1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger.  getLogger(None) is the root logger, the same object
# logging.getLogger() returns, so every test below logs through the root.
logger = logging.getLogger(None)
18 from utils import HwsimSkip, alloc_fail, fail_test
19 from wpasupplicant import WpaSupplicant
20 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw helper is not running.

    The EAP-SIM/AKA tests in this module call this first; the helper is
    expected to be reachable through the control socket
    /tmp/hlr_auc_gw.sock.  If that path is absent the test is skipped
    (HwsimSkip) instead of failing.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
26 def check_eap_capa(dev, method):
27 res = dev.get_capability("eap")
29 raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS backend.

    Reads the library name with ``GET tls_library``; subject_match tests are
    only run with OpenSSL, any other backend raises HwsimSkip.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS backend.

    Reads the library name with ``GET tls_library``; altsubject_match tests
    are only run with OpenSSL, any other backend raises HwsimSkip.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS backend.

    Used by tests that rely on domain_suffix_match accepting a suffix; with
    any backend other than OpenSSL the skip message notes that only a full
    match is supported, and HwsimSkip is raised.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip the current test unless *dev* reports an OpenSSL TLS backend.

    Certificate probing tests are only run with OpenSSL; any other library
    name returned by ``GET tls_library`` raises HwsimSkip.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
52 with open(fname, "r") as f:
63 return base64.b64decode(cert)
65 def eap_connect(dev, ap, method, identity,
66 sha256=False, expect_failure=False, local_error_report=False,
68 hapd = hostapd.Hostapd(ap['ifname'])
69 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
70 eap=method, identity=identity,
71 wait_connect=False, scan_freq="2412", ieee80211w="1",
73 eap_check_auth(dev, method, True, sha256=sha256,
74 expect_failure=expect_failure,
75 local_error_report=local_error_report)
78 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
80 raise Exception("No connection event received from hostapd")
83 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
84 expect_failure=False, local_error_report=False):
85 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
87 raise Exception("Association and EAP start timed out")
88 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
90 raise Exception("EAP method selection timed out")
92 raise Exception("Unexpected EAP method")
94 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
96 raise Exception("EAP failure timed out")
97 ev = dev.wait_disconnected(timeout=10)
98 if not local_error_report:
99 if "reason=23" not in ev:
100 raise Exception("Proper reason code for disconnection not reported")
102 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
104 raise Exception("EAP success timed out")
107 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
109 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
111 raise Exception("Association with the AP timed out")
112 status = dev.get_status()
113 if status["wpa_state"] != "COMPLETED":
114 raise Exception("Connection not completed")
116 if status["suppPortStatus"] != "Authorized":
117 raise Exception("Port not authorized")
118 if method not in status["selectedMethod"]:
119 raise Exception("Incorrect EAP method status")
121 e = "WPA2-EAP-SHA256"
123 e = "WPA2/IEEE 802.1X/EAP"
125 e = "WPA/IEEE 802.1X/EAP"
126 if status["key_mgmt"] != e:
127 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Force EAP re-authentication on *dev* and validate the outcome.

    Issues REAUTHENTICATE over the control interface, then runs the same
    event/status checks as the initial connection through eap_check_auth
    with initial=False.  local_error_report is not forwarded, so
    eap_check_auth uses its default for it.  Returns eap_check_auth's result.
    """
    dev.request("REAUTHENTICATE")
    result = eap_check_auth(dev, method, initial=False, rsn=rsn,
                            sha256=sha256, expect_failure=expect_failure)
    return result
135 def test_ap_wpa2_eap_sim(dev, apdev):
136 """WPA2-Enterprise connection using EAP-SIM"""
137 check_hlr_auc_gw_support()
138 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
139 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
140 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
141 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
142 hwsim_utils.test_connectivity(dev[0], hapd)
143 eap_reauth(dev[0], "SIM")
145 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
146 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
147 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
148 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
151 logger.info("Negative test with incorrect key")
152 dev[0].request("REMOVE_NETWORK all")
153 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
154 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
157 logger.info("Invalid GSM-Milenage key")
158 dev[0].request("REMOVE_NETWORK all")
159 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
160 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
163 logger.info("Invalid GSM-Milenage key(2)")
164 dev[0].request("REMOVE_NETWORK all")
165 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
166 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
169 logger.info("Invalid GSM-Milenage key(3)")
170 dev[0].request("REMOVE_NETWORK all")
171 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
172 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
175 logger.info("Invalid GSM-Milenage key(4)")
176 dev[0].request("REMOVE_NETWORK all")
177 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
178 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
181 logger.info("Missing key configuration")
182 dev[0].request("REMOVE_NETWORK all")
183 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
186 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
187 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
188 check_hlr_auc_gw_support()
192 raise HwsimSkip("No sqlite3 module available")
193 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
194 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
195 params['auth_server_port'] = "1814"
196 hostapd.add_ap(apdev[0]['ifname'], params)
197 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
198 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
200 logger.info("SIM fast re-authentication")
201 eap_reauth(dev[0], "SIM")
203 logger.info("SIM full auth with pseudonym")
206 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
207 eap_reauth(dev[0], "SIM")
209 logger.info("SIM full auth with permanent identity")
212 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
213 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
214 eap_reauth(dev[0], "SIM")
216 logger.info("SIM reauth with mismatching MK")
219 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
220 eap_reauth(dev[0], "SIM", expect_failure=True)
221 dev[0].request("REMOVE_NETWORK all")
223 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
224 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
227 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
228 eap_reauth(dev[0], "SIM")
231 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
232 logger.info("SIM reauth with mismatching counter")
233 eap_reauth(dev[0], "SIM")
234 dev[0].request("REMOVE_NETWORK all")
236 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
237 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
240 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
241 logger.info("SIM reauth with max reauth count reached")
242 eap_reauth(dev[0], "SIM")
244 def test_ap_wpa2_eap_sim_config(dev, apdev):
245 """EAP-SIM configuration options"""
246 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
247 hostapd.add_ap(apdev[0]['ifname'], params)
248 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
249 identity="1232010000000000",
250 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
251 phase1="sim_min_num_chal=1",
252 wait_connect=False, scan_freq="2412")
253 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
255 raise Exception("No EAP error message seen")
256 dev[0].request("REMOVE_NETWORK all")
258 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
259 identity="1232010000000000",
260 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
261 phase1="sim_min_num_chal=4",
262 wait_connect=False, scan_freq="2412")
263 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
265 raise Exception("No EAP error message seen (2)")
266 dev[0].request("REMOVE_NETWORK all")
268 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
269 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
270 phase1="sim_min_num_chal=2")
271 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
272 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
273 anonymous_identity="345678")
275 def test_ap_wpa2_eap_sim_ext(dev, apdev):
276 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
278 _test_ap_wpa2_eap_sim_ext(dev, apdev)
280 dev[0].request("SET external_sim 0")
282 def _test_ap_wpa2_eap_sim_ext(dev, apdev):
283 check_hlr_auc_gw_support()
284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
285 hostapd.add_ap(apdev[0]['ifname'], params)
286 dev[0].request("SET external_sim 1")
287 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
288 identity="1232010000000000",
289 wait_connect=False, scan_freq="2412")
290 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
292 raise Exception("Network connected timed out")
294 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
296 raise Exception("Wait for external SIM processing request timed out")
298 if p[1] != "GSM-AUTH":
299 raise Exception("Unexpected CTRL-REQ-SIM type")
300 rid = p[0].split('-')[3]
303 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
304 # This will fail during processing, but the ctrl_iface command succeeds
305 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
306 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 raise Exception("EAP failure not reported")
309 dev[0].request("DISCONNECT")
310 dev[0].wait_disconnected()
313 dev[0].select_network(id, freq="2412")
314 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
316 raise Exception("Wait for external SIM processing request timed out")
318 if p[1] != "GSM-AUTH":
319 raise Exception("Unexpected CTRL-REQ-SIM type")
320 rid = p[0].split('-')[3]
321 # This will fail during GSM auth validation
322 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
323 raise Exception("CTRL-RSP-SIM failed")
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
326 raise Exception("EAP failure not reported")
327 dev[0].request("DISCONNECT")
328 dev[0].wait_disconnected()
331 dev[0].select_network(id, freq="2412")
332 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
334 raise Exception("Wait for external SIM processing request timed out")
336 if p[1] != "GSM-AUTH":
337 raise Exception("Unexpected CTRL-REQ-SIM type")
338 rid = p[0].split('-')[3]
339 # This will fail during GSM auth validation
340 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
341 raise Exception("CTRL-RSP-SIM failed")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
344 raise Exception("EAP failure not reported")
345 dev[0].request("DISCONNECT")
346 dev[0].wait_disconnected()
349 dev[0].select_network(id, freq="2412")
350 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
352 raise Exception("Wait for external SIM processing request timed out")
354 if p[1] != "GSM-AUTH":
355 raise Exception("Unexpected CTRL-REQ-SIM type")
356 rid = p[0].split('-')[3]
357 # This will fail during GSM auth validation
358 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
359 raise Exception("CTRL-RSP-SIM failed")
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
362 raise Exception("EAP failure not reported")
363 dev[0].request("DISCONNECT")
364 dev[0].wait_disconnected()
367 dev[0].select_network(id, freq="2412")
368 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
370 raise Exception("Wait for external SIM processing request timed out")
372 if p[1] != "GSM-AUTH":
373 raise Exception("Unexpected CTRL-REQ-SIM type")
374 rid = p[0].split('-')[3]
375 # This will fail during GSM auth validation
376 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
377 raise Exception("CTRL-RSP-SIM failed")
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 raise Exception("EAP failure not reported")
381 dev[0].request("DISCONNECT")
382 dev[0].wait_disconnected()
385 dev[0].select_network(id, freq="2412")
386 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
388 raise Exception("Wait for external SIM processing request timed out")
390 if p[1] != "GSM-AUTH":
391 raise Exception("Unexpected CTRL-REQ-SIM type")
392 rid = p[0].split('-')[3]
393 # This will fail during GSM auth validation
394 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
395 raise Exception("CTRL-RSP-SIM failed")
396 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
398 raise Exception("EAP failure not reported")
399 dev[0].request("DISCONNECT")
400 dev[0].wait_disconnected()
403 dev[0].select_network(id, freq="2412")
404 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
406 raise Exception("Wait for external SIM processing request timed out")
408 if p[1] != "GSM-AUTH":
409 raise Exception("Unexpected CTRL-REQ-SIM type")
410 rid = p[0].split('-')[3]
411 # This will fail during GSM auth validation
412 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
413 raise Exception("CTRL-RSP-SIM failed")
414 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
416 raise Exception("EAP failure not reported")
418 def test_ap_wpa2_eap_sim_oom(dev, apdev):
419 """EAP-SIM and OOM"""
420 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
421 hostapd.add_ap(apdev[0]['ifname'], params)
422 tests = [ (1, "milenage_f2345"),
423 (2, "milenage_f2345"),
424 (3, "milenage_f2345"),
425 (4, "milenage_f2345"),
426 (5, "milenage_f2345"),
427 (6, "milenage_f2345"),
428 (7, "milenage_f2345"),
429 (8, "milenage_f2345"),
430 (9, "milenage_f2345"),
431 (10, "milenage_f2345"),
432 (11, "milenage_f2345"),
433 (12, "milenage_f2345") ]
434 for count, func in tests:
435 with alloc_fail(dev[0], count, func):
436 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
437 identity="1232010000000000",
438 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
439 wait_connect=False, scan_freq="2412")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
442 raise Exception("EAP method not selected")
443 dev[0].wait_disconnected()
444 dev[0].request("REMOVE_NETWORK all")
446 def test_ap_wpa2_eap_aka(dev, apdev):
447 """WPA2-Enterprise connection using EAP-AKA"""
448 check_hlr_auc_gw_support()
449 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
450 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
451 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
452 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
453 hwsim_utils.test_connectivity(dev[0], hapd)
454 eap_reauth(dev[0], "AKA")
456 logger.info("Negative test with incorrect key")
457 dev[0].request("REMOVE_NETWORK all")
458 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
459 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
462 logger.info("Invalid Milenage key")
463 dev[0].request("REMOVE_NETWORK all")
464 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
465 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
468 logger.info("Invalid Milenage key(2)")
469 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
470 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
473 logger.info("Invalid Milenage key(3)")
474 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
475 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
478 logger.info("Invalid Milenage key(4)")
479 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
480 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
483 logger.info("Invalid Milenage key(5)")
484 dev[0].request("REMOVE_NETWORK all")
485 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
486 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
489 logger.info("Invalid Milenage key(6)")
490 dev[0].request("REMOVE_NETWORK all")
491 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
492 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
495 logger.info("Missing key configuration")
496 dev[0].request("REMOVE_NETWORK all")
497 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
500 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
501 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
502 check_hlr_auc_gw_support()
506 raise HwsimSkip("No sqlite3 module available")
507 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
508 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
509 params['auth_server_port'] = "1814"
510 hostapd.add_ap(apdev[0]['ifname'], params)
511 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
512 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
514 logger.info("AKA fast re-authentication")
515 eap_reauth(dev[0], "AKA")
517 logger.info("AKA full auth with pseudonym")
520 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
521 eap_reauth(dev[0], "AKA")
523 logger.info("AKA full auth with permanent identity")
526 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
527 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
528 eap_reauth(dev[0], "AKA")
530 logger.info("AKA reauth with mismatching MK")
533 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
534 eap_reauth(dev[0], "AKA", expect_failure=True)
535 dev[0].request("REMOVE_NETWORK all")
537 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
538 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
541 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
542 eap_reauth(dev[0], "AKA")
545 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
546 logger.info("AKA reauth with mismatching counter")
547 eap_reauth(dev[0], "AKA")
548 dev[0].request("REMOVE_NETWORK all")
550 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
551 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
554 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
555 logger.info("AKA reauth with max reauth count reached")
556 eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects dev[0] with EAP-AKA while also setting anonymous_identity
    ("2345678") next to the permanent identity "0232010000000000", and
    expects the connection to succeed.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    milenage_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage_key,
                anonymous_identity="2345678")
566 def test_ap_wpa2_eap_aka_ext(dev, apdev):
567 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
569 _test_ap_wpa2_eap_aka_ext(dev, apdev)
571 dev[0].request("SET external_sim 0")
573 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
574 check_hlr_auc_gw_support()
575 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
576 hostapd.add_ap(apdev[0]['ifname'], params)
577 dev[0].request("SET external_sim 1")
578 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
579 identity="0232010000000000",
580 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
581 wait_connect=False, scan_freq="2412")
582 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
584 raise Exception("Network connected timed out")
586 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
588 raise Exception("Wait for external SIM processing request timed out")
590 if p[1] != "UMTS-AUTH":
591 raise Exception("Unexpected CTRL-REQ-SIM type")
592 rid = p[0].split('-')[3]
595 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
596 # This will fail during processing, but the ctrl_iface command succeeds
597 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
598 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
600 raise Exception("EAP failure not reported")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected()
605 dev[0].select_network(id, freq="2412")
606 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 raise Exception("Wait for external SIM processing request timed out")
610 if p[1] != "UMTS-AUTH":
611 raise Exception("Unexpected CTRL-REQ-SIM type")
612 rid = p[0].split('-')[3]
613 # This will fail during UMTS auth validation
614 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
615 raise Exception("CTRL-RSP-SIM failed")
616 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
618 raise Exception("Wait for external SIM processing request timed out")
620 if p[1] != "UMTS-AUTH":
621 raise Exception("Unexpected CTRL-REQ-SIM type")
622 rid = p[0].split('-')[3]
623 # This will fail during UMTS auth validation
624 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
625 raise Exception("CTRL-RSP-SIM failed")
626 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
628 raise Exception("EAP failure not reported")
629 dev[0].request("DISCONNECT")
630 dev[0].wait_disconnected()
633 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
635 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
636 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
637 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
638 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
639 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
641 dev[0].select_network(id, freq="2412")
642 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
644 raise Exception("Wait for external SIM processing request timed out")
646 if p[1] != "UMTS-AUTH":
647 raise Exception("Unexpected CTRL-REQ-SIM type")
648 rid = p[0].split('-')[3]
649 # This will fail during UMTS auth validation
650 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
651 raise Exception("CTRL-RSP-SIM failed")
652 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
654 raise Exception("EAP failure not reported")
655 dev[0].request("DISCONNECT")
656 dev[0].wait_disconnected()
659 def test_ap_wpa2_eap_aka_prime(dev, apdev):
660 """WPA2-Enterprise connection using EAP-AKA'"""
661 check_hlr_auc_gw_support()
662 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
663 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
664 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
665 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
666 hwsim_utils.test_connectivity(dev[0], hapd)
667 eap_reauth(dev[0], "AKA'")
669 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
670 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
671 identity="6555444333222111@both",
672 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
673 wait_connect=False, scan_freq="2412")
674 dev[1].wait_connected(timeout=15)
676 logger.info("Negative test with incorrect key")
677 dev[0].request("REMOVE_NETWORK all")
678 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
679 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
682 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
683 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
684 check_hlr_auc_gw_support()
688 raise HwsimSkip("No sqlite3 module available")
689 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
691 params['auth_server_port'] = "1814"
692 hostapd.add_ap(apdev[0]['ifname'], params)
693 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
694 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
696 logger.info("AKA' fast re-authentication")
697 eap_reauth(dev[0], "AKA'")
699 logger.info("AKA' full auth with pseudonym")
702 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
703 eap_reauth(dev[0], "AKA'")
705 logger.info("AKA' full auth with permanent identity")
708 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
709 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
710 eap_reauth(dev[0], "AKA'")
712 logger.info("AKA' reauth with mismatching k_aut")
715 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
716 eap_reauth(dev[0], "AKA'", expect_failure=True)
717 dev[0].request("REMOVE_NETWORK all")
719 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
720 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
723 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
724 eap_reauth(dev[0], "AKA'")
727 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
728 logger.info("AKA' reauth with mismatching counter")
729 eap_reauth(dev[0], "AKA'")
730 dev[0].request("REMOVE_NETWORK all")
732 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
733 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
736 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
737 logger.info("AKA' reauth with max reauth count reached")
738 eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Brings up a WPA2-EAP AP and checks that GET_CONFIG lists WPA-EAP as the
    first key_mgmt entry.  dev[0] then connects with TTLS/PAP, validating the
    server against auth_serv/ca.pem, data connectivity is verified, the
    station re-authenticates, and the MIB must report AKM suite 00-0f-ac-1
    (IEEE 802.1X) as both requested and selected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    Skipped unless the TLS backend supports subject_match and
    altsubject_match.  dev[0] connects with TTLS/PAP while pinning the
    server certificate's subject and subjectAltName entries on top of the
    CA check, then re-authenticates.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    alt_names = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match=alt_names)
    eap_reauth(dev[0], "TTLS")
768 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
769 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
770 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
771 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
772 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
773 anonymous_identity="ttls", password="wrong",
774 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
776 eap_connect(dev[1], apdev[0], "TTLS", "user",
777 anonymous_identity="ttls", password="password",
778 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    dev[0] connects with TTLS/CHAP using the DER-encoded CA certificate
    (auth_serv/ca.der) for server validation; connectivity is checked and
    the station re-authenticates.
    """
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    Skipped unless the TLS backend supports altsubject_match.  dev[0]
    connects with TTLS/CHAP against auth_serv/ca.der while additionally
    requiring the server certificate's subjectAltName entries to match, then
    re-authenticates.
    """
    check_altsubject_match_support(dev[0])
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    alt_names = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=alt_names)
    eap_reauth(dev[0], "TTLS")
802 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
803 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
804 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
805 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
806 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
807 anonymous_identity="ttls", password="wrong",
808 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
810 eap_connect(dev[1], apdev[0], "TTLS", "user",
811 anonymous_identity="ttls", password="password",
812 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
815 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
816 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
817 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
818 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
819 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
820 anonymous_identity="ttls", password="password",
821 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
822 domain_suffix_match="server.w1.fi")
823 hwsim_utils.test_connectivity(dev[0], hapd)
824 eap_reauth(dev[0], "TTLS")
825 dev[0].request("REMOVE_NETWORK all")
826 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
827 anonymous_identity="ttls", password="password",
828 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
831 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
832 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
833 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
834 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Three stations, three ways the inner MSCHAP exchange must be rejected:
# wrong password, a user presumably not provisioned for MSCHAP, unknown user.
835 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
836 anonymous_identity="ttls", password="wrong",
837 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): line 838 (closing argument line, presumably expect_failure=True) missing from this copy.
839 eap_connect(dev[1], apdev[0], "TTLS", "user",
840 anonymous_identity="ttls", password="password",
841 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): line 842 (closing argument line) missing from this copy.
843 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
844 anonymous_identity="ttls", password="password",
845 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
# NOTE(review): line 846 (closing argument line) missing from this copy.
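def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a domain-qualified identity, checks the data path, then
    re-authenticates and verifies via the AP's per-STA MIB counters that a
    second full EAP exchange actually took place. Finally repeats the
    connection with the password given as a pre-computed hash.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The identity carries a literal backslash; "\\m" spells that explicitly
    # instead of relying on the interpreter keeping an unknown "\m" escape
    # verbatim (a warning on newer Pythons). Runtime value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    # Each counter is compared before/after the re-authentication so the
    # check is independent of whatever the initial connection left behind.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The "hash:" form is accepted in place of the password, i.e. the hash
    # alone authenticates and must be protected like the password itself.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")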
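def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain suffix match

    Uses a parent-domain suffix ("w1.fi") rather than the full server name,
    which only the OpenSSL-based build supports (check_domain_match_full
    skips the test otherwise).
    """
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" makes the literal backslash in the identity explicit; the
    # runtime string is the same as with the unescaped "\m".
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")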
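def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match requires the server certificate's name to equal the
    configured value; the mixed-case "Server.w1.fi" presumably exercises
    case-insensitive comparison against the certificate's "server.w1.fi".
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" makes the literal backslash in the identity explicit; the
    # runtime string is the same as with the unescaped "\m".
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")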
902 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
903 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
904 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
905 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Near-miss password ("password1") must be rejected by the inner method.
906 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
907 anonymous_identity="ttls", password="password1",
908 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# NOTE(review): line 909 (closing argument line, presumably expect_failure=True) missing from this copy.
910 eap_connect(dev[1], apdev[0], "TTLS", "user",
911 anonymous_identity="ttls", password="password",
912 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# NOTE(review): line 913 (closing argument line) missing from this copy.
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    Two stations against one AP: the first authenticates with a non-ASCII
    cleartext password, the second with the pre-computed hash form of a
    UTF-8 password.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ap['ifname'])
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # Hash form: as shown here it authenticates on its own, so it is a
    # password-equivalent secret.
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an EAP method (here GTC) inside the TTLS tunnel,
    # as opposed to the non-EAP "auth=CHAP/MSCHAP/..." inner methods.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
938 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
939 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
940 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
941 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Wrong GTC password inside the tunnel must be rejected.
942 eap_connect(dev[0], apdev[0], "TTLS", "user",
943 anonymous_identity="ttls", password="wrong",
944 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
# NOTE(review): line 945 (closing argument line, presumably expect_failure=True) missing from this copy.
947 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
948 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
949 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
950 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# "user-no-passwd" has no password on the server side; supplying one must
# not let the exchange succeed.
951 eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
952 anonymous_identity="ttls", password="password",
953 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
# NOTE(review): line 954 (closing argument line, presumably expect_failure=True) missing from this copy.
956 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
957 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
958 params = int_eap_server_params()
959 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Make the first allocation in the server's eap_gtc_init() fail; the
# authentication then cannot complete (the EAP-MD5 sibling expects failure).
960 with alloc_fail(hapd, 1, "eap_gtc_init"):
961 eap_connect(dev[0], apdev[0], "TTLS", "user",
962 anonymous_identity="ttls", password="password",
963 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
# NOTE(review): line 964 (closing argument line) missing from this copy.
965 dev[0].request("REMOVE_NETWORK all")
# Same for eap_gtc_buildReq(): connect without waiting so the test can
# stop as soon as the failure point is hit.
967 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
968 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
969 eap="TTLS", identity="user",
970 anonymous_identity="ttls", password="password",
971 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
972 wait_connect=False, scan_freq="2412")
973 # This would eventually time out, but we can stop after having reached
974 # the allocation failure.
# NOTE(review): lines 975-976 (the wait for the failure trigger) and line
# 978 (the body of the check below) are missing from this copy. A
# GET_ALLOC_FAIL reply starting with '0' means the failure was never hit.
977 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 is only acceptable here because it runs inside the TTLS
    # tunnel; on its own it offers no server authentication.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
990 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
991 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
992 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
993 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Wrong MD5 password inside the tunnel must be rejected.
994 eap_connect(dev[0], apdev[0], "TTLS", "user",
995 anonymous_identity="ttls", password="wrong",
996 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
# NOTE(review): line 997 (closing argument line, presumably expect_failure=True) missing from this copy.
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "user-no-passwd" has no server-side password; the exchange must fail
    # even though the client supplies one.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1008 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1009 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1010 params = int_eap_server_params()
1011 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Make the first allocation in the server's eap_md5_init() fail; the
# authentication must then fail rather than proceed.
1012 with alloc_fail(hapd, 1, "eap_md5_init"):
1013 eap_connect(dev[0], apdev[0], "TTLS", "user",
1014 anonymous_identity="ttls", password="password",
1015 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1016 expect_failure=True)
1017 dev[0].request("REMOVE_NETWORK all")
# Same for eap_md5_buildReq(): connect without waiting so the test can
# stop as soon as the failure point is hit.
1019 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1020 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1021 eap="TTLS", identity="user",
1022 anonymous_identity="ttls", password="password",
1023 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1024 wait_connect=False, scan_freq="2412")
1025 # This would eventually time out, but we can stop after having reached
1026 # the allocation failure.
# NOTE(review): lines 1027-1028 (the wait for the failure trigger) and line
# 1030 (the body of the check below) are missing from this copy.
1029 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Positive connection with re-authentication, followed by a negative
    round with a near-miss password that must be rejected.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    eap_connect(dev[0], ap, "TTLS", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server has no password for "user-no-passwd": supplying one must not
    # produce a successful authentication.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1058 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1059 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1060 params = int_eap_server_params()
1061 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failure in the server's method init: authentication must fail.
1062 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1063 eap_connect(dev[0], apdev[0], "TTLS", "user",
1064 anonymous_identity="ttls", password="password",
1065 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1066 expect_failure=True)
1067 dev[0].request("REMOVE_NETWORK all")
# Three further failure points (challenge, success request, failure
# request); each round connects without waiting and stops once the
# injected failure has been reached.
1069 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1070 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1071 eap="TTLS", identity="user",
1072 anonymous_identity="ttls", password="password",
1073 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1074 wait_connect=False, scan_freq="2412")
1075 # This would eventually time out, but we can stop after having reached
1076 # the allocation failure.
# NOTE(review): lines 1077-1078 (wait for the trigger) and 1080 (body of the
# check) are missing from this copy; same for 1091-1092/1094 and
# 1105-1106/1108 below.
1079 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1081 dev[0].request("REMOVE_NETWORK all")
1083 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1084 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1085 eap="TTLS", identity="user",
1086 anonymous_identity="ttls", password="password",
1087 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1088 wait_connect=False, scan_freq="2412")
1089 # This would eventually time out, but we can stop after having reached
1090 # the allocation failure.
1093 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1095 dev[0].request("REMOVE_NETWORK all")
# The failure-request path is only reached with a wrong password.
1097 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1098 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1099 eap="TTLS", identity="user",
1100 anonymous_identity="ttls", password="wrong",
1101 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1102 wait_connect=False, scan_freq="2412")
1103 # This would eventually time out, but we can stop after having reached
1104 # the allocation failure.
1107 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1109 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the password looks like simulated-SIM parameters in
    # "Ki:OPc:SQN" form consumed by the test authentication server — confirm.
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SIM test parameters as the TTLS variant, tunnelled in PEAP;
    # the realm in the outer identity selects the PEAP profile.
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    # Skips unless the supplicant build advertises EAP-FAST.
    check_eap_capa(dev[0], "FAST")
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # The PAC is kept in a named config blob rather than a file; the
    # phase1 fast_provisioning setting governs how it is obtained.
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=sim_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Baseline connection with re-authentication, then the same exchange
    with forced EAP fragmentation, with the password given as a hash, and
    finally with a near-miss password that must be rejected.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **tunnel)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Small fragment_size forces the EAP messages to be split.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **tunnel)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The hash on its own is enough to authenticate, so it is a
    # password-equivalent credential and needs the same protection.
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **tunnel)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **tunnel)
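def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\user3" is required: in a Python 3 string literal "\u" starts a
    # unicode escape, so the unescaped "DOMAIN\user3" is a syntax error
    # there. Under Python 2 both spellings yield the same runtime value.
    eap_connect(dev[0], apdev[0], "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")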
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong inner password must end in an EAP failure, not a connection.
    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations with crypto_binding required (2), optional (1) and
    disabled (0); all are expected to connect, and the first one is also
    re-authenticated.
    """
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        # Cryptobinding ties the inner EAP-MSCHAPv2 result to the outer
        # TLS tunnel; requiring it (2) is the setting that actually
        # detects a tunnel/inner-method splice.
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'], int_eap_server_params())
    # The server fails to derive the inner-method key (eap_mschapv2_getKey);
    # with crypto_binding required the client must refuse to proceed, and
    # local_error_report=True indicates the failure is detected locally.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
1220 def test_ap_wpa2_eap_peap_params(dev, apdev):
1221 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1222 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1223 hostapd.add_ap(apdev[0]['ifname'], params)
# peaplabel=1 selects the alternative key-derivation label; against this
# server the resulting exchange is expected to fail.
1224 eap_connect(dev[0], apdev[0], "PEAP", "user",
1225 anonymous_identity="peap", password="password",
1226 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1227 phase1="peapver=0 peaplabel=1",
1228 expect_failure=True)
1229 dev[0].request("REMOVE_NETWORK all")
# Both peap_outer_success settings must still connect.
1230 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1231 ca_cert="auth_serv/ca.pem",
1232 phase1="peap_outer_success=1",
1233 phase2="auth=MSCHAPV2")
1234 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1235 ca_cert="auth_serv/ca.pem",
1236 phase1="peap_outer_success=2",
1237 phase2="auth=MSCHAPV2")
# PEAPv1 with peaplabel=1: EAP reports success, but the connection must not
# complete (presumably because the keys derived on the two sides differ).
1238 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
# NOTE(review): line 1239 (presumably the identity argument) is missing from this copy.
1240 anonymous_identity="peap", password="password",
1241 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1242 phase1="peapver=1 peaplabel=1",
1243 wait_connect=False, scan_freq="2412")
1244 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): line 1245, the guard before this raise (presumably `if ev is None:`), is missing from this copy.
1246 raise Exception("No EAP success seen")
1247 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
# NOTE(review): line 1248, the guard before this raise (presumably `if ev is not None:`), is missing from this copy.
1249 raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "*2" parameters are the credentials for the inner EAP-TLS run
    # (phase2="auth=TLS"); the outer PEAP tunnel only needs ca_cert.
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: CA for the server, client cert and
    # key for the station.
    eap_connect(dev[0], ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(dev[0], "TLS")
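def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are pushed to
    the supplicant as named configuration blobs over the control interface
    and referenced as blob://<name> instead of file paths.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, fname):
        # read_pem returns the base64-decoded body of the PEM file; the
        # control interface takes the blob as a hex string.
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # The failure message for this blob previously said "cacert", which
    # pointed at the wrong step; it now names the key blob.
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")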
1288 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1289 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1290 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1291 hostapd.add_ap(apdev[0]['ifname'], params)
# Round 1: client credentials from a PKCS#12 bundle with the passphrase
# configured in the network block.
1292 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1293 private_key="auth_serv/user.pkcs12",
1294 private_key_passwd="whatever")
1295 dev[0].request("REMOVE_NETWORK all")
1296 dev[0].wait_disconnected()
# Round 2: no passphrase configured, so the supplicant must request it
# over the control interface and the test answers the request.
1298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1299 identity="tls user",
1300 ca_cert="auth_serv/ca.pem",
1301 private_key="auth_serv/user.pkcs12",
1302 wait_connect=False, scan_freq="2412")
1303 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
# NOTE(review): line 1304, the guard before this raise (presumably `if ev is None:`), is missing from this copy.
1305 raise Exception("Request for private key passphrase timed out")
# The network id is parsed out of the "CTRL-REQ-PASSPHRASE-<id>:..." text.
# ("id" shadows the builtin; harmless in this scope.)
1306 id = ev.split(':')[0].split('-')[-1]
1307 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1308 dev[0].wait_connected(timeout=10)
1309 dev[0].request("REMOVE_NETWORK all")
1310 dev[0].wait_disconnected()
# Round 3: a second bundle (user2.pkcs12) with the passphrase configured.
1312 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1313 private_key="auth_serv/user2.pkcs12",
1314 private_key_passwd="whatever")
1315 dev[0].request("REMOVE_NETWORK all")
1316 dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def push_blob(name, raw):
        # Blobs go over the control interface hex-encoded.
        reply = dev[0].request("SET blob " + name + " " + raw.encode("hex"))
        if "OK" not in reply:
            raise Exception("Could not set " + name + " blob")

    push_blob("cacert", read_pem("auth_serv/ca.pem"))
    # The PKCS#12 bundle is already binary, so it is read as-is.
    with open("auth_serv/user.pkcs12", "rb") as f:
        push_blob("pkcs12", f.read())
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
1332 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1333 """WPA2-Enterprise negative test - incorrect trust root"""
1334 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1335 hostapd.add_ap(apdev[0]['ifname'], params)
# Two stations configured with a CA that did not issue the server's
# certificate: one via a config blob, one via a file path.
1336 cert = read_pem("auth_serv/ca-incorrect.pem")
1337 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1338 raise Exception("Could not set cacert blob")
1339 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1340 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1341 password="password", phase2="auth=MSCHAPV2",
1342 ca_cert="blob://cacert",
1343 wait_connect=False, scan_freq="2412")
1344 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1345 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1346 password="password", phase2="auth=MSCHAPV2",
1347 ca_cert="auth_serv/ca-incorrect.pem",
1348 wait_connect=False, scan_freq="2412")
# Note: the loop variable rebinds the "dev" parameter; the tuple is
# evaluated once, so it works, but "dev" no longer names the list afterwards.
# Expected sequence per station: EAP started -> TTLS selected -> TLS
# certificate error -> EAP failure -> disconnection -> network block
# temporarily disabled. The credentials must never be sent to an
# unverified server.
1350 for dev in (dev[0], dev[1]):
1351 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): the guard lines before each "timed out" raise (1352, 1356,
# 1366, 1375, 1382, 1388; presumably `if ev is None:`) are missing from this copy.
1353 raise Exception("Association and EAP start timed out")
1355 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1357 raise Exception("EAP method selection timed out")
1358 if "TTLS" not in ev:
1359 raise Exception("Unexpected EAP method")
1361 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1362 "CTRL-EVENT-EAP-SUCCESS",
1363 "CTRL-EVENT-EAP-FAILURE",
1364 "CTRL-EVENT-CONNECTED",
1365 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1367 raise Exception("EAP result timed out")
1368 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1369 raise Exception("TLS certificate error not reported")
1371 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1372 "CTRL-EVENT-EAP-FAILURE",
1373 "CTRL-EVENT-CONNECTED",
1374 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1376 raise Exception("EAP result(2) timed out")
1377 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1378 raise Exception("EAP failure not reported")
1380 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1381 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1383 raise Exception("EAP result(3) timed out")
1384 if "CTRL-EVENT-DISCONNECTED" not in ev:
1385 raise Exception("Disconnection not reported")
1387 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1389 raise Exception("Network block disabling not reported")
1391 def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
1392 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1393 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1394 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# First network block trusts the correct CA and connects normally.
1395 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1396 identity="pap user", anonymous_identity="ttls",
1397 password="password", phase2="auth=PAP",
1398 ca_cert="auth_serv/ca.pem",
1399 wait_connect=True, scan_freq="2412")
# Second block is identical except for a CA that did not issue the server
# certificate; it is only added now and selected after disconnecting.
1400 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1401 identity="pap user", anonymous_identity="ttls",
1402 password="password", phase2="auth=PAP",
1403 ca_cert="auth_serv/ca-incorrect.pem",
1404 only_add_network=True, scan_freq="2412")
1406 dev[0].request("DISCONNECT")
1407 dev[0].wait_disconnected()
1408 dev[0].dump_monitor()
1409 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a full EAP run must be
# started again (presumably so no cached state bypasses the new trust root).
1411 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): line 1412, the guard before this raise (presumably `if ev is None:`), is missing from this copy.
1413 raise Exception("EAP-TTLS not re-started")
# The server certificate no longer validates, so the association must be
# torn down with reason code 23 (IEEE 802.1X authentication failed).
1415 ev = dev[0].wait_disconnected(timeout=15)
1416 if "reason=23" not in ev:
1417 raise Exception("Proper reason code for disconnection not reported")
1419 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant of diff_ca_trust: the first block sets no ca_cert at all, i.e.
# the server certificate is not validated for the initial connection.
1423 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1424 identity="pap user", anonymous_identity="ttls",
1425 password="password", phase2="auth=PAP",
1426 wait_connect=True, scan_freq="2412")
# Second block pins an incorrect CA; selected after disconnecting.
1427 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1428 identity="pap user", anonymous_identity="ttls",
1429 password="password", phase2="auth=PAP",
1430 ca_cert="auth_serv/ca-incorrect.pem",
1431 only_add_network=True, scan_freq="2412")
1433 dev[0].request("DISCONNECT")
1434 dev[0].wait_disconnected()
1435 dev[0].dump_monitor()
1436 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a full EAP run must be
# started again rather than anything from the first session being reused.
1438 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): line 1439, the guard before this raise (presumably `if ev is None:`), is missing from this copy.
1440 raise Exception("EAP-TTLS not re-started")
# Reason code 23 = IEEE 802.1X authentication failed.
1442 ev = dev[0].wait_disconnected(timeout=15)
1443 if "reason=23" not in ev:
1444 raise Exception("Proper reason code for disconnection not reported")
1446 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
1447 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1448 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1449 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# Variant of diff_ca_trust: a single network block whose ca_cert is
# changed in place to an incorrect CA between the two connection attempts.
1450 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1451 identity="pap user", anonymous_identity="ttls",
1452 password="password", phase2="auth=PAP",
1453 ca_cert="auth_serv/ca.pem",
1454 wait_connect=True, scan_freq="2412")
1455 dev[0].request("DISCONNECT")
1456 dev[0].wait_disconnected()
1457 dev[0].dump_monitor()
1458 dev[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1459 dev[0].select_network(id, freq="2412")
# method=21 is the EAP type number of EAP-TTLS: a full EAP run must be
# started again, so the modified trust root is actually applied.
1461 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
# NOTE(review): line 1462, the guard before this raise (presumably `if ev is None:`), is missing from this copy.
1463 raise Exception("EAP-TTLS not re-started")
# Reason code 23 = IEEE 802.1X authentication failed.
1465 ev = dev[0].wait_disconnected(timeout=15)
1466 if "reason=23" not in ev:
1467 raise Exception("Proper reason code for disconnection not reported")
1469 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1470 """WPA2-Enterprise negative test - domain suffix mismatch"""
1471 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1472 hostapd.add_ap(apdev[0]['ifname'], params)
# The CA is correct, but domain_suffix_match names a host the server
# certificate does not match: validation must fail on the name check alone.
1473 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1474 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1475 password="password", phase2="auth=MSCHAPV2",
1476 ca_cert="auth_serv/ca.pem",
1477 domain_suffix_match="incorrect.example.com",
1478 wait_connect=False, scan_freq="2412")
# Expected sequence: EAP started -> TTLS selected -> certificate error
# naming the suffix mismatch -> EAP failure -> disconnection -> network
# block temporarily disabled.
1480 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): the guard lines before each "timed out" raise (1481, 1485,
# 1495, 1506, 1513, 1519; presumably `if ev is None:`) are missing from this copy.
1482 raise Exception("Association and EAP start timed out")
1484 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1486 raise Exception("EAP method selection timed out")
1487 if "TTLS" not in ev:
1488 raise Exception("Unexpected EAP method")
1490 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1491 "CTRL-EVENT-EAP-SUCCESS",
1492 "CTRL-EVENT-EAP-FAILURE",
1493 "CTRL-EVENT-CONNECTED",
1494 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1496 raise Exception("EAP result timed out")
1497 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1498 raise Exception("TLS certificate error not reported")
1499 if "Domain suffix mismatch" not in ev:
1500 raise Exception("Domain suffix mismatch not reported")
1502 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1503 "CTRL-EVENT-EAP-FAILURE",
1504 "CTRL-EVENT-CONNECTED",
1505 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1507 raise Exception("EAP result(2) timed out")
1508 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1509 raise Exception("EAP failure not reported")
1511 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1512 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1514 raise Exception("EAP result(3) timed out")
1515 if "CTRL-EVENT-DISCONNECTED" not in ev:
1516 raise Exception("Disconnection not reported")
1518 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1520 raise Exception("Network block disabling not reported")
1522 def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
1523 """WPA2-Enterprise negative test - domain mismatch"""
1524 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1525 hostapd.add_ap(apdev[0]['ifname'], params)
# domain_match requires an exact name; "w1.fi" is only a suffix of the
# server's name (the positive test uses "Server.w1.fi"), so it must fail.
1526 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1527 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1528 password="password", phase2="auth=MSCHAPV2",
1529 ca_cert="auth_serv/ca.pem",
1530 domain_match="w1.fi",
1531 wait_connect=False, scan_freq="2412")
# Expected sequence: EAP started -> TTLS selected -> certificate error
# naming the domain mismatch -> EAP failure -> disconnection -> network
# block temporarily disabled.
1533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
# NOTE(review): the guard lines before each "timed out" raise (1534, 1538,
# 1548, 1559, 1566, 1572; presumably `if ev is None:`) are missing from this copy.
1535 raise Exception("Association and EAP start timed out")
1537 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1539 raise Exception("EAP method selection timed out")
1540 if "TTLS" not in ev:
1541 raise Exception("Unexpected EAP method")
1543 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1544 "CTRL-EVENT-EAP-SUCCESS",
1545 "CTRL-EVENT-EAP-FAILURE",
1546 "CTRL-EVENT-CONNECTED",
1547 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1549 raise Exception("EAP result timed out")
1550 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1551 raise Exception("TLS certificate error not reported")
1552 if "Domain mismatch" not in ev:
1553 raise Exception("Domain mismatch not reported")
1555 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1556 "CTRL-EVENT-EAP-FAILURE",
1557 "CTRL-EVENT-CONNECTED",
1558 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1560 raise Exception("EAP result(2) timed out")
1561 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1562 raise Exception("EAP failure not reported")
1564 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1565 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1567 raise Exception("EAP result(3) timed out")
1568 if "CTRL-EVENT-DISCONNECTED" not in ev:
1569 raise Exception("Disconnection not reported")
1571 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1573 raise Exception("Network block disabling not reported")
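def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    The station trusts the test CA but additionally requires the server
    certificate Subject to equal subject_match, which the AP's certificate
    does not satisfy. Expected sequence: CTRL-EVENT-EAP-TLS-CERT-ERROR with
    "Subject mismatch", then EAP failure, then disconnection, then the
    network block being temporarily disabled - i.e. a CA-signed certificate
    with the wrong Subject never yields a connection and is not retried in
    a tight loop. On TLS libraries without subject_match support the method
    must refuse to initialize, which is the fail-closed alternative.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m": "\m" is not a Python escape, so the value is unchanged, but the
    # backslash is now explicit instead of relying on that corner case.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            # OpenSSL builds do implement subject_match, so a refusal to
            # start the method is a real failure, not a missing feature.
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome must be the certificate error - never success or
    # an association completing without it.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # Back-off: the supplicant must not keep retrying against a server whose
    # certificate it just rejected.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")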
1635 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1636 """WPA2-Enterprise negative test - altsubject mismatch"""
1637 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1638 hostapd.add_ap(apdev[0]['ifname'], params)
1640 tests = [ "incorrect.example.com",
1641 "DNS:incorrect.example.com",
1645 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
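def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already-started AP.

    match: the altsubject_match value to configure; it must NOT match the
    AP's server certificate. Expected sequence: CTRL-EVENT-EAP-TLS-CERT-ERROR
    with "AltSubject mismatch", EAP failure, disconnection, network block
    temporarily disabled. The network block is removed at the end so the
    caller can run the next value. On TLS libraries without altsubject_match
    support the method must refuse to initialize (fail closed).
    """
    # "\\m": "\m" is not a Python escape, so the value is unchanged, but the
    # backslash is now explicit.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            # OpenSSL builds implement altsubject_match; refusing to start
            # the method there is a real failure.
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The first outcome must be the certificate error.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # Back-off of the rejected network block.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")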
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    # The station supplies only a trust anchor (ca_cert) and a fixed
    # identity - no client certificate or password in this test - so the
    # server is validated against the CA while the peer side is not
    # credential-authenticated. Initial connection and re-authentication
    # must both succeed.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
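def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases:
      1. ca_cert="probe://": the supplicant reports the server certificate
         chain (CTRL-EVENT-EAP-PEER-CERT, including the depth-0 hash) and
         then deliberately fails the authentication - probing must never
         produce a connection.
      2. ca_cert="hash://server/sha256/<wrong>": a pin that does not match
         the presented certificate must be reported as a server certificate
         mismatch and the station must disconnect.
      3. ca_cert="hash://server/sha256/<probed hash>": the correct pin
         connects with no CA file configured at all.

    NOTE(review): a hash captured via probe:// is trust-on-first-use - it is
    only as trustworthy as the network the probe was run on. The test checks
    the mechanics, not that operational caveat.
    """
    check_cert_probe_support(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    # Well-formed SHA-256 value that does not belong to the test server.
    wrong_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: probe the server certificate chain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: pin to a hash the server does not have.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/" + wrong_hash,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: pin to the hash reported by the probe.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")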
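def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # Each station gets a malformed hash:// pin. The supplicant must refuse
    # to initialize EAP-TTLS at all with these - it must not degrade to an
    # unpinned/unverified server. Cases: an unsupported digest name (md5),
    # a SHA-256 value two hex digits short, and a non-hex character ('Q').
    invalid_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    stations = dev[:len(invalid_pins)]
    for sta, pin in zip(stations, invalid_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in stations:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        # Method 21 is EAP-TTLS; initialization must be refused outright.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")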
1787 def test_ap_wpa2_eap_pwd(dev, apdev):
1788 """WPA2-Enterprise connection using EAP-pwd"""
1789 check_eap_capa(dev[0], "PWD")
1790 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1791 hostapd.add_ap(apdev[0]['ifname'], params)
1792 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1793 eap_reauth(dev[0], "PWD")
1794 dev[0].request("REMOVE_NETWORK all")
1796 eap_connect(dev[1], apdev[0], "PWD",
1797 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1798 password="secret password",
1801 logger.info("Negative test with incorrect password")
1802 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1803 expect_failure=True, local_error_report=True)
1805 eap_connect(dev[0], apdev[0], "PWD",
1806 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1807 password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    # The "pwd-hash" user authenticates either with the clear-text password
    # or with the password's NT hash (password_hex="hash:<16 bytes>") -
    # presumably the server-side entry stores the hash; confirm in
    # eap_user.conf. An NT hash is password-equivalent, so presenting it
    # under a different identity ("pwd user") must be rejected.
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nt_hash)
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    base_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                   "rsn_pairwise": "CCMP", "ieee8021x": "1",
                   "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    # Re-create the AP once per ECP group id (19/20/21 are the NIST
    # P-256/384/521 curves; 25/26 presumably the RFC 5114 192/224-bit
    # curves - confirm against the EAP-pwd implementation) and
    # authenticate against it. The previous network block is dropped first
    # so every run negotiates from scratch.
    for group in (19, 20, 21, 25, 26):
        ap_params = dict(base_params, pwd_group=str(group))
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
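def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # The server is configured with pwd_group 0, which is not a usable
    # group id. The station must end up with an EAP failure rather than
    # a connection negotiated on an undefined group.
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "0"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # No explicit timeout: wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")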
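def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    # fragment_size=40 on the authenticator forces the server to split its
    # EAP-pwd messages, exercising the peer's reassembly path with the
    # default group 19. (The unused hostapd.wpa2_eap_params() call that
    # used to precede this dict has been dropped; the dict is the whole
    # effective configuration.)
    check_eap_capa(dev[0], "PWD")
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")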
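def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # 32-character shared key; the negative case below alters its first
    # two characters.
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    # Pin the ciphersuite via phase1 on the live network block; each value
    # must still authenticate and connect. No explicit reconnect is issued -
    # the test relies on the supplicant re-running EAP after the change.
    # (cipher=1/2 are presumably the two RFC 5433 suites - confirm.)
    for phase1 in ["cipher=1", "cipher=2"]:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown ciphersuite id must make negotiation fail cleanly rather
    # than fall back to something the peer did not ask for.
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)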
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # 32-byte pre-shared key given as hex; connection and re-authentication
    # must succeed.
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    # Same key with its first byte changed (01 -> ff) must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
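def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    # Pin the DH group / encryption / PRF / MAC identifiers via phase1 on
    # the live network block; each combination must still authenticate and
    # connect. No explicit reconnect is issued - the test relies on the
    # supplicant re-running EAP after the change. The last entry
    # (prf=1 mac=1) is the weakest combination exercised.
    forced = ["dhgroup=5 encr=1 prf=2 mac=2",
              "dhgroup=4 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=2 mac=2",
              "dhgroup=3 encr=1 prf=1 mac=1"]
    for phase1 in forced:
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Identifiers nobody supports must yield a clean EAP failure, not a
    # silent fallback.
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)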
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # The integrated EAP server announces an NAI-form server_id; the peer
    # must accept it and complete EAP-EKE normally.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1938 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
1939 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
1940 params = int_eap_server_params()
1941 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1942 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
1944 for count,func in [ (1, "eap_eke_build_commit"),
1945 (2, "eap_eke_build_commit"),
1946 (3, "eap_eke_build_commit"),
1947 (1, "eap_eke_build_confirm"),
1948 (2, "eap_eke_build_confirm"),
1949 (1, "eap_eke_process_commit"),
1950 (2, "eap_eke_process_commit"),
1951 (1, "eap_eke_process_confirm"),
1952 (1, "eap_eke_process_identity"),
1953 (2, "eap_eke_process_identity"),
1954 (3, "eap_eke_process_identity"),
1955 (4, "eap_eke_process_identity") ]:
1956 with alloc_fail(hapd, count, func):
1957 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
1958 expect_failure=True)
1959 dev[0].request("REMOVE_NETWORK all")
1961 for count,func,pw in [ (1, "eap_eke_init", "hello"),
1962 (1, "eap_eke_get_session_id", "hello"),
1963 (1, "eap_eke_getKey", "hello"),
1964 (1, "eap_eke_build_msg", "hello"),
1965 (1, "eap_eke_build_failure", "wrong"),
1966 (1, "eap_eke_build_identity", "hello"),
1967 (2, "eap_eke_build_identity", "hello") ]:
1968 with alloc_fail(hapd, count, func):
1969 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1970 eap="EKE", identity="eke user", password=pw,
1971 wait_connect=False, scan_freq="2412")
1972 # This would eventually time out, but we can stop after having
1973 # reached the allocation failure.
1976 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1978 dev[0].request("REMOVE_NETWORK all")
1980 for count in range(1, 1000):
1982 with alloc_fail(hapd, count, "eap_server_sm_step"):
1983 dev[0].connect("test-wpa2-eap",
1984 key_mgmt="WPA-EAP WPA-EAP-SHA256",
1985 eap="EKE", identity="eke user", password=pw,
1986 wait_connect=False, scan_freq="2412")
1987 # This would eventually time out, but we can stop after having
1988 # reached the allocation failure.
1991 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1993 dev[0].request("REMOVE_NETWORK all")
1994 except Exception, e:
1995 if str(e) == "Allocation failure did not trigger":
1997 raise Exception("Too few allocation failures")
1998 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "ikev2 user"
    secret = "ike password"

    # Plain connection plus re-authentication.
    eap_connect(dev[0], apdev[0], "IKEV2", user, password=secret)
    eap_reauth(dev[0], "IKEV2")

    # Same credentials with peer-side fragmentation forced (50-byte pieces).
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password=secret,
                fragment_size="50")

    # A password differing by one character must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", user, password="ike-password",
                expect_failure=True)
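def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    # fragment_size=50 on the authenticator forces the server to split its
    # EAP-IKEv2 messages, exercising the peer's reassembly path. (The unused
    # hostapd.wpa2_eap_params() call that used to precede this dict has been
    # dropped; the dict is the whole effective configuration.)
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")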
2030 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2031 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2032 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2033 hostapd.add_ap(apdev[0]['ifname'], params)
2035 tests = [ (1, "dh_init"),
2037 (1, "dh_derive_shared") ]
2038 for count, func in tests:
2039 with alloc_fail(dev[0], count, func):
2040 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2041 identity="ikev2 user", password="ike password",
2042 wait_connect=False, scan_freq="2412")
2043 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2045 raise Exception("EAP method not selected")
2047 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2050 dev[0].request("REMOVE_NETWORK all")
2052 tests = [ (1, "os_get_random;dh_init") ]
2053 for count, func in tests:
2054 with fail_test(dev[0], count, func):
2055 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2056 identity="ikev2 user", password="ike password",
2057 wait_connect=False, scan_freq="2412")
2058 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2060 raise Exception("EAP method not selected")
2062 if "0:" in dev[0].request("GET_FAIL"):
2065 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # 16-byte shared key given as hex; connection and re-authentication
    # must succeed.
    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    # Same key with its first byte changed (01 -> ff) must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    # EAP-PSK is the EAP method (16-byte key via password_hex), not WPA-PSK.
    # The AP is configured for the SHA-256 AKM (WPA-EAP-SHA256) with PMF
    # required (ieee80211w=2); the station must request and get AKM suite
    # 00-0f-ac-5 and the BSS table must advertise WPA2-EAP-SHA256-CCMP.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update({"wpa_key_mgmt": "WPA-EAP-SHA256", "ieee80211w": "2"})
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    good_key = "0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    sha256_akm = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", sha256_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", sha256_akm)])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    # Same key with its first byte changed (01 -> ff) must be rejected.
    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=bad_key, sha256=True,
                expect_failure=True)
2105 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2106 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2107 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2108 hostapd.add_ap(apdev[0]['ifname'], params)
2109 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2110 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2111 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2112 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2113 (1, "=aes_128_eax_encrypt"),
2114 (1, "omac1_aes_vector"),
2115 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2116 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2117 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2118 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2119 (1, "=aes_128_eax_decrypt") ]
2120 for count, func in tests:
2121 with alloc_fail(dev[0], count, func):
2122 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2123 identity="psk.user@example.com",
2124 password_hex="0123456789abcdef0123456789abcdef",
2125 wait_connect=False, scan_freq="2412")
2126 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2128 raise Exception("EAP method not selected")
2130 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2133 dev[0].request("REMOVE_NETWORK all")
2135 with alloc_fail(dev[0], 1, "aes_128_encrypt_block"):
2136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2137 identity="psk.user@example.com",
2138 password_hex="0123456789abcdef0123456789abcdef",
2139 wait_connect=False, scan_freq="2412")
2140 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2142 raise Exception("EAP method failure not reported")
2143 dev[0].request("REMOVE_NETWORK all")
2145 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2146 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2147 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2148 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2149 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2150 identity="user", password="password", phase2="auth=MSCHAPV2",
2151 ca_cert="auth_serv/ca.pem", wait_connect=False,
2153 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2154 hwsim_utils.test_connectivity(dev[0], hapd)
2155 eap_reauth(dev[0], "PEAP", rsn=False)
2156 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2157 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2158 status = dev[0].get_status(extra="VERBOSE")
2159 if 'portControl' not in status:
2160 raise Exception("portControl missing from STATUS-VERBOSE")
2161 if status['portControl'] != 'Auto':
2162 raise Exception("Unexpected portControl value: " + status['portControl'])
2163 if 'eap_session_id' not in status:
2164 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2165 if not status['eap_session_id'].startswith("19"):
2166 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2168 def test_ap_wpa2_eap_interactive(dev, apdev):
2169 """WPA2-Enterprise connection using interactive identity/password entry"""
2170 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2171 hostapd.add_ap(apdev[0]['ifname'], params)
2172 hapd = hostapd.Hostapd(apdev[0]['ifname'])
2174 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2175 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2177 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2178 "TTLS", "ttls", None, "auth=MSCHAPV2",
2179 "DOMAIN\mschapv2 user", "password"),
2180 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2181 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2182 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2183 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2184 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2185 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2186 ("Connection with dynamic PEAP/EAP-GTC password entry",
2187 "PEAP", None, "user", "auth=GTC", None, "password") ]
2188 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2190 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2191 anonymous_identity=anon, identity=identity,
2192 ca_cert="auth_serv/ca.pem", phase2=phase2,
2193 wait_connect=False, scan_freq="2412")
2195 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2197 raise Exception("Request for identity timed out")
2198 id = ev.split(':')[0].split('-')[-1]
2199 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2200 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2202 raise Exception("Request for password timed out")
2203 id = ev.split(':')[0].split('-')[-1]
2204 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2205 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2206 dev[0].wait_connected(timeout=10)
2207 dev[0].request("REMOVE_NETWORK all")
2209 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2210 """WPA2-Enterprise connection using EAP vendor test"""
2211 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2212 hostapd.add_ap(apdev[0]['ifname'], params)
2213 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2214 eap_reauth(dev[0], "VENDOR-TEST")
2215 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    # fast_provisioning=1 enables unauthenticated PAC provisioning; the PAC
    # ends up in the "fast_pac" blob. The first connection provisions, the
    # re-authentication must then resume via the PAC (tls_session_reused).
    # NOTE(review): unauthenticated provisioning is, by design of EAP-FAST,
    # the mode in which the initial provisioning tunnel is not tied to a
    # server credential - a known weakness; this test checks the mechanics
    # only, not resistance to a rogue provisioning server.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2232 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2233 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2234 check_eap_capa(dev[0], "FAST")
2235 pac_file = os.path.join(params['logdir'], "fast.pac")
2236 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
2237 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2238 hostapd.add_ap(apdev[0]['ifname'], params)
2241 eap_connect(dev[0], apdev[0], "FAST", "user",
2242 anonymous_identity="FAST", password="password",
2243 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2244 phase1="fast_provisioning=1", pac_file=pac_file)
2245 with open(pac_file, "r") as f:
2247 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2248 raise Exception("PAC file header missing")
2249 if "PAC-Key=" not in data:
2250 raise Exception("PAC-Key missing from PAC file")
2251 dev[0].request("REMOVE_NETWORK all")
2252 eap_connect(dev[0], apdev[0], "FAST", "user",
2253 anonymous_identity="FAST", password="password",
2254 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2257 eap_connect(dev[1], apdev[0], "FAST", "user",
2258 anonymous_identity="FAST", password="password",
2259 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2260 phase1="fast_provisioning=1 fast_pac_format=binary",
2262 dev[1].request("REMOVE_NETWORK all")
2263 eap_connect(dev[1], apdev[0], "FAST", "user",
2264 anonymous_identity="FAST", password="password",
2265 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2266 phase1="fast_pac_format=binary",
2274 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    # Unauthenticated provisioning with the PAC stored in binary format in
    # the "fast_pac_bin" blob and the PAC list capped at one entry; the
    # re-authentication must resume via the provisioned PAC.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    fast_opts = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_opts,
                pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
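def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    # Neither attempt enables provisioning (no fast_provisioning in phase1):
    # the first points pac_file at a blob that presumably holds no usable
    # PAC, the second omits pac_file entirely. Both must end in EAP failure;
    # the supplicant must not silently fall back to provisioning a PAC.
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    common = dict(key_mgmt="WPA-EAP", eap="FAST", identity="user",
                  anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **common)
    # No explicit timeout: wait_event's default applies.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", **common)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")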
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    # fast_provisioning=2 selects authenticated provisioning (the server is
    # validated against ca_cert during provisioning) with EAP-GTC inside
    # the tunnel; the PAC lands in the "fast_pac_auth" blob and the
    # re-authentication must resume via it.
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2332 def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
2333 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2334 check_eap_capa(dev[0], "FAST")
2335 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2336 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2337 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2338 anonymous_identity="FAST", password="password",
2339 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
2340 phase1="fast_provisioning=2",
2341 pac_file="blob://fast_pac_auth")
2342 dev[0].set_network_quoted(id, "identity", "user2")
2343 dev[0].wait_disconnected()
2344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
2346 raise Exception("EAP-FAST not started")
2347 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
2349 raise Exception("EAP failure not reported")
2350 dev[0].wait_disconnected()
2352 def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
2353 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2354 check_eap_capa(dev[0], "FAST")
2355 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2356 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2357 with alloc_fail(dev[0], 2, "openssl_tls_prf"):
2358 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
2359 identity="user", anonymous_identity="FAST",
2360 password="password", ca_cert="auth_serv/ca.pem",
2362 phase1="fast_provisioning=2",
2363 pac_file="blob://fast_pac_auth",
2364 wait_connect=False, scan_freq="2412")
2365 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
2367 raise Exception("EAP failure not reported")
2368 dev[0].request("DISCONNECT")
2370 def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
2371 """EAP-FAST/MSCHAPv2 and server OOM"""
2372 check_eap_capa(dev[0], "FAST")
2374 params = int_eap_server_params()
2375 params['dh_file'] = 'auth_serv/dh.conf'
2376 params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2377 params['eap_fast_a_id'] = '1011'
2378 params['eap_fast_a_id_info'] = 'another test server'
2379 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2381 with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
2382 id = eap_connect(dev[0], apdev[0], "FAST", "user",
2383 anonymous_identity="FAST", password="password",
2384 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2385 phase1="fast_provisioning=1",
2386 pac_file="blob://fast_pac",
2387 expect_failure=True)
2388 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2390 raise Exception("No EAP failure reported")
2391 dev[0].wait_disconnected()
2392 dev[0].request("DISCONNECT")
2394 dev[0].select_network(id, freq="2412")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS with a required OCSP check"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2 makes the supplicant require a valid stapled OCSP response for
    # the server certificate; with the default server setup the connection
    # is still expected to complete.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
2404 def int_eap_server_params():
2405 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2406 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2407 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2408 "ca_cert": "auth_serv/ca.pem",
2409 "server_cert": "auth_serv/server.pem",
2410 "private_key": "auth_serv/server.key" }
2413 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
2414 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2415 params = int_eap_server_params()
2416 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2417 hostapd.add_ap(apdev[0]['ifname'], params)
2418 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2419 identity="tls user", ca_cert="auth_serv/ca.pem",
2420 private_key="auth_serv/user.pkcs12",
2421 private_key_passwd="whatever", ocsp=2,
2422 wait_connect=False, scan_freq="2412")
2425 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2427 raise Exception("Timeout on EAP status")
2428 if 'bad certificate status response' in ev:
2432 raise Exception("Unexpected number of EAP status messages")
2434 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2436 raise Exception("Timeout on EAP failure report")
2438 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
2439 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2440 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
2441 if not os.path.exists(ocsp):
2442 raise HwsimSkip("No OCSP response available")
2443 params = int_eap_server_params()
2444 params["ocsp_stapling_response"] = ocsp
2445 hostapd.add_ap(apdev[0]['ifname'], params)
2446 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2447 identity="pap user", ca_cert="auth_serv/ca.pem",
2448 anonymous_identity="ttls", password="password",
2449 phase2="auth=PAP", ocsp=2,
2450 wait_connect=False, scan_freq="2412")
2453 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2455 raise Exception("Timeout on EAP status")
2456 if 'bad certificate status response' in ev:
2458 if 'certificate revoked' in ev:
2462 raise Exception("Unexpected number of EAP status messages")
2464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2466 raise Exception("Timeout on EAP failure report")
2468 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
2469 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2470 ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
2471 if not os.path.exists(ocsp):
2472 raise HwsimSkip("No OCSP response available")
2473 params = int_eap_server_params()
2474 params["ocsp_stapling_response"] = ocsp
2475 hostapd.add_ap(apdev[0]['ifname'], params)
2476 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2477 identity="pap user", ca_cert="auth_serv/ca.pem",
2478 anonymous_identity="ttls", password="password",
2479 phase2="auth=PAP", ocsp=2,
2480 wait_connect=False, scan_freq="2412")
2483 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2485 raise Exception("Timeout on EAP status")
2486 if 'bad certificate status response' in ev:
2490 raise Exception("Unexpected number of EAP status messages")
2492 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2494 raise Exception("Timeout on EAP failure report")
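def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown"""
    # The "unknown" stapled response is expected to already exist in the log
    # directory (presumably produced elsewhere in the suite — confirm); skip
    # rather than fail when it is absent.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    # Use a distinct name for the AP configuration so the test-framework
    # 'params' argument (logdir etc.) is not rebound.
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # ocsp=1 only requests stapling: an "unknown" certificate status must not
    # block the connection, so connect() is left to wait for completion here
    # (the ocsp=2 variant of this test instead expects an EAP failure).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")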
2509 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
2510 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2511 params = int_eap_server_params()
2512 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2513 params["private_key"] = "auth_serv/server-no-dnsname.key"
2514 hostapd.add_ap(apdev[0]['ifname'], params)
2515 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2516 identity="tls user", ca_cert="auth_serv/ca.pem",
2517 private_key="auth_serv/user.pkcs12",
2518 private_key_passwd="whatever",
2519 domain_suffix_match="server3.w1.fi",
2522 def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
2523 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2524 params = int_eap_server_params()
2525 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2526 params["private_key"] = "auth_serv/server-no-dnsname.key"
2527 hostapd.add_ap(apdev[0]['ifname'], params)
2528 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2529 identity="tls user", ca_cert="auth_serv/ca.pem",
2530 private_key="auth_serv/user.pkcs12",
2531 private_key_passwd="whatever",
2532 domain_match="server3.w1.fi",
2535 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
2536 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2537 check_domain_match_full(dev[0])
2538 params = int_eap_server_params()
2539 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2540 params["private_key"] = "auth_serv/server-no-dnsname.key"
2541 hostapd.add_ap(apdev[0]['ifname'], params)
2542 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2543 identity="tls user", ca_cert="auth_serv/ca.pem",
2544 private_key="auth_serv/user.pkcs12",
2545 private_key_passwd="whatever",
2546 domain_suffix_match="w1.fi",
2549 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
2550 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2551 params = int_eap_server_params()
2552 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2553 params["private_key"] = "auth_serv/server-no-dnsname.key"
2554 hostapd.add_ap(apdev[0]['ifname'], params)
2555 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2556 identity="tls user", ca_cert="auth_serv/ca.pem",
2557 private_key="auth_serv/user.pkcs12",
2558 private_key_passwd="whatever",
2559 domain_suffix_match="example.com",
2562 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2563 identity="tls user", ca_cert="auth_serv/ca.pem",
2564 private_key="auth_serv/user.pkcs12",
2565 private_key_passwd="whatever",
2566 domain_suffix_match="erver3.w1.fi",
2569 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2571 raise Exception("Timeout on EAP failure report")
2572 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2574 raise Exception("Timeout on EAP failure report (2)")
2576 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
2577 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2578 params = int_eap_server_params()
2579 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
2580 params["private_key"] = "auth_serv/server-no-dnsname.key"
2581 hostapd.add_ap(apdev[0]['ifname'], params)
2582 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2583 identity="tls user", ca_cert="auth_serv/ca.pem",
2584 private_key="auth_serv/user.pkcs12",
2585 private_key_passwd="whatever",
2586 domain_match="example.com",
2589 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
2590 identity="tls user", ca_cert="auth_serv/ca.pem",
2591 private_key="auth_serv/user.pkcs12",
2592 private_key_passwd="whatever",
2593 domain_match="w1.fi",
2596 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2598 raise Exception("Timeout on EAP failure report")
2599 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2601 raise Exception("Timeout on EAP failure report (2)")
2603 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
2604 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2605 params = int_eap_server_params()
2606 params["server_cert"] = "auth_serv/server-expired.pem"
2607 params["private_key"] = "auth_serv/server-expired.key"
2608 hostapd.add_ap(apdev[0]['ifname'], params)
2609 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2610 identity="mschap user", password="password",
2611 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2614 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2616 raise Exception("Timeout on EAP certificate error report")
2617 if "reason=4" not in ev or "certificate has expired" not in ev:
2618 raise Exception("Unexpected failure reason: " + ev)
2619 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2621 raise Exception("Timeout on EAP failure report")
2623 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
2624 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2625 params = int_eap_server_params()
2626 params["server_cert"] = "auth_serv/server-expired.pem"
2627 params["private_key"] = "auth_serv/server-expired.key"
2628 hostapd.add_ap(apdev[0]['ifname'], params)
2629 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2630 identity="mschap user", password="password",
2631 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2632 phase1="tls_disable_time_checks=1",
2635 def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
2636 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2637 params = int_eap_server_params()
2638 params["server_cert"] = "auth_serv/server-long-duration.pem"
2639 params["private_key"] = "auth_serv/server-long-duration.key"
2640 hostapd.add_ap(apdev[0]['ifname'], params)
2641 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2642 identity="mschap user", password="password",
2643 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2646 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
2647 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
2648 params = int_eap_server_params()
2649 params["server_cert"] = "auth_serv/server-eku-client.pem"
2650 params["private_key"] = "auth_serv/server-eku-client.key"
2651 hostapd.add_ap(apdev[0]['ifname'], params)
2652 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2653 identity="mschap user", password="password",
2654 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2657 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2659 raise Exception("Timeout on EAP failure report")
2661 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
2662 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
2663 params = int_eap_server_params()
2664 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
2665 params["private_key"] = "auth_serv/server-eku-client-server.key"
2666 hostapd.add_ap(apdev[0]['ifname'], params)
2667 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2668 identity="mschap user", password="password",
2669 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2672 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
2673 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
2674 params = int_eap_server_params()
2675 del params["server_cert"]
2676 params["private_key"] = "auth_serv/server.pkcs12"
2677 hostapd.add_ap(apdev[0]['ifname'], params)
2678 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2679 identity="mschap user", password="password",
2680 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with client-side DH params file"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # dh_file points the supplicant at its own DH parameters instead of the
    # TLS library defaults; the CA certificate is given in DER form here.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS with client-side DH params from a DSA file"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the plain dh_file case, but the parameters come from a DSA
    # parameter file rather than a DH one.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dsaparam.pem")
2701 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
2702 """EAP-TTLS and DH params file not found"""
2703 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2704 hostapd.add_ap(apdev[0]['ifname'], params)
2705 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2706 identity="mschap user", password="password",
2707 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2708 dh_file="auth_serv/dh-no-such-file.conf",
2709 scan_freq="2412", wait_connect=False)
2710 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2712 raise Exception("EAP failure timed out")
2713 dev[0].request("REMOVE_NETWORK all")
2714 dev[0].wait_disconnected()
2716 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
2717 """EAP-TTLS and invalid DH params file"""
2718 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2719 hostapd.add_ap(apdev[0]['ifname'], params)
2720 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2721 identity="mschap user", password="password",
2722 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2723 dh_file="auth_serv/ca.pem",
2724 scan_freq="2412", wait_connect=False)
2725 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2727 raise Exception("EAP failure timed out")
2728 dev[0].request("REMOVE_NETWORK all")
2729 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP with DH params supplied as a blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # read_pem() base64-decodes the PEM body, so this is the DER encoding; the
    # control interface wants the blob as a hex string. hexlify() is the
    # Python 2 equivalent of str.encode("hex") (this file is Python 2 code).
    dh_der = read_pem("auth_serv/dh2.conf")
    set_cmd = "SET blob dhparams " + binascii.hexlify(dh_der)
    if "OK" not in dev[0].request(set_cmd):
        raise Exception("Could not set dhparams blob")
    # Reference the in-memory blob instead of a file on disk.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with alternative DH params on the server"""
    ap_params = int_eap_server_params()
    # Server-side counterpart of the client dh_file tests: hostapd's
    # integrated EAP server loads its DH parameters from this file.
    ap_params["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS with alternative server DH params from a DSA file"""
    ap_params = int_eap_server_params()
    # Same as the server dh_file case, but with DSA parameters.
    ap_params["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """hostapd EAP server and dhparams file not found"""
    # NOTE(review): a test with this exact name is defined earlier in this
    # file (the client-side dh_file variant). Python keeps only the last
    # binding of a module-level name, so this definition shadows that one and
    # the earlier test is never collected; one of the two should be renamed.
    ap_params = int_eap_server_params()
    ap_params["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # no_enable=True is assumed to defer enabling the interface so that the
    # ENABLE result can be inspected here (see hostapd.add_ap).
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    # A missing dhparams file must be rejected when the AP is enabled.
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """hostapd EAP server and invalid dhparams file"""
    # NOTE(review): this name is also used by an earlier definition in this
    # file (the client-side dh_file variant), which this one shadows; the
    # earlier test is therefore never collected. Rename one of them.
    ap_params = int_eap_server_params()
    # A CA certificate is deliberately given where DH parameters are expected.
    ap_params["dh_file"] = "auth_serv/ca.pem"
    # no_enable=True is assumed to defer enabling the interface so that the
    # ENABLE result can be inspected here (see hostapd.add_ap).
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params, no_enable=True)
    # Unparseable dhparams must be rejected when the AP is enabled.
    if "FAIL" not in hapd.request("ENABLE"):
        raise Exception("Invalid configuration accepted")
2777 def test_ap_wpa2_eap_reauth(dev, apdev):
2778 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2779 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2780 params['eap_reauth_period'] = '2'
2781 hostapd.add_ap(apdev[0]['ifname'], params)
2782 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
2783 password_hex="0123456789abcdef0123456789abcdef")
2784 logger.info("Wait for reauthentication")
2785 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2787 raise Exception("Timeout on reauthentication")
2788 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2790 raise Exception("Timeout on reauthentication")
2791 for i in range(0, 20):
2792 state = dev[0].get_status_field("wpa_state")
2793 if state == "COMPLETED":
2796 if state != "COMPLETED":
2797 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # hostapd's eap_message carries the displayable text followed, after a
    # NUL, by the options field (RFC 3748 section 5.1 layout). The "\\0" in
    # this Python literal is the two characters backslash and zero as written
    # in the hostapd config, not a Python NUL byte.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The message is informational only; authentication must still complete.
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA/AKA' with protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Let the server offer protected success/failure result indications.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password) for each method under test. The password
    # strings are test-only subscriber secrets consumed by the hlr_auc_gw
    # backend (assumed Ki:OPc[:SQN] in hex — confirm against its database).
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Drop the previous round's profiles before switching method.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] asks for result indications and then reauthenticates;
        # dev[1] authenticates without them against the same server.
        eap_connect(dev[0], apdev[0], method, identity,
                    password=password, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)
2842 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2843 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2844 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2845 hostapd.add_ap(apdev[0]['ifname'], params)
2846 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2847 eap="TTLS", identity="mschap user",
2848 wait_connect=False, scan_freq="2412", ieee80211w="1",
2849 anonymous_identity="ttls", password="password",
2850 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2852 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2854 raise Exception("EAP roundtrip limit not reached")
2856 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2857 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2858 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2859 hostapd.add_ap(apdev[0]['ifname'], params)
2860 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2861 eap="PSK", identity="vendor-test",
2862 password_hex="ff23456789abcdef0123456789abcdef",
2866 for i in range(0, 5):
2867 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2869 raise Exception("Association and EAP start timed out")
2870 if "refuse proposed method" in ev:
2874 raise Exception("Unexpected EAP status: " + ev)
2876 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2878 raise Exception("EAP failure timed out")
2880 def test_ap_wpa2_eap_sql(dev, apdev, params):
2881 """WPA2-Enterprise connection using SQLite for user DB"""
2885 raise HwsimSkip("No sqlite3 module available")
2886 dbfile = os.path.join(params['logdir'], "eap-user.db")
2891 con = sqlite3.connect(dbfile)
2894 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2895 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2896 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2897 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2898 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2899 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2900 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2901 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2904 params = int_eap_server_params()
2905 params["eap_user_file"] = "sqlite:" + dbfile
2906 hostapd.add_ap(apdev[0]['ifname'], params)
2907 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
2908 anonymous_identity="ttls", password="password",
2909 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
2910 dev[0].request("REMOVE_NETWORK all")
2911 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
2912 anonymous_identity="ttls", password="password",
2913 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
2914 dev[1].request("REMOVE_NETWORK all")
2915 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
2916 anonymous_identity="ttls", password="password",
2917 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
2918 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
2919 anonymous_identity="ttls", password="password",
2920 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2924 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
2925 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2926 params = int_eap_server_params()
2927 hostapd.add_ap(apdev[0]['ifname'], params)
2928 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2929 identity="\x80", password="password", wait_connect=False)
2930 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2931 identity="a\x80", password="password", wait_connect=False)
2932 for i in range(0, 2):
2933 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2935 raise Exception("Association and EAP start timed out")
2936 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2938 raise Exception("EAP method selection timed out")
2940 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
2941 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2942 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2943 hostapd.add_ap(apdev[0]['ifname'], params)
2944 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2945 identity="\x80", password="password", wait_connect=False)
2946 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2947 identity="a\x80", password="password", wait_connect=False)
2948 for i in range(0, 2):
2949 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2951 raise Exception("Association and EAP start timed out")
2952 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2954 raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # openssl_ciphers is an OpenSSL cipher-list string, so only that TLS
    # backend can run this test.
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Restricting the client to AES128 suites still overlaps with the server
    # and must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                openssl_ciphers="AES128")
    # Offering only export-grade suites is expected to be refused (no suite
    # in common with the server), so EAP must fail rather than downgrade.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                openssl_ciphers="EXPORT", expect_failure=True)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # Both ends must be OpenSSL-based: the cipher strings below are OpenSSL
    # cipher-list syntax on the client and the server alike.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    # Pin the integrated EAP server to AES256 suites only.
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # Network settings shared by the three client attempts below.
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client cipher list: overlaps with AES256, connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # Client limited to AES128: nothing in common with an AES256-only server,
    # so the TLS handshake cannot complete and EAP must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH still contains AES256 suites (and excludes anonymous DH), so
    # this overlaps with the server and connects.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
2997 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
2998 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
2999 p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3000 hapd = hostapd.add_ap(apdev[0]['ifname'], p)
3001 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3002 pid = find_wpas_process(dev[0])
3003 id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
3004 anonymous_identity="ttls", password=password,
3005 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
3007 buf = read_process_memory(pid, password)
3009 dev[0].request("DISCONNECT")
3010 dev[0].wait_disconnected()
3018 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
3019 for l in f.readlines():
3020 if "EAP-TTLS: Derived key - hexdump" in l:
3021 val = l.strip().split(':')[3].replace(' ', '')
3022 msk = binascii.unhexlify(val)
3023 if "EAP-TTLS: Derived EMSK - hexdump" in l:
3024 val = l.strip().split(':')[3].replace(' ', '')
3025 emsk = binascii.unhexlify(val)
3026 if "WPA: PMK - hexdump" in l:
3027 val = l.strip().split(':')[3].replace(' ', '')
3028 pmk = binascii.unhexlify(val)
3029 if "WPA: PTK - hexdump" in l:
3030 val = l.strip().split(':')[3].replace(' ', '')
3031 ptk = binascii.unhexlify(val)
3032 if "WPA: Group Key - hexdump" in l:
3033 val = l.strip().split(':')[3].replace(' ', '')
3034 gtk = binascii.unhexlify(val)
3035 if not msk or not emsk or not pmk or not ptk or not gtk:
3036 raise Exception("Could not find keys from debug log")
3038 raise Exception("Unexpected GTK length")
3044 fname = os.path.join(params['logdir'],
3045 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3047 logger.info("Checking keys in memory while associated")
3048 get_key_locations(buf, password, "Password")
3049 get_key_locations(buf, pmk, "PMK")
3050 get_key_locations(buf, msk, "MSK")
3051 get_key_locations(buf, emsk, "EMSK")
3052 if password not in buf:
3053 raise HwsimSkip("Password not found while associated")
3055 raise HwsimSkip("PMK not found while associated")
3057 raise Exception("KCK not found while associated")
3059 raise Exception("KEK not found while associated")
3061 raise Exception("TK found from memory")
3063 raise Exception("GTK found from memory")
3065 logger.info("Checking keys in memory after disassociation")
3066 buf = read_process_memory(pid, password)
3068 # Note: Password is still present in network configuration
3069 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3071 get_key_locations(buf, password, "Password")
3072 get_key_locations(buf, pmk, "PMK")
3073 get_key_locations(buf, msk, "MSK")
3074 get_key_locations(buf, emsk, "EMSK")
3075 verify_not_present(buf, kck, fname, "KCK")
3076 verify_not_present(buf, kek, fname, "KEK")
3077 verify_not_present(buf, tk, fname, "TK")
3078 verify_not_present(buf, gtk, fname, "GTK")
3080 dev[0].request("PMKSA_FLUSH")
3081 dev[0].set_network_quoted(id, "identity", "foo")
3082 logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3083 buf = read_process_memory(pid, password)
3084 get_key_locations(buf, password, "Password")
3085 get_key_locations(buf, pmk, "PMK")
3086 get_key_locations(buf, msk, "MSK")
3087 get_key_locations(buf, emsk, "EMSK")
3088 verify_not_present(buf, pmk, fname, "PMK")
3090 dev[0].request("REMOVE_NETWORK all")
3092 logger.info("Checking keys in memory after network profile removal")
3093 buf = read_process_memory(pid, password)
3095 get_key_locations(buf, password, "Password")
3096 get_key_locations(buf, pmk, "PMK")
3097 get_key_locations(buf, msk, "MSK")
3098 get_key_locations(buf, emsk, "EMSK")
3099 verify_not_present(buf, password, fname, "password")
3100 verify_not_present(buf, pmk, fname, "PMK")
3101 verify_not_present(buf, kck, fname, "KCK")
3102 verify_not_present(buf, kek, fname, "KEK")
3103 verify_not_present(buf, tk, fname, "TK")
3104 verify_not_present(buf, gtk, fname, "GTK")
3105 verify_not_present(buf, msk, fname, "MSK")
3106 verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    # Bring up the AP and complete a normal EAP-TTLS/PAP association first, so
    # the injected frame arrives on an already-authenticated link.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    # Send unexpected WEP EAPOL-Key; this gets dropped
    # EAPOL_RX injects a raw EAPOL frame through the control interface as if it
    # had been received from bssid. The payload appears to be an EAPOL-Key
    # frame (version 2, type 3, length 0x2c) with descriptor type 1, i.e. the
    # legacy RC4/WEP key descriptor -- which has no business on a WPA2 link
    # and must be discarded rather than processed.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the listing skips gutter line 3119 here; the condition that
    # guards this raise (presumably a check on res) is not visible.
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # NOTE(review): gutter lines 3124-3126 are missing from this listing; the
    # definitions of ifname and br_ifname used below, and presumably the try:
    # that pairs with the cleanup, are not visible.
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # NOTE(review): gutter line 3128 is missing (presumably the finally: header).
    # Cleanup: take the bridge down, detach the station interface, delete the
    # bridge and turn 4addr mode back off. subprocess.call (not check_call) is
    # used so that a step failing on partially set-up state does not abort the
    # remaining teardown -- presumably deliberate; confirm against the helper.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge: bridge set-up and the EAP-PAX run"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): gutter lines 3137-3139 are missing from this listing; ifname
    # and br_ifname are used below but are not defined in the visible lines.
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Create the bridge with forwarding delay 0, bring it up, enable 4addr
    # (WDS) mode on the station interface -- needed for a wireless STA to carry
    # bridged traffic -- and enslave it. Only addif is check_call'd: if that
    # step fails the rest of the test would be meaningless.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    # Tell wpa_supplicant which bridge the interface belongs to so EAPOL frames
    # are handled on the bridged interface.
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # NOTE(review): gutter line 3147 is missing (likely blank).
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    # Full disconnect/reconnect cycle over the bridged interface.
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Sanity check: the AP must advertise plain WPA-EAP as its first AKM.
    akm_list = ap.get_config()['key_mgmt']
    first_akm = akm_list.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + akm_list)

    # tls_disable_session_ticket=0 leaves TLS session ticket support enabled on
    # the supplicant side; the reauthentication afterwards presumably exercises
    # the ticket-based resumption path.
    ttls_args = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem",
                     phase1="tls_disable_session_ticket=0",
                     phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_args)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check: the AP must advertise plain WPA-EAP as its first AKM.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' turns off the supplicant's interoperability workarounds
    # for non-compliant EAP servers (see wpa_supplicant.conf), so the exchange
    # has to succeed with strict protocol behaviour.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): gutter line 3181 is missing from this listing; the rest of
    # this eap_connect call (presumably the phase2 argument and the closing
    # parenthesis) is not visible.
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    params = int_eap_server_params()
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): gutter line 3189 is missing from this listing (likely blank).

    # check_crl=1 and no CRL available --> reject connection
    # The server is presumably configured with a CA but no CRL at this point;
    # with CRL checking enabled, a missing CRL is a verification failure, so
    # the otherwise valid client certificate must be rejected.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): gutter lines 3195-3196 are missing; the AP reconfiguration
    # steps surrounding the ca_cert change are not visible.
    # Switch the server to a CA bundle that also carries a CRL.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # NOTE(review): gutter lines 3198-3199 are missing.

    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): gutter lines 3205-3206 are missing.
    # check_crl=2 extends the CRL check from the user certificate alone to
    # every certificate in the chain (hostapd.conf semantics -- confirm).
    hapd.set("check_crl", "2")
    # NOTE(review): gutter lines 3208-3209 are missing.

    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM"""
    # The matching options used below are only supported with OpenSSL; these
    # helpers raise HwsimSkip on other TLS libraries.
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match_full(dev[0])
    # NOTE(review): gutter line 3221 is missing from this listing (likely blank).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): gutter line 3224 is missing (likely blank).
    # Each entry fails the count-th allocation inside the named function
    # (alloc_fail semantics -- see utils); the four counts presumably cover the
    # allocations made while applying the subject-match options.
    tests = [ (1, "tls_connection_set_subject_match"),
              (2, "tls_connection_set_subject_match"),
              (3, "tls_connection_set_subject_match"),
              (4, "tls_connection_set_subject_match") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            # i.e. the failed allocation must surface as a configuration error
            # (a passphrase request), not as a crash or a silent success.
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # NOTE(review): gutter line 3242 is missing; the condition guarding
            # this raise (presumably a check that ev is None) is not visible.
            raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()