1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-level logger used by the tests below for progress messages
# (logger.info(...)); the root logger is requested, i.e. no module name is given.
logger = logging.getLogger()
22 from utils import HwsimSkip, alloc_fail, fail_test, skip_with_fips, wait_fail_trigger
23 from wpasupplicant import WpaSupplicant
24 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations, set_test_assoc_ie
# NOTE(review): the try/except lines that surround these two assignments are
# missing from this listing; in the original they record whether the Python
# OpenSSL binding could be imported (presumably used further down to gate
# tests that inspect certificates — confirm against the callers).
openssl_imported = True
# (assignment from the except branch of the elided try)
openssl_imported = False
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA tests need the HLR/AuC gateway listening on
    /tmp/hlr_auc_gw.sock; when it is absent the test is skipped (HwsimSkip)
    rather than failed.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test unless the supplicant build advertises EAP ``method``.

    The capability list comes from ``GET_CAPABILITY eap`` on ``dev``.
    """
    res = dev.get_capability("eap")
    # NOTE(review): the guard line (presumably a membership test of ``method``
    # in ``res``, matching the message below) is missing from this listing;
    # the raise belongs under it.
        raise HwsimSkip("EAP method %s not supported in the build" % method)
def check_subject_match_support(dev):
    """Skip unless ``dev``'s TLS backend name starts with "OpenSSL".

    ``subject_match`` is only exercised against OpenSSL; any other library
    string reported by ``GET tls_library`` results in HwsimSkip.
    """
    backend = dev.request("GET tls_library")
    if backend.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + backend)
def check_altsubject_match_support(dev):
    """Skip unless ``dev`` reports an OpenSSL TLS backend.

    Mirrors check_subject_match_support() for the ``altsubject_match``
    network parameter: non-OpenSSL backends raise HwsimSkip.
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("altsubject_match not supported with this TLS library: " + lib)
def check_domain_match(dev):
    """Skip when ``dev`` uses the internal TLS implementation.

    ``domain_match`` is not implemented by the internal TLS library; every
    other backend string returned by ``GET tls_library`` is accepted.
    """
    lib = dev.request("GET tls_library")
    if not lib.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + lib)
def check_domain_suffix_match(dev):
    """Skip when ``dev`` uses the internal TLS implementation.

    Same rule as check_domain_match(), for the ``domain_suffix_match``
    network parameter.
    """
    lib = dev.request("GET tls_library")
    is_internal = lib.startswith("internal")
    if is_internal:
        raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + lib)
def check_domain_match_full(dev):
    """Skip unless ``dev`` reports an OpenSSL TLS backend.

    Used by tests that rely on ``domain_suffix_match`` accepting a suffix
    (rather than only a full match), which the message below attributes to
    OpenSSL only.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + lib)
def check_cert_probe_support(dev):
    """Skip unless ``dev``'s TLS backend is OpenSSL or the internal library.

    Certificate probing is accepted for those two backend prefixes only.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + lib)
def check_ext_cert_check_support(dev):
    """Skip unless ``dev`` reports an OpenSSL TLS backend.

    External certificate checking (``ext_cert_check``) is only exercised
    with OpenSSL.
    """
    lib = dev.request("GET tls_library")
    supported = lib.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip("ext_cert_check not supported with this TLS library: " + lib)
def check_ocsp_support(dev):
    """Placeholder capability check for OCSP tests; currently never skips.

    The backend string is still queried so the control-interface round trip
    happens exactly as before, but no backend is rejected: the earlier
    skips for the internal library and BoringSSL are disabled.  Re-add a
    HwsimSkip here if a backend without OCSP support is wired into the
    test runner.
    """
    dev.request("GET tls_library")
def check_ocsp_multi_support(dev):
    """Skip unless both ends use the internal TLS library.

    ``ocsp_multi`` is only accepted when ``dev`` reports the internal
    backend and the authentication server (the ``as`` hostapd instance)
    reports the same via its own ``GET tls_library``.
    """
    peer_lib = dev.request("GET tls_library")
    if not peer_lib.startswith("internal"):
        raise HwsimSkip("OCSP-multi not supported with this TLS library: " + peer_lib)
    server_lib = hostapd.Hostapd("as").request("GET tls_library")
    if not server_lib.startswith("internal"):
        raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Placeholder capability check for PKCS#12 tests; currently never skips.

