "CTRL-EVENT-EAP-SUCCESS" in ev:
        raise Exception("Unexpected EAP-Success")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    # Only a single-certificate response is stapled; no multi response is
    # configured for the chain.
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn

    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=3 asks for status of the whole chain (multi); with the multi
    # response missing the station is expected to fail rather than accept
    # the partial information.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=3, wait_connect=False)

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the bodies of the two substring checks and the counter that feeds the
    # last raise are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                            "CTRL-EVENT-EAP-SUCCESS"])
    raise Exception("Timeout on EAP status")
    if "CTRL-EVENT-EAP-SUCCESS" in ev:
        raise Exception("Unexpected EAP-Success")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the ``ev is None`` guard is not in this listing.
    raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    # One response per chain element: the server certificate answered by the
    # intermediate CA, the intermediate's certificate answered by the root.
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    params["ocsp_stapling_response"] = fn

    # Text-mode reads of DER data: fine on Python 2/POSIX, but Python 3
    # would need "rb"/"wb" here and below.
    # NOTE(review): the read of the second file into ``resp_ica``, the
    # closing of fd3 and the writes of ``resp_ica`` are not in this listing.
    with open(fn, "r") as f:
        resp_server = f.read()
    with open(fn2, "r") as f:

    fd3, fn3 = tempfile.mkstemp()
    # Multi-response file: each DER response is prefixed by its length as a
    # 3-byte big-endian integer (the low three bytes of a packed uint32).
    f = os.fdopen(fd3, 'w')
    f.write(struct.pack(">L", len(resp_server))[1:4])
    f.write(resp_server)
    f.write(struct.pack(">L", len(resp_ica))[1:4])

    params["ocsp_stapling_response_multi"] = fn3

    hostapd.add_ap(apdev[0]['ifname'], params)
    # ocsp=3 requires status for the whole chain; both responses are good.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412", ocsp=3)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)"""
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    # Both pre-generated fixtures are required; skip when either is absent.
    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    # Text-mode reads of DER data: fine on Python 2/POSIX, but Python 3
    # would need "rb"/"wb" here and below.
    with open(ocsp_revoked, "r") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "r") as f:
        resp_unknown = f.read()

    # NOTE(review): the closing of ``fd`` after mkstemp and of ``f`` after
    # the writes are not in this listing.
    fd, fn = tempfile.mkstemp()
    # This is not really a valid order of the OCSPResponse items in the
    # list, but this works for now to verify parsing and processing of
    # multiple responses.
    # Each item is a 3-byte big-endian length followed by the DER response;
    # the zero-length item exercises the "no response for this element" case.
    f = os.fdopen(fd, 'w')
    f.write(struct.pack(">L", len(resp_unknown))[1:4])
    f.write(resp_unknown)
    f.write(struct.pack(">L", len(resp_revoked))[1:4])
    f.write(resp_revoked)
    f.write(struct.pack(">L", 0)[1:4])
    f.write(struct.pack(">L", len(resp_unknown))[1:4])
    f.write(resp_unknown)

    params = int_eap_server_params()
    params["ocsp_stapling_response_multi"] = fn
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Optional OCSP (ocsp=1): the "revoked" item in the list must still make
    # the station refuse the connection; EAP-SUCCESS is checked for below.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=1,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the status-event loop is only partially present in this
    # listing: the loop header, the ``ev is None`` guard on the first raise,
    # the bodies of the two substring checks, the counter that feeds the
    # last raise and the trailing cleanup are not shown.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                            "CTRL-EVENT-EAP-SUCCESS"])
    raise Exception("Timeout on EAP status")
    if "CTRL-EVENT-EAP-SUCCESS" in ev:
        raise Exception("Unexpected EAP-Success")
    if 'bad certificate status response' in ev:
    if 'certificate revoked' in ev:
    raise Exception("Unexpected number of EAP status messages")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # Requires a TLS library that can do a full match on the subject CN.
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # A server certificate without a dNSName SAN, so the suffix check has to
    # fall back to the CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing line of this call is not in this listing.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
4049 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
4050 """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
# Purpose: exact domain_match against the subject CN of a server certificate
# that (per its file name) has no dNSName SAN. Skips unless the TLS library
# supports domain_match; otherwise the connection is expected to succeed.
4051 check_domain_match(dev[0])
4052 params = int_eap_server_params()
4053 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4054 params["private_key"] = "auth_serv/server-no-dnsname.key"
4055 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4056 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4057 identity="tls user", ca_cert="auth_serv/ca.pem",
4058 private_key="auth_serv/user.pkcs12",
4059 private_key_passwd="whatever",
4060 domain_match="server3.w1.fi",
4063 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
4064 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN) with a parent-domain suffix"""
# Purpose: domain_suffix_match="w1.fi" against a CN of server3.w1.fi (the
# parent domain on a label boundary) must be accepted when matched on CN.
# NOTE(review): the capability check runs on dev[0] but the connection is
# made from dev[1]; presumably both run the same build, but the check does
# not guard the device actually used.
4065 check_domain_match_full(dev[0])
4066 params = int_eap_server_params()
4067 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4068 params["private_key"] = "auth_serv/server-no-dnsname.key"
4069 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4070 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4071 identity="tls user", ca_cert="auth_serv/ca.pem",
4072 private_key="auth_serv/user.pkcs12",
4073 private_key_passwd="whatever",
4074 domain_suffix_match="w1.fi",
4077 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
4078 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
# Purpose: negative test for domain_suffix_match against the subject CN.
# dev[0] uses an unrelated domain; dev[1] uses "erver3.w1.fi", which is a
# plain string suffix of server3.w1.fi but not on a label boundary. Both
# must end in EAP-FAILURE, i.e. suffix matching must be label-aware and not a
# substring comparison.
4079 check_domain_suffix_match(dev[0])
4080 params = int_eap_server_params()
4081 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4082 params["private_key"] = "auth_serv/server-no-dnsname.key"
4083 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the trailing connect() arguments (presumably wait_connect=False
# and scan_freq) are not visible in this listing.
4084 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4085 identity="tls user", ca_cert="auth_serv/ca.pem",
4086 private_key="auth_serv/user.pkcs12",
4087 private_key_passwd="whatever",
4088 domain_suffix_match="example.com",
4091 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4092 identity="tls user", ca_cert="auth_serv/ca.pem",
4093 private_key="auth_serv/user.pkcs12",
4094 private_key_passwd="whatever",
4095 domain_suffix_match="erver3.w1.fi",
# The None-check guarding each raise below is not visible in this listing.
4098 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4100 raise Exception("Timeout on EAP failure report")
4101 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4103 raise Exception("Timeout on EAP failure report (2)")
4105 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
4106 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
# Purpose: negative test for the exact-match domain_match option on the
# subject CN. dev[0] uses an unrelated domain and dev[1] the parent domain
# "w1.fi"; a parent domain is acceptable for domain_suffix_match but must be
# rejected by domain_match, so both devices must report EAP-FAILURE.
4107 check_domain_match(dev[0])
4108 params = int_eap_server_params()
4109 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
4110 params["private_key"] = "auth_serv/server-no-dnsname.key"
4111 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the trailing connect() arguments are not visible in this
# listing.
4112 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4113 identity="tls user", ca_cert="auth_serv/ca.pem",
4114 private_key="auth_serv/user.pkcs12",
4115 private_key_passwd="whatever",
4116 domain_match="example.com",
4119 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4120 identity="tls user", ca_cert="auth_serv/ca.pem",
4121 private_key="auth_serv/user.pkcs12",
4122 private_key_passwd="whatever",
4123 domain_match="w1.fi",
# The None-check guarding each raise below is not visible in this listing.
4126 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4128 raise Exception("Timeout on EAP failure report")
4129 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4131 raise Exception("Timeout on EAP failure report (2)")
4133 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
4134 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
# Purpose: an expired server certificate must be rejected by the supplicant.
# The test checks both that a CTRL-EVENT-EAP-TLS-CERT-ERROR with reason=4 and
# the "certificate has expired" text is reported and that EAP then fails.
4135 skip_with_fips(dev[0])
4136 params = int_eap_server_params()
4137 params["server_cert"] = "auth_serv/server-expired.pem"
4138 params["private_key"] = "auth_serv/server-expired.key"
4139 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the trailing connect() arguments and the None-checks before
# each raise are not visible in this listing.
4140 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4141 identity="mschap user", password="password",
4142 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4145 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4147 raise Exception("Timeout on EAP certificate error report")
4148 if "reason=4" not in ev or "certificate has expired" not in ev:
4149 raise Exception("Unexpected failure reason: " + ev)
4150 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4152 raise Exception("Timeout on EAP failure report")
4154 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
4155 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
# Purpose: same expired server certificate as the previous test, but the
# profile sets phase1="tls_disable_time_checks=1" so validity-period checks
# are skipped and the connection is expected to succeed. This is a test-only
# setting; in a deployed profile it removes the expiry check entirely.
4156 skip_with_fips(dev[0])
4157 params = int_eap_server_params()
4158 params["server_cert"] = "auth_serv/server-expired.pem"
4159 params["private_key"] = "auth_serv/server-expired.key"
4160 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4161 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4162 identity="mschap user", password="password",
4163 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4164 phase1="tls_disable_time_checks=1",
4167 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
4168 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
# Purpose: a server certificate with an unusually long validity period (per
# the file name) must still be accepted; the connection is expected to succeed.
4169 skip_with_fips(dev[0])
4170 params = int_eap_server_params()
4171 params["server_cert"] = "auth_serv/server-long-duration.pem"
4172 params["private_key"] = "auth_serv/server-long-duration.key"
4173 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4174 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4175 identity="mschap user", password="password",
4176 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4179 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
4180 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
# Purpose: a server certificate whose Extended Key Usage (per the file name)
# only allows client authentication must not be accepted as a server
# certificate; the supplicant is expected to report EAP-FAILURE.
4181 skip_with_fips(dev[0])
4182 params = int_eap_server_params()
4183 params["server_cert"] = "auth_serv/server-eku-client.pem"
4184 params["private_key"] = "auth_serv/server-eku-client.key"
4185 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the trailing connect() arguments and the None-check before
# the raise are not visible in this listing.
4186 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4187 identity="mschap user", password="password",
4188 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4191 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4193 raise Exception("Timeout on EAP failure report")
4195 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
4196 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
# Purpose: counterpart of the client-EKU test; a certificate that (per the
# file name) carries both client and server EKU is a valid server certificate
# and the connection is expected to succeed.
4197 skip_with_fips(dev[0])
4198 params = int_eap_server_params()
4199 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
4200 params["private_key"] = "auth_serv/server-eku-client-server.key"
4201 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4202 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4203 identity="mschap user", password="password",
4204 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4207 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
4208 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
# Purpose: the server loads its certificate and key from a single PKCS#12
# file (server_cert removed, private_key pointing at the .pkcs12); the
# connection is expected to succeed.
4209 skip_with_fips(dev[0])
4210 params = int_eap_server_params()
4211 del params["server_cert"]
4212 params["private_key"] = "auth_serv/server.pkcs12"
4213 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4214 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4215 identity="mschap user", password="password",
4216 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4219 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
4220 """EAP-TTLS and server PKCS#12 file with extra certs"""
# Purpose: like the plain PKCS#12 test, but the container (per its name)
# holds additional certificates and is password protected; the connection is
# expected to succeed.
4221 skip_with_fips(dev[0])
4222 params = int_eap_server_params()
4223 del params["server_cert"]
4224 params["private_key"] = "auth_serv/server-extra.pkcs12"
4225 params["private_key_passwd"] = "whatever"
4226 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the closing argument line of this connect() call is not
# visible in this listing.
4227 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4228 identity="mschap user", password="password",
4229 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and a client-side DH params file"""
    # Plain WPA2-Enterprise AP; the DH parameter file is a wpa_supplicant
    # network setting (dh_file), not a server setting.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and DSA-style DH params on the client"""
    # Skips unless the supplicant build can load DSA parameters as DH params.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                     dh_file="auth_serv/dsaparam.pem")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
4251 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
4252 """EAP-TTLS and DH params file not found"""
# Purpose: a client-side dh_file that does not exist must make the EAP
# attempt fail (CTRL-EVENT-EAP-FAILURE) rather than silently proceed.
# NOTE(review): a function with this same name is defined again later in this
# file (the server-side dh_file variant); the later definition rebinds the
# name at import time, so this client-side test is not reachable by name.
4253 skip_with_fips(dev[0])
4254 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4255 hostapd.add_ap(apdev[0]['ifname'], params)
4256 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4257 identity="mschap user", password="password",
4258 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4259 dh_file="auth_serv/dh-no-such-file.conf",
4260 scan_freq="2412", wait_connect=False)
# The None-check guarding the raise below is not visible in this listing.
4261 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4263 raise Exception("EAP failure timed out")
# Clean up so the failed profile does not keep retrying in later tests.
4264 dev[0].request("REMOVE_NETWORK all")
4265 dev[0].wait_disconnected()
4267 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
4268 """EAP-TTLS and invalid DH params file"""
# Purpose: pointing dh_file at a file that is not DH parameters (a CA
# certificate here) must make the EAP attempt fail.
# NOTE(review): a function with this same name is defined again later in this
# file (the server-side variant); the later definition rebinds the name at
# import time, so this client-side test is not reachable by name.
4269 skip_with_fips(dev[0])
4270 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4271 hostapd.add_ap(apdev[0]['ifname'], params)
4272 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4273 identity="mschap user", password="password",
4274 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4275 dh_file="auth_serv/ca.pem",
4276 scan_freq="2412", wait_connect=False)
# The None-check guarding the raise below is not visible in this listing.
4277 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4279 raise Exception("EAP failure timed out")
4280 dev[0].request("REMOVE_NETWORK all")
4281 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP with DH params supplied as a wpa_supplicant blob"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Store the DH parameter file as a named blob inside wpa_supplicant; the
    # network profile then refers to it through the blob:// scheme instead of
    # a filesystem path. (str.encode("hex") is Python 2 only.)
    dh_params = read_pem("auth_serv/dh2.conf")
    set_res = dev[0].request("SET blob dhparams " + dh_params.encode("hex"))
    if "OK" not in set_res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with an alternative dh_file on the server side"""
    # Here dh_file is a hostapd (integrated EAP server) setting.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with DSA-style dh_file on the server side"""
    ap_params = int_eap_server_params()
    # The server loads DSA parameters as its DH parameters.
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): a client-side test with this exact name is defined
    # earlier in this file; this later definition rebinds the name at import
    # time, so only this server-side variant is reachable by name.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the configuration error is observed
    # as a FAIL reply to ENABLE rather than during add_ap().
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): a client-side test with this exact name is defined
    # earlier in this file; this later definition rebinds the name at import
    # time, so only this server-side variant is reachable by name.
    ap_params = int_eap_server_params()
    # A CA certificate is not a DH parameter file; ENABLE must reject it.
    ap_params["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    enable_res = hapd.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid configuration accepted")
4329 def test_ap_wpa2_eap_reauth(dev, apdev):
4330 """WPA2-Enterprise and Authenticator forcing reauthentication"""
# Purpose: with eap_reauth_period set to 2 seconds on the AP, the
# Authenticator must trigger a new EAP exchange (EAP-STARTED then
# EAP-SUCCESS) and the supplicant must return to the COMPLETED state.
4331 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4332 params['eap_reauth_period'] = '2'
4333 hostapd.add_ap(apdev[0]['ifname'], params)
4334 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
4335 password_hex="0123456789abcdef0123456789abcdef")
4336 logger.info("Wait for reauthentication")
# The None-check guarding each raise below is not visible in this listing.
4337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
4339 raise Exception("Timeout on reauthentication")
4340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
4342 raise Exception("Timeout on reauthentication")
# Poll wpa_state up to 20 times for COMPLETED; the break and the per-iteration
# delay are not visible in this listing.
4343 for i in range(0, 20):
4344 state = dev[0].get_status_field("wpa_state")
4345 if state == "COMPLETED":
4348 if state != "COMPLETED":
4349 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # eap_message is the displayable text sent in EAP-Request/Identity; the
    # literal "\\0" in the config string presumably separates the display
    # text from the option part that follows it — confirm against hostapd.conf.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The connection must still succeed with the extra message present.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # Needs the hlr_auc_gw test backend for SIM/AKA vectors.
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password) per method under test. The password
    # strings are the test-only SIM/AKA credentials used with hlr_auc_gw
    # (presumably Ki:OPc[:SQN] — confirm against hlr_auc_gw's format).
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    last_idx = len(cases) - 1
    for idx, (method, identity, secret) in enumerate(cases):
        # dev[0] opts into the protected result indication and then runs a
        # reauthentication; dev[1] uses the same method without result_ind.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
        # Profiles are removed between methods, but not after the last one.
        if idx != last_idx:
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
4394 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
4395 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
# Purpose: drive the EAP exchange past the supplicant's roundtrip limit and
# verify the "EAP: more than ..." event is raised instead of the exchange
# continuing indefinitely (a DoS guard on the supplicant side).
4396 skip_with_fips(dev[0])
4397 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4398 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the connect() argument that forces the excessive number of
# roundtrips, and the None-check before the raise, are not visible in this
# listing.
4399 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4400 eap="TTLS", identity="mschap user",
4401 wait_connect=False, scan_freq="2412", ieee80211w="1",
4402 anonymous_identity="ttls", password="password",
4403 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
4405 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
4407 raise Exception("EAP roundtrip limit not reached")
4409 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
4410 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
# Purpose: the supplicant is configured for EAP-PSK while the server proposes
# other methods for this identity, so the supplicant must answer with a NAK
# ("refuse proposed method") and the exchange must end in EAP-FAILURE.
4411 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4412 hostapd.add_ap(apdev[0]['ifname'], params)
# NOTE(review): the trailing connect() arguments are not visible in this
# listing.
4413 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
4414 eap="PSK", identity="vendor-test",
4415 password_hex="ff23456789abcdef0123456789abcdef",
# Up to five EAP status events are inspected for the refusal; the break on a
# match, the None-checks and the else branch are not visible in this listing.
4419 for i in range(0, 5):
4420 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
4422 raise Exception("Association and EAP start timed out")
4423 if "refuse proposed method" in ev:
4427 raise Exception("Unexpected EAP status: " + ev)
4429 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4431 raise Exception("EAP failure timed out")
4433 def test_ap_wpa2_eap_sql(dev, apdev, params):
4434 """WPA2-Enterprise connection using SQLite for user DB"""
# Purpose: build a small SQLite EAP user database under the log directory and
# point the integrated EAP server at it via eap_user_file="sqlite:<path>",
# then authenticate TTLS/PAP, CHAP, MSCHAP and MSCHAPv2 users from it.
# Parameters: `params` here is the test-runner fixture dict (logdir is read
# from it); it is later rebound to the AP configuration dict, which is easy
# to misread — consider a different name for the AP config.
4435 skip_with_fips(dev[0])
# The guarded sqlite3 import is not visible in this listing; only its
# skip branch is.
4439 raise HwsimSkip("No sqlite3 module available")
4440 dbfile = os.path.join(params['logdir'], "eap-user.db")
# The statements below are constant literals (no external input is
# interpolated), so string-built SQL is acceptable here. Passwords are stored
# in clear text, which is fine for a throwaway test database only.
# The connection/cursor setup and commit/close lines are not visible in this
# listing.
4445 con = sqlite3.connect(dbfile)
4448 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4449 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
# phase2=1 marks these as inner (tunneled) users; the wildcard entry with an
# empty identity selects TTLS/TLS as the outer method for any identity.
4450 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4451 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4452 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4453 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4454 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4455 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
# From here on `params` is the AP configuration, not the fixture dict.
4458 params = int_eap_server_params()
4459 params["eap_user_file"] = "sqlite:" + dbfile
4460 hostapd.add_ap(apdev[0]['ifname'], params)
4461 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
4462 anonymous_identity="ttls", password="password",
4463 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
4464 dev[0].request("REMOVE_NETWORK all")
4465 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
4466 anonymous_identity="ttls", password="password",
4467 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
4468 dev[1].request("REMOVE_NETWORK all")
4469 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
4470 anonymous_identity="ttls", password="password",
4471 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
4472 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
4473 anonymous_identity="ttls", password="password",
4474 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4478 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
4479 """WPA2-Enterprise connection attempt using non-ASCII identity"""
# Purpose: identities containing a 0x80 byte (not valid UTF-8) must be passed
# through to the integrated EAP server without breaking the exchange; the
# test only requires that EAP starts and reaches method selection on both
# stations, not that authentication succeeds.
4480 params = int_eap_server_params()
4481 hostapd.add_ap(apdev[0]['ifname'], params)
4482 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4483 identity="\x80", password="password", wait_connect=False)
4484 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4485 identity="a\x80", password="password", wait_connect=False)
# The None-check guarding each raise below is not visible in this listing.
4486 for i in range(0, 2):
4487 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4489 raise Exception("Association and EAP start timed out")
4490 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4492 raise Exception("EAP method selection timed out")
4494 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
4495 """WPA2-Enterprise connection attempt using non-ASCII identity (external RADIUS path)"""
# Purpose: same non-UTF-8 identity check as test_ap_wpa2_eap_non_ascii_identity,
# but with the AP configured through hostapd.wpa2_eap_params() instead of the
# integrated EAP server parameters, so the identity takes the other
# authentication path. Only EAP start and method selection are required.
4496 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4497 hostapd.add_ap(apdev[0]['ifname'], params)
4498 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4499 identity="\x80", password="password", wait_connect=False)
4500 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4501 identity="a\x80", password="password", wait_connect=False)
# The None-check guarding each raise below is not visible in this listing.
4502 for i in range(0, 2):
4503 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
4505 raise Exception("Association and EAP start timed out")
4506 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
4508 raise Exception("EAP method selection timed out")
4510 def test_openssl_cipher_suite_config_wpas(dev, apdev):
4511 """OpenSSL cipher suite configuration on wpa_supplicant"""
# Purpose: exercise the per-network openssl_ciphers setting on the supplicant:
# an AES128 list must connect, an EXPORT list must fail (either side may be
# the one refusing, hence maybe_local_error), and a syntactically invalid
# list ("FOO") must produce EAP-FAILURE rather than a fallback to defaults.
# Raises HwsimSkip unless the supplicant's TLS library is OpenSSL.
4512 tls = dev[0].request("GET tls_library")
4513 if not tls.startswith("OpenSSL"):
4514 raise HwsimSkip("TLS library is not OpenSSL: " + tls)
4515 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
# `hapd` is assigned but not used afterwards in this function.
4516 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4517 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4518 anonymous_identity="ttls", password="password",
4519 openssl_ciphers="AES128",
4520 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4521 eap_connect(dev[1], apdev[0], "TTLS", "pap user",
4522 anonymous_identity="ttls", password="password",
4523 openssl_ciphers="EXPORT",
4524 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4525 expect_failure=True, maybe_local_error=True)
# NOTE(review): the trailing connect() arguments and the None-check before the
# raise are not visible in this listing.
4526 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
4527 identity="pap user", anonymous_identity="ttls",
4528 password="password",
4529 openssl_ciphers="FOO",
4530 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
4532 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
4534 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4535 dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    def require_openssl(ctrl, who):
        # openssl_ciphers only applies when the side in question is built
        # against OpenSSL; skip otherwise.
        lib = ctrl.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(who + " TLS library is not OpenSSL: " + lib)

    require_openssl(dev[0], "wpa_supplicant")
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    require_openssl(hapd, "hostapd")

    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client list overlaps the server's AES256-only list: connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    # Client restricted to AES128 has no suite in common with the server.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_args)
    # A broad list that excludes anonymous DH still overlaps: connects.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_args)

    # An unparsable cipher string must be rejected at ENABLE time on a
    # second, not-yet-enabled AP.
    ap_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], ap_params, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
4566 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
4567 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
# Purpose: verify that wpa_supplicant clears key material from process memory
# once it is no longer needed. The test recovers the password, PMK, MSK, EMSK
# and the PTK/GTK from the debug log, then scans the wpa_supplicant process
# memory at four points (associated, disassociated, after PMKSA/fast-reauth
# flush, after profile removal) and requires that the transient keys (KCK,
# KEK, TK, GTK) are gone as soon as the association ends and that everything
# is gone once the profile is removed.
# Parameters: `params` is the test-runner fixture dict; params['logdir'] is
# where the debug log and memory dumps live.
# Raises HwsimSkip when the password or PMK cannot be located at all while
# associated (the scan itself is not trustworthy then), Exception otherwise.
4568 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4569 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
# A long, high-entropy password so that it is unlikely to appear in memory
# by coincidence when scanning for it.
4570 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4571 pid = find_wpas_process(dev[0])
# `id` shadows the builtin; it is the network id returned by eap_connect.
4572 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
4573 anonymous_identity="ttls", password=password,
4574 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4575 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4576 # event has been delivered, so verify that wpa_supplicant has returned to
4577 # eloop before reading process memory.
# The ping/synchronisation step referred to above is not visible in this
# listing.
4580 buf = read_process_memory(pid, password)
4582 dev[0].request("DISCONNECT")
4583 dev[0].wait_disconnected()
# Recover the derived keys from the supplicant debug log hexdumps. Each
# matching line is "<prefix>: <name> - hexdump(len=N): aa bb ..."; field 3 of
# the ':'-split is the hex payload. The initialisation of msk/emsk/pmk/ptk/gtk
# before this loop is not visible in this listing.
4591 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
4592 for l in f.readlines():
4593 if "EAP-TTLS: Derived key - hexdump" in l:
4594 val = l.strip().split(':')[3].replace(' ', '')
4595 msk = binascii.unhexlify(val)
4596 if "EAP-TTLS: Derived EMSK - hexdump" in l:
4597 val = l.strip().split(':')[3].replace(' ', '')
4598 emsk = binascii.unhexlify(val)
4599 if "WPA: PMK - hexdump" in l:
4600 val = l.strip().split(':')[3].replace(' ', '')
4601 pmk = binascii.unhexlify(val)
4602 if "WPA: PTK - hexdump" in l:
4603 val = l.strip().split(':')[3].replace(' ', '')
4604 ptk = binascii.unhexlify(val)
4605 if "WPA: Group Key - hexdump" in l:
4606 val = l.strip().split(':')[3].replace(' ', '')
4607 gtk = binascii.unhexlify(val)
4608 if not msk or not emsk or not pmk or not ptk or not gtk:
4609 raise Exception("Could not find keys from debug log")
# The GTK length check and the split of ptk into kck/kek/tk are not visible
# in this listing; kck, kek and tk are used below.
4611 raise Exception("Unexpected GTK length")
# Prefix for the memory-context dump files written by verify_not_present().
4617 fname = os.path.join(params['logdir'],
4618 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
# Phase 1: associated. Long-lived secrets are expected to be present;
# the session keys (TK, GTK) must not be found in plaintext. The conditions
# guarding several of the raises below are not visible in this listing.
4620 logger.info("Checking keys in memory while associated")
4621 get_key_locations(buf, password, "Password")
4622 get_key_locations(buf, pmk, "PMK")
4623 get_key_locations(buf, msk, "MSK")
4624 get_key_locations(buf, emsk, "EMSK")
4625 if password not in buf:
4626 raise HwsimSkip("Password not found while associated")
4628 raise HwsimSkip("PMK not found while associated")
4630 raise Exception("KCK not found while associated")
4632 raise Exception("KEK not found while associated")
4634 raise Exception("TK found from memory")
4636 get_key_locations(buf, gtk, "GTK")
4637 raise Exception("GTK found from memory")
# Phase 2: disassociated. Everything derived for this association must be
# gone; only configuration and cache state may remain.
4639 logger.info("Checking keys in memory after disassociation")
4640 buf = read_process_memory(pid, password)
4642 # Note: Password is still present in network configuration
4643 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4645 get_key_locations(buf, password, "Password")
4646 get_key_locations(buf, pmk, "PMK")
4647 get_key_locations(buf, msk, "MSK")
4648 get_key_locations(buf, emsk, "EMSK")
4649 verify_not_present(buf, kck, fname, "KCK")
4650 verify_not_present(buf, kek, fname, "KEK")
4651 verify_not_present(buf, tk, fname, "TK")
4652 verify_not_present(buf, gtk, fname, "GTK")
# Phase 3: flush the PMKSA cache and invalidate EAP fast re-auth state by
# changing the identity; the PMK must then be gone too.
4654 dev[0].request("PMKSA_FLUSH")
4655 dev[0].set_network_quoted(id, "identity", "foo")
4656 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4657 buf = read_process_memory(pid, password)
4658 get_key_locations(buf, password, "Password")
4659 get_key_locations(buf, pmk, "PMK")
4660 get_key_locations(buf, msk, "MSK")
4661 get_key_locations(buf, emsk, "EMSK")
4662 verify_not_present(buf, pmk, fname, "PMK")
# Phase 4: remove the profile; no secret from this test may remain.
4664 dev[0].request("REMOVE_NETWORK all")
4666 logger.info("Checking keys in memory after network profile removal")
4667 buf = read_process_memory(pid, password)
4669 get_key_locations(buf, password, "Password")
4670 get_key_locations(buf, pmk, "PMK")
4671 get_key_locations(buf, msk, "MSK")
4672 get_key_locations(buf, emsk, "EMSK")
4673 verify_not_present(buf, password, fname, "password")
4674 verify_not_present(buf, pmk, fname, "PMK")
4675 verify_not_present(buf, kck, fname, "KCK")
4676 verify_not_present(buf, kek, fname, "KEK")
4677 verify_not_present(buf, tk, fname, "TK")
4678 verify_not_present(buf, gtk, fname, "GTK")
4679 verify_not_present(buf, msk, fname, "MSK")
4680 verify_not_present(buf, emsk, fname, "EMSK")
4682 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
4683 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
# Purpose: after a normal EAP-TTLS association, inject a legacy (WEP-style)
# EAPOL-Key frame into the supplicant through the EAPOL_RX control command
# and confirm the supplicant accepts the command and simply drops the frame,
# i.e. an unexpected legacy key descriptor cannot disturb a WPA2 association.
4684 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4685 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4686 bssid = apdev[0]['bssid']
4687 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4688 anonymous_identity="ttls", password="password",
4689 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
4691 # Send unexpected WEP EAPOL-Key; this gets dropped
# Hex payload: EAPOL header 02 03 00 2c (version 2, packet type 3 =
# EAPOL-Key, body length 0x2c) followed by key descriptor type 01 and an
# all-zero body. The check on `res` before the raise is not visible in this
# listing.
4692 res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
4694 raise Exception("EAPOL_RX to wpa_supplicant failed")
4696 def test_ap_wpa2_eap_in_bridge(dev, apdev):
4697 """WPA2-EAP and wpas interface in a bridge"""
# Purpose: wrapper that runs _test_ap_wpa2_eap_in_bridge() and always tears
# the bridge down afterwards. The br_ifname/ifname assignments and the
# try/finally structure around the call are not visible in this listing.
# Cleanup uses argument lists (no shell) and subprocess.call, so a failure
# of one step does not prevent the remaining ones from running.
4701 _test_ap_wpa2_eap_in_bridge(dev, apdev)
4703 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
4704 subprocess.call(['brctl', 'delif', br_ifname, ifname])
4705 subprocess.call(['brctl', 'delbr', br_ifname])
4706 subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
4708 def _test_ap_wpa2_eap_in_bridge(dev, apdev):
# Purpose: put a wpa_supplicant station interface into a Linux bridge (with
# 4-address mode enabled) and check that EAP-PAX authentication,
# reauthentication and reconnect all work over the bridged interface.
# The br_ifname/ifname definitions are not visible in this listing.
4709 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4710 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Bridge setup via external tools with argument lists (no shell). Only the
# addif step is check_call'd; the earlier steps are best effort.
4714 wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
4715 subprocess.call(['brctl', 'addbr', br_ifname])
4716 subprocess.call(['brctl', 'setfd', br_ifname, '0'])
4717 subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
4718 subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
4719 subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
4720 wpas.interface_add(ifname, br_ifname=br_ifname)
4723 id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
4724 password_hex="0123456789abcdef0123456789abcdef")
4726 eap_reauth(wpas, "PAX")
4728 # Try again as a regression test for packet socket workaround
4729 eap_reauth(wpas, "PAX")
# Explicit disconnect/reconnect cycle over the bridged interface.
4731 wpas.request("DISCONNECT")
4732 wpas.wait_disconnected()
4734 wpas.request("RECONNECT")
4735 wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with TLS session tickets left enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity check on GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
    reported = hapd.get_config()['key_mgmt']
    first_akm, _, _ = reported.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + reported)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Reauthenticate so the session-ticket code path is exercised.
    eap_reauth(dev[0], "TTLS")
4751 def test_ap_wpa2_eap_no_workaround(dev, apdev):
4752 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
# Purpose: EAP-TTLS/PAP must still authenticate and reauthenticate with the
# supplicant's interoperability workarounds disabled (eap_workaround='0').
4753 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4754 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Sanity check on GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
4755 key_mgmt = hapd.get_config()['key_mgmt']
4756 if key_mgmt.split(' ')[0] != "WPA-EAP":
4757 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
# NOTE(review): the closing argument line of this eap_connect() call is not
# visible in this listing.
4758 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
4759 anonymous_identity="ttls", password="password",
4760 ca_cert="auth_serv/ca.pem", eap_workaround='0',
4762 eap_reauth(dev[0], "TTLS")
4764 def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
4765 """EAP-TLS and server checking CRL"""
# Purpose: verify the server-side check_crl behaviour for EAP-TLS client
# certificates: with check_crl=1 and no CRL loaded the client must be
# rejected (fail closed), and once a CA bundle with a CRL is configured both
# check_crl=1 and check_crl=2 must accept the (non-revoked) client.
4766 params = int_eap_server_params()
4767 params['check_crl'] = '1'
4768 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4770 # check_crl=1 and no CRL available --> reject connection
4771 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4772 client_cert="auth_serv/user.pem",
4773 private_key="auth_serv/user.key", expect_failure=True)
4774 dev[0].request("REMOVE_NETWORK all")
# Reconfigure the server with a CA file that also carries a CRL. The
# disable/enable steps around each hapd.set() are not visible in this listing.
4777 hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
4780 # check_crl=1 and valid CRL --> accept
4781 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4782 client_cert="auth_serv/user.pem",
4783 private_key="auth_serv/user.key")
4784 dev[0].request("REMOVE_NETWORK all")
4787 hapd.set("check_crl", "2")
4790 # check_crl=2 and valid CRL --> accept
4791 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
4792 client_cert="auth_serv/user.pem",
4793 private_key="auth_serv/user.key")
4794 dev[0].request("REMOVE_NETWORK all")
4796 def test_ap_wpa2_eap_tls_oom(dev, apdev):
4797 """EAP-TLS and OOM"""
# Purpose: inject allocation failures into tls_connection_set_subject_match()
# (the 1st through 4th allocation in turn) while configuring an EAP-TLS
# profile that uses every certificate-matching option, and verify the
# supplicant fails the TLS parameter setup cleanly (it asks for a passphrase
# via CTRL-REQ-PASSPHRASE) rather than continuing with partially applied
# matching rules. Skips unless the TLS library supports all four options.
4798 check_subject_match_support(dev[0])
4799 check_altsubject_match_support(dev[0])
4800 check_domain_match(dev[0])
4801 check_domain_match_full(dev[0])
4803 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
4804 hostapd.add_ap(apdev[0]['ifname'], params)
4806 tests = [ (1, "tls_connection_set_subject_match"),
4807 (2, "tls_connection_set_subject_match"),
4808 (3, "tls_connection_set_subject_match"),
4809 (4, "tls_connection_set_subject_match") ]
4810 for count, func in tests:
# alloc_fail() arms the failure trigger for the duration of the with block.
4811 with alloc_fail(dev[0], count, func):
4812 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
4813 identity="tls user", ca_cert="auth_serv/ca.pem",
4814 client_cert="auth_serv/user.pem",
4815 private_key="auth_serv/user.key",
4816 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
4817 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
4818 domain_suffix_match="server.w1.fi",
4819 domain_match="server.w1.fi",
4820 wait_connect=False, scan_freq="2412")
4821 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
# The None-check guarding the raise below is not visible in this listing.
4822 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
4824 raise Exception("No passphrase request")
4825 dev[0].request("REMOVE_NETWORK all")
4826 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Brings up a WPA2-EAP AP with macaddr_acl set to "2" and verifies that
    the second station (dev[1]) can still complete an EAP-TLS connection
    with the standard test client certificate.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # presumably the "external RADIUS server" ACL mode -- confirm against
    # hostapd.conf; the value is passed through unchanged either way
    ap_params["macaddr_acl"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    tls_files = dict(ca_cert="auth_serv/ca.pem",
                     client_cert="auth_serv/user.pem",
                     private_key="auth_serv/user.key")
    eap_connect(dev[1], apdev[0], "TLS", "tls user", **tls_files)
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc() on the hostapd side fail while a
    station attempts an EAP-TLS connection, to check that the authenticator
    recovers (the station retries with EAPOL-Start) instead of wedging.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # NOTE(review): the remainder of this comment and the tail of the
        # connect() call below (its last argument line and closing
        # parenthesis) are missing from this listing; confirm against the
        # source.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS and verify the negotiated TLS version.

    dev: station under test
    ap: apdev entry of the AP to connect to
    phase1: wpa_supplicant phase1 string (e.g. tls_disable_tlsv1_0=1 ...)
        used to constrain the TLS versions the station will offer
    expected: value the eap_tls_version status field must report
    Raises Exception when the reported version differs from ``expected``.
    """
    # NOTE(review): this listing cuts the eap_connect() call short (the
    # line passing ``phase1`` through is missing) and also drops the
    # comparison guard (presumably "if ver != expected:") before the raise;
    # confirm against the source.
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Uses the tls_disable_tlsv1_X phase1 flags to pin the station to a
    single TLS version and checks, through check_tls_ver(), which version
    wpa_supplicant reports.  The set of combinations depends on the
    station's TLS library.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # Only run when both the build-time and run-time OpenSSL are 1.0.2.
        # NOTE(review): the expected-version argument of this call is
        # missing from this listing (presumably "TLSv1.2"); confirm.
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
    elif tls.startswith("internal"):
        # The internal TLS implementation is driven through all three
        # versions by disabling the other two each time.  This only shows
        # that version selection works; it does not assert that the
        # deprecated TLS 1.0/1.1 (RFC 8996) are refused by default.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP advertises progressively truncated RSN elements -- optional
    trailing fields removed one at a time -- and the station is expected
    to keep associating to the same WPA-EAP/GPSK network each time.  This
    checks the station's tolerance for the shortened element layouts the
    RSNE format permits (absent trailing fields presumably fall back to
    their protocol defaults; not asserted here).
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    # Layout of the hex string, as confirmed by the truncated variants
    # below: id 0x30, len 0x14, version 0100, group cipher 000fac04, one
    # pairwise cipher 000fac04, one AKM 000fac01, capabilities 0c00.
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): this connect() call is cut short in this listing (its
    # trailing argument line is missing); confirm against the source.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",

    # (description, RSNE hex) pairs; the hex for the last case is missing
    # from this listing.
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
    for txt,ie in tests:
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        # Swap the advertised element on the live AP, then make the station
        # drop its cached BSS entry and rediscover the AP so that the new
        # element is what it associates against.
        hapd.set('own_ie_override', ie)
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the calling test unless both ends use the OpenSSL TLS backend.

    The hostapd side is queried first; the station is only queried when
    the hostapd check passes.  Raises HwsimSkip with a message that names
    the offending library string.
    """
    endpoints = ((hapd, "hostapd TLS library is not OpenSSL: "),
                 (dev, "Session resumption not supported with this TLS library: "))
    for endpoint, reason in endpoints:
        library = endpoint.request("GET tls_library")
        if not library.startswith("OpenSSL"):
            raise HwsimSkip(reason + library)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    With tls_session_lifetime=60 on the internal EAP server, the first
    connection must be a full TLS handshake (tls_session_reused == '0')
    and a forced REAUTHENTICATE must resume the cached session
    (tls_session_reused == '1').
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # NOTE(review): this eap_connect() call is cut short in this listing
    # (its final argument line, presumably the phase2 selection, is
    # missing); confirm against the source.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    # Only the TLS-level flag is asserted.  Whether the inner PAP round is
    # skipped on a resumed session (which would make the server-side cache
    # lifetime an effective extension of credential validity) is not
    # checked here.
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    Same shape as the PAP variant: full handshake on the first connection
    (tls_session_reused '0'), resumed session after REAUTHENTICATE
    (tls_session_reused '1').  The CA is supplied in DER form here rather
    than PEM.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Full handshake on the first connection (tls_session_reused '0'), then a
    resumed session after REAUTHENTICATE (tls_session_reused '1').  The
    server certificate is additionally pinned with domain_suffix_match, so
    the test is skipped on TLS libraries that do not support it.
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
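def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    With tls_session_lifetime=60 on the internal EAP server, the first
    connection must be a full TLS handshake (tls_session_reused == '0')
    and a forced REAUTHENTICATE must resume the cached TLS session
    (tls_session_reused == '1').  The server certificate is pinned with
    domain_suffix_match, so the test is skipped on TLS libraries without
    that support, and on builds without EAP-MSCHAPv2.
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    # The identity contains a literal backslash (DOMAIN\mschapv2 user).  It
    # is spelled with an escaped backslash: "\m" is not a valid Python
    # escape sequence, so the previous unescaped form only worked because
    # the interpreter left it alone, and it raises a SyntaxWarning on
    # current Python versions.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")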
def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Full handshake on the first connection (tls_session_reused '0'), then a
    resumed session after REAUTHENTICATE (tls_session_reused '1').  The
    inner method is EAP-GTC tunnelled as an EAP method (autheap=GTC)
    rather than a plain TTLS attribute method.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    Negative counterpart of the resumption tests: with
    tls_session_lifetime=0 the server must not cache sessions, so both the
    first connection and the forced reauthentication must report
    tls_session_reused == '0'.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): this eap_connect() call is cut short in this listing
    # (its final argument line, presumably the phase2 selection, is
    # missing); confirm against the source.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    Full handshake on the first PEAP/MSCHAPv2 connection (tls_session_reused
    '0'), then a resumed TLS session after REAUTHENTICATE
    (tls_session_reused '1') within the 60 s server-side lifetime.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Like test_eap_peap_session_resumption, but the station is pinned to
    PEAPv0 and sets crypto_binding=2 (presumably "required" -- verify
    against the wpa_supplicant configuration documentation), so the
    resumed session must still complete the cryptobinding exchange that
    ties the inner MSCHAPv2 result to the outer TLS tunnel.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    Unlike the TTLS/TLS "no resumption" tests, tls_session_lifetime is not
    set explicitly here; the test relies on the server default (presumably
    no caching -- verify against hostapd.conf).  Both the first connection
    and the forced reauthentication must report tls_session_reused == '0'.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    Full handshake on the first EAP-TLS connection (tls_session_reused
    '0'); two consecutive forced reauthentications must both resume the
    cached session (tls_session_reused '1'), i.e. a resumed session is
    itself resumable within the 60 s lifetime.
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede each of
    # the four timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")

    # With EAP-TLS a resumed session skips the client-certificate exchange
    # entirely, so the server-side cache lifetime bounds how long a client
    # can keep reauthenticating without presenting its certificate again.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the third connection")
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration

    With tls_session_lifetime=1 the cached session must stop being
    resumable once the lifetime has passed: after the initial full
    handshake, a later reauthentication must report tls_session_reused
    '0'.  (The docstring previously duplicated the plain resumption test's
    description.)
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the rest of this comment and the retry loop it
    # describes (the loop header, the delay between attempts, the
    # "if ev is None:" guards, and the "break" after the reused == '0'
    # check) are missing from this listing; confirm against the source.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") == '0':
    # Final assertion: resumption after the lifetime has elapsed would mean
    # the server honours stale cache entries.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    Uses the internal EAP server defaults (tls_session_lifetime is not set,
    presumably meaning no session cache -- verify against hostapd.conf).
    Both the first connection and the forced reauthentication must report
    tls_session_reused == '0'.
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    Same check as test_eap_tls_session_resumption, but the EAP server runs
    in a second hostapd instance (apdev[1]) acting as a RADIUS
    authentication server on port 18128, and the AP on apdev[0] proxies
    EAP to it.  The session cache therefore lives on the RADIUS server
    side.
    """
    # NOTE(review): one line of this dict is missing from this listing
    # (presumably the setting that enables the internal EAP server);
    # confirm against the source.  The RADIUS shared secret is taken from
    # radius_clients.conf; the server is only reachable on this host.
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
    # The capability check runs against the RADIUS-server instance, since
    # that is where the TLS session cache lives.
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Negative counterpart of test_eap_tls_session_resumption_radius: the
    RADIUS server instance on apdev[1] runs with tls_session_lifetime=0,
    so both the first connection and the forced reauthentication through
    the AP on apdev[0] must report tls_session_reused == '0'.
    """
    # NOTE(review): one line of this dict is missing from this listing
    # (presumably the setting that enables the internal EAP server);
    # confirm against the source.
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # NOTE(review): the "if ev is None:" guards that should precede the two
    # timeout raises below are missing from this listing.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Fault-injection coverage for the EAP-MSCHAPv2 peer: after one
    successful connection to establish the baseline, each crypto primitive
    on the response path is forced to fail (fail_test), then allocation
    failures are injected (alloc_fail) into init/reply/success/failure
    handling and into the inner MSCHAPv2 used by EAP-FAST provisioning.
    Every case is expected to trip its trigger (wait_fail_trigger) and the
    network is removed afterwards.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): this connect() call is cut short in this listing (its
    # last argument line and closing parenthesis are missing); confirm
    # against the source.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Plaintext-password path: each entry names the primitive to fail and
    # the caller it must be reached through ("a;b" = a called from b;
    # "=" presumably marks the Nth call only -- confirm against utils).
    # NOTE(review): "nt_password_hash;=mschapv2_derive_response" appears
    # twice in this list (3rd and 6th entries); the second occurrence is a
    # redundant iteration.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Pre-hashed password path: password_hex="hash:<NT hash>" supplies the
    # NT password hash directly (the value corresponds to the plaintext
    # "password" used above), which exercises the *_pwhash variants.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures on the success path
    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failure while building the Failure response; a wrong
    # password is used so that the server actually sends a Failure.
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # 2nd/3rd eap_mschapv2_init allocations are only reached when MSCHAPv2
    # is instantiated as the inner method of EAP-FAST with in-band PAC
    # provisioning (fast_provisioning=1, PAC kept in a blob).
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Fault-injection coverage for the EAP-GPSK peer: a baseline connection,
    then forced failures of the random-number, key-derivation and MIC
    primitives on the GPSK-2/GPSK-4 send path and the GPSK-3 MIC check,
    then allocation failures across init, message construction, key
    derivation and the key/EMSK/session-id getters (with ERP enabled so
    the EMSK path is reached).
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): this connect() call is cut short in this listing (its
    # last argument line and closing parenthesis are missing).
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, function path, phase1) -- phase1 selects the GPSK cipher
    # suite for the cases that need a specific MIC algorithm.
    # NOTE(review): the phase1 value of four entries below is missing from
    # this listing (the tuples are left open); confirm against the source.
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            # NOTE(review): the line passing ``phase1`` into this connect()
            # is missing from this listing.
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            # Flush ERP state so each iteration starts from a full EAP
            # exchange rather than an ERP re-authentication.
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Points hostapd's eap_sim_db at a UNIX datagram socket owned by this
    test and drives three scenarios: no responder at all, a responder that
    returns malformed and unknown replies and then lets the request time
    out, and a responder that forwards the request to the real hlr_auc_gw
    binary and relays its answer.  ``params['logdir']`` locates the
    Milenage database for the last scenario.
    """
    # NOTE(review): this listing drops several lines in this function: the
    # stale-socket cleanup after ``sockpath``, both handler method headers
    # (presumably "def handle(self):"), the server timeout setup, the
    # hlr_auc_gw argument line, and the "if ev is None:" guards before the
    # two raises.  Confirm all of these against the source.
    # The socket has a fixed, predictable name in the shared /tmp; fine for
    # an isolated test host, but a pre-existing path would have to be
    # removed (or the name made unique) before bind() succeeds.
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    # Nothing is listening yet: the server must fail the EAP-SIM exchange
    # rather than hang or succeed.  The password holds the test SIM's
    # colon-separated key material, which only needs to match what
    # hlr_auc_gw's database expects.
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    # SocketServer is the Python 2 module name (socketserver on Python 3),
    # and the handler mixes str with the bytes that a datagram request
    # carries, so as written this is Python 2 only.
    class test_handler(SocketServer.DatagramRequestHandler):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            # Each reply exercises one parser rejection path in hostapd's
            # eap_sim_db; the comments name the expected log line.
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO", self.client_address)
            # EAP-SIM DB: Failed to parse response string
            socket.sendto("FOO 1", self.client_address)
            # EAP-SIM DB: Unknown external response
            socket.sendto("FOO 1 2", self.client_address)
            # Deliberately never send a usable reply so hostapd's pending
            # request times out.
            logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)

    dev[0].select_network(id)
    # handle_request() serves exactly one datagram.
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    class test_handler2(SocketServer.DatagramRequestHandler):
            data = self.request[0].strip()
            socket = self.request[1]
            logger.debug("Received hlr_auc_gw request: " + data)
            fname = os.path.join(params['logdir'],
                                 'hlr_auc_gw.milenage_db')
            # Runs the real hlr_auc_gw in one-shot mode; the argument list
            # (missing from this listing) is passed without a shell.  Note
            # the child is read from but never wait()ed on or closed,
            # which leaves a zombie / unclosed pipe in the test process.
            cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                   stdout=subprocess.PIPE)
            res = cmd.stdout.read().strip()
            logger.debug("hlr_auc_gw response: " + res)
            socket.sendto(res, self.client_address)

    # Swap the handler class on the existing server rather than re-binding
    # the socket path.
    server.RequestHandlerClass = test_handler2

    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server chain signed with SHA-512.  dev[0] presents a SHA-512-signed
    client certificate and dev[1] a SHA-384-signed one, both validated
    against the SHA-512 test CA.
    """
    # NOTE(review): the ``params`` argument (the hwsim test parameters) is
    # shadowed on the first line by the hostapd configuration dict and never
    # used; harmless, but a distinct local name would avoid the confusion.
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): both connect() calls are cut short in this listing
    # (their trailing argument lines are missing); confirm against the
    # source.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Server certificate signed with SHA-384 under the SHA-512 test CA.
    dev[0] presents a SHA-512-signed client certificate and dev[1] a
    SHA-384-signed one.
    """
    # NOTE(review): as in test_eap_tls_sha512, the ``params`` argument is
    # shadowed immediately by the hostapd configuration dict and never used.
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): both connect() calls are cut short in this listing
    # (their trailing argument lines are missing); confirm against the
    # source.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
    """WPA2-Enterprise AP and association request RSN IE differences

    The station's (Re)Association Request RSN element is overridden with
    set_test_assoc_ie() and hostapd's parsing is checked from both sides:
    truncated or extended-but-valid elements must still be accepted, and
    elements that select ciphers the AP does not allow, or that do not
    satisfy the AP's management frame protection policy, must be rejected
    with the specific IEEE 802.11 status code the test expects.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Second AP requiring management frame protection (ieee80211w=2)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
    params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[1]['ifname'], params)

    # Success cases with optional RSN IE fields removed one by one
    # The "extra" cases check forward compatibility: a PMKID count of 0, a
    # group management cipher and unknown trailing bytes must all be
    # tolerated by the AP.
    # NOTE(review): the loop body below is missing a line at its start
    # (presumably the log line for ``title``) and the connect() call is
    # cut short; confirm against the source.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac010000"),
              ("Extra PMKIDCount field in RSN IE",
               "30160100000fac040100000fac040100000fac0100000000"),
              ("Extra Group Management Cipher Suite in RSN IE",
               "301a0100000fac040100000fac040100000fac0100000000000fac06"),
              ("Extra undefined extension field in RSN IE",
               "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
              ("RSN IE without RSN Capabilities",
               "30120100000fac040100000fac040100000fac01"),
              ("RSN IE without AKM", "300c0100000fac040100000fac04"),
              ("RSN IE without pairwise", "30060100000fac04"),
              ("RSN IE without group", "30020100") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # MFP-capable station (ieee80211w=1) against the MFP-required AP; the
    # capabilities bytes "cc00" carry the MFP bits, and an explicit group
    # management cipher (BIP, 000fac06) must also be accepted.
    # NOTE(review): as above, the log line and the tail of connect() are
    # missing from this listing.
    tests = [ ("Normal wpa_supplicant assoc req RSN IE",
               "30140100000fac040100000fac040100000fac01cc00"),
              ("Group management cipher included in assoc req RSN IE",
               "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
    for title, ie in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Rejection cases: a cipher (000fac02) the CCMP-only AP does not offer,
    # as group cipher (status 41) and as pairwise cipher (status 42).
    # NOTE(review): the "if ev is None:" guard before the rejection raise
    # is missing from this listing.
    tests = [ ("Invalid group cipher", "30060100000fac02", 41),
              ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                       identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()

    # MFP policy rejections (status 31): a station that does not advertise
    # MFP at all against the MFP-required AP, and one that asks for a group
    # management cipher (000fac0b) the AP does not support.  Rejecting here
    # is what prevents an MFP-required network from silently accepting an
    # unprotected association.
    tests = [ ("Management frame protection not enabled",
               "30140100000fac040100000fac040100000fac010000", 31),
              ("Unsupported management group cipher",
               "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
    for title, ie, status in tests:
        set_test_assoc_ie(dev[0], ie)
        dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
                       eap="GPSK", identity="gpsk user",
                       password="abcdefghijklmnop0123456789abcdef",
                       scan_freq="2412", wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
        raise Exception("Association rejection not reported")
        if "status_code=" + str(status) not in ev:
            raise Exception("Unexpected status code: " + ev)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # ca_cert is configured, so the supplicant's own chain validation stays
    # active and the external check (phase1 tls_ext_cert_check=1) is an
    # additional gate on top of it. The network is only added here;
    # run_ext_cert_check() selects it and drives the exchange.
    tls_cfg = dict(
        key_mgmt="WPA-EAP",
        eap="TLS",
        identity="tls user",
        ca_cert="auth_serv/ca.pem",
        client_cert="auth_serv/user.pem",
        private_key="auth_serv/user.key",
        phase1="tls_ext_cert_check=1",
        scan_freq="2412",
        only_add_network=True,
    )
    net_id = dev[0].connect("test-wpa2-eap", **tls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # No ca_cert here: the supplicant performs no chain validation of its
    # own, so the external check requested via phase1 tls_ext_cert_check=1
    # is the only server-certificate verification in this configuration.
    # Inner method is PAP, which sends the password in the TLS tunnel.
    ttls_cfg = dict(
        key_mgmt="WPA-EAP",
        eap="TTLS",
        identity="pap user",
        anonymous_identity="ttls",
        password="password",
        phase2="auth=PAP",
        phase1="tls_ext_cert_check=1",
        scan_freq="2412",
        only_add_network=True,
    )
    net_id = dev[0].connect("test-wpa2-eap", **ttls_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # ca_cert is configured, so internal chain validation runs as well and
    # the external check (phase1 tls_ext_cert_check=1) is layered on top.
    # Inner method is MSCHAPv2 inside the PEAP tunnel.
    peap_cfg = dict(
        key_mgmt="WPA-EAP",
        eap="PEAP",
        identity="user",
        anonymous_identity="peap",
        ca_cert="auth_serv/ca.pem",
        password="password",
        phase2="auth=MSCHAPV2",
        phase1="tls_ext_cert_check=1",
        scan_freq="2412",
        only_add_network=True,
    )
    net_id = dev[0].connect("test-wpa2-eap", **peap_cfg)
    run_ext_cert_check(dev, apdev, net_id)
5647 def test_eap_fast_ext_cert_check(dev, apdev):
5648 """EAP-FAST and external server certification validation"""
# Skip unless the build supports EAP-FAST.
5649 check_eap_capa(dev[0], "FAST")
5650 # With internal server certificate chain validation
# Presumably resets the in-memory PAC blob before provisioning so the test
# starts without a previously provisioned PAC; run_ext_cert_check() issues
# the same command again before its reconnect round.
5651 dev[0].request("SET blob fast_pac_auth_ext ")
# fast_provisioning=2 selects authenticated PAC provisioning (wpa_supplicant
# configuration semantics), which is why a ca_cert is configured here; the
# external check applies to that TLS handshake as well.
# NOTE(review): line 5658 of this connect() call is missing from the
# listing.
5652 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
5653 identity="user", anonymous_identity="FAST",
5654 ca_cert="auth_serv/ca.pem",
5655 password="password", phase2="auth=GTC",
5656 phase1="tls_ext_cert_check=1 fast_provisioning=2",
5657 pac_file="blob://fast_pac_auth_ext",
5659 only_add_network=True)
5660 run_ext_cert_check(dev, apdev, id)
5662 def run_ext_cert_check(dev, apdev, net_id):
"""Drive the external server-certificate check for network net_id.

Starts apdev[0] as a WPA2-Enterprise AP, selects the pre-added network
net_id on dev[0] (the caller configured it with phase1
tls_ext_cert_check=1), collects the server certificate chain reported via
CTRL-EVENT-EAP-PEER-CERT, answers the CTRL-REQ-EXT_CERT_CHECK request with
"good" and expects a connection; then reconnects, answers "bad" and expects
EAP-Failure.

NOTE(review): the gutter numbers jump in many places (5666, 5669, 5671-5672,
5676, 5679-5680, 5682, 5693-5694, 5696, 5698, 5700, 5703, 5705, 5708, 5713,
5715, 5717, 5720, 5727, 5729, 5734), so this listing omits lines, including
the `certs` initialisation, the event loop header and the guards that
precede several raise statements below.
"""
5663 check_ext_cert_check_support(dev[0])
# pyOpenSSL is needed below to parse the DER certificates; skip (rather than
# fail) when the module import at the top of the file did not succeed.
5664 if not openssl_imported:
5665 raise HwsimSkip("OpenSSL python method not available")
5667 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5668 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# The caller added the network with only_add_network=True; selecting it is
# what actually starts the association and the EAP exchange.
5670 dev[0].select_network(net_id)
# Event loop (header missing from the listing): gather the certificate
# chain until the supplicant asks for the external verdict.
5673 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
5674 "CTRL-REQ-EXT_CERT_CHECK",
5675 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
# (guard line 5676, presumably `if ev is None:`, is missing from the listing)
5677 raise Exception("No peer server certificate event seen")
5678 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
# Each event carries space-separated key=value fields: depth= is the
# position in the chain (0 = server certificate) and cert= the hex-encoded
# DER certificate. The per-event reset of depth/cert (5679-5680) and the
# `for v in vals:` header (5682) are missing from the listing.
5681 vals = ev.split(' ')
5683 if v.startswith("depth="):
5684 depth = int(v.split('=')[1])
5685 elif v.startswith("cert="):
5686 cert = v.split('=')[1]
5687 if depth is not None and cert:
5688 certs[depth] = binascii.unhexlify(cert)
# EAP-Success arriving before the external check was requested would mean
# the supplicant completed authentication without waiting for the external
# verdict -- exactly the bypass this feature exists to prevent.
5689 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
5690 raise Exception("Unexpected EAP-Success")
5691 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
# The request id is the trailing "-<id>" of the "CTRL-REQ-EXT_CERT_CHECK-<id>:"
# prefix and is echoed back in the CTRL-RSP reply. (This local shadows the
# builtin `id`.)
5692 id = ev.split(':')[0].split('-')[-1]
# Both the leaf certificate and its issuer must have been reported; the
# `if` lines for these two checks (5694, 5696) are missing from the listing.
5695 raise Exception("Server certificate not received")
5697 raise Exception("Server certificate issuer not received")
# Parse the DER certificates. The argument line with the certs[...] value
# (5700 and 5705) is missing from the listing for both calls.
5699 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5701 cn = cert.get_subject().commonName
5702 logger.info("Server certificate CN=" + cn)
5704 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5706 icn = issuer.get_subject().commonName
5707 logger.info("Issuer certificate CN=" + icn)
# The "external" policy this test implements is a fixed CN match on both
# the server certificate and its issuer; nothing else in the chain is
# inspected here.
5709 if cn != "server.w1.fi":
5710 raise Exception("Unexpected server certificate CN: " + cn)
5711 if icn != "Root CA":
5712 raise Exception("Unexpected server certificate issuer CN: " + icn)
# Short wait to confirm the EAP exchange is still parked on the external
# check: no EAP-Success may arrive before the reply is sent. The guard line
# (5715, presumably `if ev is not None:`) is missing from the listing.
5714 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
5716 raise Exception("Unexpected EAP-Success before external check result indication")
# Positive verdict: the handshake completes and the station connects.
5718 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
5719 dev[0].wait_connected()
# Second round with a negative verdict. The PMKSA cache is flushed first so
# the reconnect performs a full EAP exchange -- with a cached PMKSA the
# station would skip EAP, and with it the certificate exchange and the
# external check. The EAP-FAST PAC blob is reset for the same reason.
5721 dev[0].request("DISCONNECT")
5722 dev[0].wait_disconnected()
5723 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
5724 raise Exception("PMKSA_FLUSH failed")
5725 dev[0].request("SET blob fast_pac_auth_ext ")
5726 dev[0].request("RECONNECT")
5728 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
# (guard line 5729, presumably `if ev is None:`, is missing from the listing)
5730 raise Exception("No peer server certificate event seen (2)")
5731 id = ev.split(':')[0].split('-')[-1]
# A rejected certificate must turn into an EAP-Failure, not a connection.
5732 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
5733 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
# (guard line 5734, presumably `if ev is None:`, is missing from the listing)
5735 raise Exception("EAP-Failure not reported")
5736 dev[0].request("REMOVE_NETWORK all")
5737 dev[0].wait_disconnected()
5739 def test_eap_tls_errors(dev, apdev):
5740 """EAP-TLS error cases"""
# Forces memory allocation failures at specific points of the EAP-TLS peer
# implementation and checks that the supplicant handles each one (the
# failure trigger fires, the network can be removed, the station ends up
# disconnected) instead of connecting or misbehaving. alloc_fail() and
# wait_fail_trigger() come from utils; the ";"-joined names presumably
# select a function together with its caller. Each case follows the same
# pattern: arm the failure, start the connection without waiting, wait for
# the trigger, then clean up so the next case starts from a clean state.
# NOTE(review): gutter numbers jump at 5770, 5781-5782, 5784 and 5790, so
# this listing is missing lines -- including one or more entries of the
# second `tests` list and the loop header that binds `func` before 5785.
5741 params = int_eap_server_params()
# A small fragment size forces the EAP-TLS messages to be fragmented, which
# is what makes the reassembly failure below reachable.
5742 params['fragment_size'] = '100'
5743 hostapd.add_ap(apdev[0]['ifname'], params)
5744 with alloc_fail(dev[0], 1,
5745 "eap_peer_tls_reassemble_fragment"):
5746 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5747 identity="tls user", ca_cert="auth_serv/ca.pem",
5748 client_cert="auth_serv/user.pem",
5749 private_key="auth_serv/user.key",
5750 wait_connect=False, scan_freq="2412")
5751 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5752 dev[0].request("REMOVE_NETWORK all")
5753 dev[0].wait_disconnected()
5755 with alloc_fail(dev[0], 1, "eap_tls_init"):
5756 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5757 identity="tls user", ca_cert="auth_serv/ca.pem",
5758 client_cert="auth_serv/user.pem",
5759 private_key="auth_serv/user.key",
5760 wait_connect=False, scan_freq="2412")
5761 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5762 dev[0].request("REMOVE_NETWORK all")
5763 dev[0].wait_disconnected()
# This case additionally expects a CTRL-REQ-PIN request from the
# supplicant; the connect() argument on the missing line 5770 presumably
# enables the configuration path that asks for a PIN -- confirm upstream.
5765 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
5766 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5767 identity="tls user", ca_cert="auth_serv/ca.pem",
5768 client_cert="auth_serv/user.pem",
5769 private_key="auth_serv/user.key",
5771 wait_connect=False, scan_freq="2412")
5772 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5773 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
# (guard line 5774, presumably `if ev is None:`, is missing from the listing)
5775 raise Exception("No CTRL-REQ-PIN seen")
5776 dev[0].request("REMOVE_NETWORK all")
5777 dev[0].wait_disconnected()
# Failures in the key/session-id derivation that runs on TLS success; the
# list is incomplete in this listing (5781-5782 missing).
5779 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
5780 "eap_peer_tls_derive_session_id;eap_tls_success",
5783 "eap_tls_get_session_id" ]
# (loop header line 5784, presumably `for func in tests:`, is missing)
5785 with alloc_fail(dev[0], 1, func):
5786 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5787 identity="tls user", ca_cert="auth_serv/ca.pem",
5788 client_cert="auth_serv/user.pem",
5789 private_key="auth_serv/user.key",
5791 wait_connect=False, scan_freq="2412")
5792 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5793 dev[0].request("REMOVE_NETWORK all")
5794 dev[0].wait_disconnected()
# UNAUTH-TLS and WFA-UNAUTH-TLS: these connect() calls carry only a ca_cert
# and no client credential, i.e. the server-authentication-only variants.
5796 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
5797 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5798 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5799 wait_connect=False, scan_freq="2412")
5800 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5801 dev[0].request("REMOVE_NETWORK all")
5802 dev[0].wait_disconnected()
5804 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
5805 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5806 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5807 wait_connect=False, scan_freq="2412")
5808 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5809 dev[0].request("REMOVE_NETWORK all")
5810 dev[0].wait_disconnected()
5812 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
5813 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5814 eap="WFA-UNAUTH-TLS",
5815 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5816 wait_connect=False, scan_freq="2412")
5817 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5818 dev[0].request("REMOVE_NETWORK all")
5819 dev[0].wait_disconnected()
5821 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
5822 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5823 eap="WFA-UNAUTH-TLS",
5824 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5825 wait_connect=False, scan_freq="2412")
5826 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5827 dev[0].request("REMOVE_NETWORK all")
5828 dev[0].wait_disconnected()
5830 def test_ap_wpa2_eap_status(dev, apdev):
5831 """EAP state machine status information"""
# PEAP with an inner EAP-TLS (phase2 auth=TLS and the *2 credentials) gives
# a multi-stage exchange. While it runs, STATUS-VERBOSE is polled and every
# distinct value of the EAP state-machine fields is recorded and logged;
# the test fails if the exchange never reaches the SUCCESS state.
# NOTE(review): lines 5841-5845 (presumably initialising `states`,
# `method_states`, `decisions`, `req_methods` and the success flag), 5851,
# 5855-5856, 5861-5862 and 5879 are missing from this listing.
5832 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5833 hostapd.add_ap(apdev[0]['ifname'], params)
# wait_connect=False: polling below must start while EAP is still running.
5834 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
5835 identity="cert user",
5836 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
5837 ca_cert2="auth_serv/ca.pem",
5838 client_cert2="auth_serv/user.pem",
5839 private_key2="auth_serv/user.key",
5840 scan_freq="2412", wait_connect=False)
5846 selected_methods = []
# Upper bound on polling; the loop presumably breaks out once the SUCCESS
# state has been observed (the lines following 5854 are missing).
5847 for i in range(100000):
5848 s = dev[0].get_status(extra="VERBOSE")
5849 if 'EAP state' in s:
5850 state = s['EAP state']
5852 if state not in states:
5853 states.append(state)
5854 if state == "SUCCESS":
5857 if 'methodState' in s:
5858 val = s['methodState']
5859 if val not in method_states:
5860 method_states.append(val)
# (the `if 'decision' in s:` / `val = s['decision']` lines 5861-5862 are
# missing from the listing)
5863 if val not in decisions:
5864 decisions.append(val)
5865 if 'reqMethod' in s:
5866 val = s['reqMethod']
5867 if val not in req_methods:
5868 req_methods.append(val)
5869 if 'selectedMethod' in s:
5870 val = s['selectedMethod']
5871 if val not in selected_methods:
5872 selected_methods.append(val)
# Number of polls needed and the distinct values seen, for inspection of
# the test log.
5873 logger.info("Iterations: %d" % i)
5874 logger.info("EAP states: " + str(states))
5875 logger.info("methodStates: " + str(method_states))
5876 logger.info("decisions: " + str(decisions))
5877 logger.info("reqMethods: " + str(req_methods))
5878 logger.info("selectedMethods: " + str(selected_methods))
# (guard line 5879, presumably `if not success:`, is missing from the listing)
5880 raise Exception("EAP did not succeed")
5881 dev[0].wait_connected()
5882 dev[0].request("REMOVE_NETWORK all")
5883 dev[0].wait_disconnected()
5885 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
5886 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
5887 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5888 params['wpa_ptk_rekey'] = '2'
5889 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5890 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
5891 password="abcdefghijklmnop0123456789abcdef")
5892 ev = dev[0].wait_event(["WPA: Key negotiation completed"])
5894 raise Exception("PTK rekey timed out")
5895 hwsim_utils.test_connectivity(dev[0], hapd)