    The TLS backend is queried for parity with the other check_* helpers,
    but the former skip for the internal library is disabled, so every
    backend is accepted.
    """
    dev.request("GET tls_library")
def check_dh_dsa_support(dev):
    """Skip when ``dev`` uses the internal TLS implementation.

    DSA-signed DH parameters are not handled by the internal library; any
    other backend passes.
    """
    lib = dev.request("GET tls_library")
    if lib.startswith("internal"):
        raise HwsimSkip("DH DSA not supported with this TLS library: " + lib)
    return None
104 with open(fname, "r") as f:
105 lines = f.readlines()
113 if "-----BEGIN" in l:
115 return base64.b64decode(cert)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                maybe_local_error=False, **kwargs):
    """Connect ``dev`` to the test-wpa2-eap AP with EAP ``method`` and check the exchange.

    The network block offers both WPA-EAP and WPA-EAP-SHA256 AKMs and sets
    ieee80211w="1" (PMF enabled but not required), so the test can run with
    either key management variant; the expected one is selected via
    ``sha256``.  Extra keyword arguments (password, phase1,
    anonymous_identity, ...) are forwarded to dev.connect().  The EAP and
    port-authorization checks are delegated to eap_check_auth(); finally the
    AP side must report AP-STA-CONNECTED within 5 s.

    NOTE(review): a few short lines of this function are missing from this
    listing — the continuation of the connect() call that forwards
    ``**kwargs``, the early return for ``expect_failure``, the
    ``if ev is None:`` guard before the last raise, and the final
    ``return``.  Consult the original file before running it.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # `id` shadows the builtin; it holds the network id returned by connect().
    id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                     eap=method, identity=identity,
                     wait_connect=False, scan_freq="2412", ieee80211w="1",
    # (elided: closing argument line forwarding **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report,
                   maybe_local_error=maybe_local_error)
    # (elided: early return when a failure was expected)
    # Supplicant-side success is not enough: hostapd must also have seen the
    # STA complete association.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    # (elided: `if ev is None:` guard)
        raise Exception("No connection event received from hostapd")
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False,
                   maybe_local_error=False):
    """Verify one EAP exchange on ``dev`` from EAP start through port authorization.

    Arguments:
      dev: the WpaSupplicant instance under test.
      method: EAP method name that must appear in the CTRL-EVENT-EAP-METHOD
        event and later in the ``selectedMethod`` status field.
      initial: True for a fresh association (wait for CTRL-EVENT-CONNECTED),
        False for a reauthentication (wait for "WPA: Key negotiation
        completed").
      rsn, sha256: pick the expected ``key_mgmt`` status string
        (WPA2-EAP-SHA256, WPA2/IEEE 802.1X/EAP or WPA/IEEE 802.1X/EAP).
      expect_failure: the exchange must end in CTRL-EVENT-EAP-FAILURE
        followed by a disconnection.
      local_error_report: when True, the disconnect event is not required
        to carry reason=23.
      maybe_local_error: tolerate an early EAP failure / a locally generated
        disconnect instead of treating it as a test error.

    Raises Exception on any timeout or mismatch.

    NOTE(review): several short lines are missing from this listing — each
    ``if ev is None:`` guard before a "timed out" raise, the early
    ``return`` statements, and the branch headers for ``expect_failure``,
    ``initial``/``else`` and ``sha256``/``rsn``/``else``.  Lines that belong
    under an elided header are shown one indent deeper.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        raise Exception("Association and EAP start timed out")
    ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD",
                         "CTRL-EVENT-EAP-FAILURE"], timeout=10)
        raise Exception("EAP method selection timed out")
    if "CTRL-EVENT-EAP-FAILURE" in ev:
        if maybe_local_error:
            # (elided: return — an early failure is acceptable here)
        raise Exception("Could not select EAP method")
    # (elided: guard comparing ``method`` against the EAP-METHOD event)
        raise Exception("Unexpected EAP method")
    # (elided: `if expect_failure:` — the block below presumably runs only
    # when a failure is the expected outcome)
        # No timeout argument here: relies on wait_event()'s default.
        ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
            raise Exception("EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        if maybe_local_error and "locally_generated=1" in ev:
            # (elided: return — a locally generated disconnect is acceptable)
        if not local_error_report:
            # The AP must deauthenticate with reason code 23 (IEEE 802.1X
            # authentication failed in the IEEE 802.11 reason table — confirm
            # against the spec) rather than some generic reason.
            if "reason=23" not in ev:
                raise Exception("Proper reason code for disconnection not reported")
        # (elided: return)
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        raise Exception("EAP success timed out")
    # (elided: `if initial:` / `else:` selecting which completion event to wait for)
        ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
        raise Exception("Association with the AP timed out")
    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # EAP success alone is not enough: the 802.1X controlled port must have
    # been opened by the supplicant state machine.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if "selectedMethod" not in status:
        logger.info("Status: " + str(status))
        raise Exception("No selectedMethod in status")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    # (elided: `if sha256:` / `elif rsn:` / `else:` headers)
        e = "WPA2-EAP-SHA256"
        e = "WPA2/IEEE 802.1X/EAP"
        e = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != e:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger an EAP reauthentication on ``dev`` and verify it like eap_check_auth().

    Sends REAUTHENTICATE over the control interface and then runs
    eap_check_auth() with ``initial=False`` so that completion is detected
    via the "WPA: Key negotiation completed" event rather than
    CTRL-EVENT-CONNECTED.  Returns whatever eap_check_auth() returns.
    """
    dev.request("REAUTHENTICATE")
    outcome = eap_check_auth(dev, method, False,
                             rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive path: three stations authenticate with EAP-SIM against the
    hlr_auc_gw-backed authentication server, dev[0] additionally runs a
    reauthentication.  ``password`` carries the Milenage key material as two
    colon-separated 32-hex-digit fields (presumably Ki:OPc — confirm against
    auth_serv/hlr_auc_gw.milenage_db).  Negative paths then feed a wrong key,
    malformed key strings (truncated, a non-hex 'q' in either field, the
    separator replaced) and no key at all; each must be rejected by the
    supplicant or the server instead of being silently truncated/accepted.

    NOTE(review): the closing keyword line of the eap_connect() calls marked
    below (the expected outcome, presumably expect_failure=True, and the
    sha256 variant for dev[2]) is missing from this listing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # (elided: closing keyword line of this call)
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the key differs from the server's copy.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
    # (elided: closing keyword line of this call)
    logger.info("Invalid GSM-Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    # Truncated: too short and no second field.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # (elided: closing keyword line of this call)
    logger.info("Invalid GSM-Milenage key(2)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character in the first field.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
    # (elided: closing keyword line of this call)
    logger.info("Invalid GSM-Milenage key(3)")
    dev[0].request("REMOVE_NETWORK all")
    # Non-hex character in the second field.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
    # (elided: closing keyword line of this call)
    logger.info("Invalid GSM-Milenage key(4)")
    dev[0].request("REMOVE_NETWORK all")
    # Separator replaced by a non-hex character.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
    # (elided: closing keyword line of this call)
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    # No password at all.
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
    # (elided: closing keyword line of this call)
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises the EAP-SIM fast-reauthentication and pseudonym state that the
    authentication server keeps in an SQLite database (hostapd.db under
    ``params['logdir']``, reached through the server on port 1814).  The test
    edits that state directly between reauthentications:

    * deleting the ``reauth`` row forces a full authentication using the
      pseudonym; deleting the ``pseudonyms`` row too forces a full
      authentication with the permanent identity (the privacy fallback);
    * overwriting ``mk`` (the server's copy of the master key) with zeros must
      make the reauthentication fail — peer and server must agree on MK;
    * changing ``counter`` (mismatch, and 1001 for "max reauth count
      reached") is expected to still complete, presumably by falling back to
      a full authentication — the test only asserts success.

    All SQL statements are constant strings with hard-coded identities, so
    string concatenation is not an injection concern here; parameterised
    queries would still be the tidier form.

    NOTE(review): short lines are missing from this listing — the
    try/except around the sqlite3 import, the ``with con:`` / cursor
    creation before each cur.execute(), and the blank separators.
    """
    check_hlr_auc_gw_support()
    # (elided: try/except importing sqlite3)
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM full auth with pseudonym")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM full auth with permanent identity")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    logger.info("SIM reauth with mismatching MK")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    # A reauth with a corrupted server-side MK must be rejected.
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    ``sim_min_num_chal`` bounds how many GSM challenges the peer accepts.
    Values outside the supported range (1 and 4 here) must make method
    initialisation fail with the "Failed to initialize EAP method" message
    rather than connect with a weakened challenge count; 2 is accepted.
    A second station checks that an ``anonymous_identity`` can be configured
    alongside the permanent identity.

    NOTE(review): the ``if ev is None:`` guards before the two raises are
    missing from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (elided: `if ev is None:` guard)
        raise Exception("No EAP error message seen")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                   identity="1232010000000000",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="sim_min_num_chal=4",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
    # (elided: `if ev is None:` guard)
        raise Exception("No EAP error message seen (2)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    Thin wrapper: runs _test_ap_wpa2_eap_sim_ext() and then restores
    ``external_sim 0`` on dev[0] so later tests are not left in external-SIM
    mode.  NOTE(review): the try/finally that pairs the two statements is
    missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Feed malformed GSM-AUTH answers to EAP-SIM in external-SIM mode.

    With ``external_sim 1`` the supplicant does not talk to a SIM itself; it
    emits ``CTRL-REQ-SIM-<rid>:GSM-AUTH:<challenge>`` on the control
    interface and expects a ``CTRL-RSP-SIM-<rid>:GSM-AUTH:<answer>`` back.
    This test never supplies a valid answer.  It sends, in turn, a response
    of the wrong type (UMTS-AUTH) and then progressively longer malformed
    GSM-AUTH strings (non-hex text, wrong length, a Kc-sized field with
    nothing after it, truncated or non-hex trailing fields).  Every one must
    be accepted by the ctrl_iface command ("OK") yet end in
    CTRL-EVENT-EAP-FAILURE — the parser must reject bad input without
    crashing or completing the authentication.

    NOTE(review): short lines are missing from this listing — each
    ``if ev is None:`` guard before a "timed out"/"not reported" raise, and
    the ``p = ...`` split of the CTRL-REQ-SIM event into fields before each
    ``p[1]`` / ``p[0]`` use (p[0] is the ``CTRL-REQ-SIM-<rid>`` tag, p[1] the
    request type).  Raises that belong under an elided guard are shown one
    indent deeper.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
        raise Exception("Network connected timed out")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # Case 1: wrong response type for a GSM-AUTH request.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 2: non-hex garbage.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 3: valid hex but far too short.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 4: a single 8-byte field with nothing following it.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 5: non-hex second field.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 6: two well-formed fields but no further challenge answers.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Case 7: non-hex third field.  No DISCONNECT afterwards; the wrapper
    # only resets external_sim.
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # This will fail during GSM auth validation
    if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
        raise Exception("CTRL-RSP-SIM failed")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP failure not reported")
def test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id

    Wrapper around _test_ap_wpa2_eap_sim_ext_replace_sim() that restores
    ``external_sim 0`` afterwards.  NOTE(review): the try/finally pairing
    the two statements is missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim(dev, apdev):
    """Swap the SIM (identity) but keep the old pseudonym; expect EAP-Failure.

    A real GSM-AUTH answer is produced by running the hlr_auc_gw binary
    against auth_serv/hlr_auc_gw.milenage_db with the IMSI (the identity
    minus its leading "1" — presumably the EAP-SIM permanent-identity prefix,
    confirm against RFC 4186) and the RAND taken from the CTRL-REQ-SIM event.
    After a successful connection the identity is changed to a different
    subscriber while the learned ``anonymous_identity`` (pseudonym) is left
    in place.  The server maps that pseudonym to the old permanent identity,
    so the second authentication must fail — a pseudonym must never carry
    over to a different subscriber.

    hlr_auc_gw is invoked with an argv list (no shell), so ``rand`` is never
    shell-interpreted.  The code assumes a Python 2 ``str`` result from
    check_output(); under Python 3 the ``in`` / ``split`` calls on bytes
    would need a decode.  ``res.split(' ')[2]`` assumes the
    ``GSM-AUTH-RESP <imsi> <answer>`` layout — confirm against hlr_auc_gw.

    NOTE(review): short lines are missing from this listing — the
    ``if ev is None:`` guards, the ``p = ...`` split of the CTRL-REQ-SIM
    event, and one argv element between the binary and the database path
    in each check_output() call.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    # First space-separated token of the challenge field is the RAND handed
    # to the HLR/AuC gateway.
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM, but forget to drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    # Answer with the NEW subscriber's credentials; the server still
    # associates the pseudonym with the old one.
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        raise Exception("EAP-Failure not reported")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity

    Wrapper around _test_ap_wpa2_eap_sim_ext_replace_sim2() that restores
    ``external_sim 0`` afterwards.  NOTE(review): the try/finally pairing
    the two statements is missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev, apdev):
    """Swap the SIM (identity) and clear the pseudonym; expect success.

    Companion to _test_ap_wpa2_eap_sim_ext_replace_sim(): same flow, but
    before the second authentication ``anonymous_identity`` is reset to
    NULL along with the new identity, so the supplicant starts from the new
    permanent identity and the authentication completes.  See the sibling
    test's docstring for the hlr_auc_gw invocation and its assumptions.

    NOTE(review): short lines are missing from this listing — the
    ``if ev is None:`` guards, the ``p = ...`` split of the CTRL-REQ-SIM
    event, and one argv element in each check_output() call.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous pseudonym identity
    dev[0].set_network_quoted(id, "identity", "1232010000000009")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    # No explicit timeout here, unlike the first wait_connected() above.
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """EAP-SIM with external GSM auth, replacing SIM, and no identity in config

    Wrapper around _test_ap_wpa2_eap_sim_ext_replace_sim3() that restores
    ``external_sim 0`` afterwards.  NOTE(review): the try/finally pairing
    the two statements is missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev, apdev):
    """Swap the SIM with no identity in the network block; identity supplied on request.

    Like the other replace_sim tests, but the network block carries no
    ``identity``: the supplicant asks for it with CTRL-REQ-IDENTITY and the
    test answers with CTRL-RSP-IDENTITY.  After the first connection both
    ``identity`` and ``anonymous_identity`` are reset to NULL, the new
    subscriber's identity is supplied interactively, and the second
    authentication must succeed.  See _test_ap_wpa2_eap_sim_ext_replace_sim()
    for the hlr_auc_gw invocation and its assumptions.

    NOTE(review): short lines are missing from this listing — the
    ``if ev is None:`` guards, the ``p = ...`` split of the CTRL-REQ-SIM
    event, and one argv element in each check_output() call.  The two
    CTRL-REQ-IDENTITY waits use wait_event()'s default timeout.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
    # Request id is the last '-'-separated piece of the event tag.
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000000")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # Replace SIM and drop the previous permanent and pseudonym identities
    dev[0].set_network(id, "identity", "NULL")
    dev[0].set_network(id, "anonymous_identity", "NULL")
    dev[0].select_network(id, freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        raise Exception("Request for identity timed out")
    rid = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-IDENTITY-" + rid + ":1232010000000009")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000009 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """EAP-SIM with external GSM auth and auth failing

    Wrapper around _test_ap_wpa2_eap_sim_ext_auth_fail() that restores
    ``external_sim 0`` afterwards.  NOTE(review): the try/finally pairing
    the two statements is missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_ext_auth_fail(dev, apdev):
    """Answer the external GSM-AUTH request with GSM-FAIL; expect EAP failure.

    Models a SIM that refuses the challenge: the supplicant must surface
    CTRL-EVENT-EAP-FAILURE (within 5 s here) and the station must end up
    disconnected after the network is removed.  Unlike the sibling tests the
    request type is not checked before replying.

    NOTE(review): the ``if ev is None:`` guards and the ``p = ...`` split of
    the CTRL-REQ-SIM event are missing from this listing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    rid = p[0].split('-')[3]
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-FAIL")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """EAP-SIM and external GSM auth to check fast reauth with bssid change

    Wrapper around _test_ap_wpa2_eap_sim_change_bssid() that restores
    ``external_sim 0`` afterwards.  NOTE(review): the try/finally pairing
    the two statements is missing from this listing.
    """
    # (elided: try:)
        _test_ap_wpa2_eap_sim_change_bssid(dev, apdev)
    # (elided: finally:)
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_sim_change_bssid(dev, apdev):
    """Complete one external-SIM authentication, then reauthenticate after a profile edit.

    After a successful external GSM-AUTH exchange (answer produced by
    hlr_auc_gw, see _test_ap_wpa2_eap_sim_ext_replace_sim() for the
    invocation and its assumptions), the network's ``bssid`` is set to
    "any" — a change that does not touch any EAP parameter — and a
    REAUTHENTICATE must still succeed via eap_reauth(), i.e. the fast
    reauthentication state must survive such an edit.

    NOTE(review): the ``if ev is None:`` guard, the ``p = ...`` split of the
    CTRL-REQ-SIM event and one argv element of the check_output() call are
    missing from this listing.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        raise Exception("Wait for external SIM processing request timed out")
    # (elided: split of ev into p)
    if p[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = p[0].split('-')[3]
    rand = p[2].split(' ')[0]
    res = subprocess.check_output(["../../hostapd/hlr_auc_gw",
    # (elided: one argv element)
                                   "auth_serv/hlr_auc_gw.milenage_db",
                                   "GSM-AUTH-REQ 232010000000000 " + rand])
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev[0].wait_connected(timeout=15)
    # Verify that EAP-SIM Reauthentication can be used after a profile change
    # that does not affect EAP parameters.
    dev[0].set_network(id, "bssid", "any")
    eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_oom(dev, apdev):
    """EAP-SIM and OOM

    Fault injection: for each count 1..12, fail_test() (from utils) makes
    the count-th call into ``milenage_f2345`` fail while an EAP-SIM
    connection is attempted.  The method must still be selected
    (CTRL-EVENT-EAP-METHOD within 5 s) and the station must end up
    disconnected — an allocation/crypto failure inside Milenage has to
    result in a clean failure, not a hang or a crash.  The network is
    removed after each iteration.

    NOTE(review): the ``if ev is None:`` guard before the raise is missing
    from this listing.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    tests = [ (1, "milenage_f2345"),
              (2, "milenage_f2345"),
              (3, "milenage_f2345"),
              (4, "milenage_f2345"),
              (5, "milenage_f2345"),
              (6, "milenage_f2345"),
              (7, "milenage_f2345"),
              (8, "milenage_f2345"),
              (9, "milenage_f2345"),
              (10, "milenage_f2345"),
              (11, "milenage_f2345"),
              (12, "milenage_f2345") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                           identity="1232010000000000",
                           password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # (elided: `if ev is None:` guard)
                raise Exception("EAP method not selected")
            dev[0].wait_disconnected()
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    EAP-AKA counterpart of test_ap_wpa2_eap_sim().  The identity uses a
    leading "0" instead of "1" and ``password`` has a third colon-separated
    field (presumably Ki:OPc:SQN — confirm against
    auth_serv/hlr_auc_gw.milenage_db).  After the positive path and a
    reauthentication, the negative cases feed a wrong key, a truncated key,
    a non-hex 'q' in each of the three fields, each separator replaced, both
    separators replaced, and no key at all.

    NOTE(review): the closing keyword line of each negative eap_connect()
    call (presumably expect_failure=True) is missing from this listing.
    Also note that cases (2)-(4) do not issue ``REMOVE_NETWORK all`` first,
    unlike every other case here and the SIM variant, so those failed
    network blocks accumulate in the supplicant; harmless for the outcome
    but inconsistent.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")
    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key(2)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key(3)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key(4)")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key(5)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
    # (elided: closing keyword line of this call)
    logger.info("Invalid Milenage key(6)")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
    # (elided: closing keyword line of this call)
    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
    # (elided: closing keyword line of this call)
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    EAP-AKA counterpart of test_ap_wpa2_eap_sim_sql(): the server's
    fast-reauth (``reauth``) and ``pseudonyms`` rows for the permanent
    identity are deleted or edited in hostapd.db between reauthentications.
    Deleting ``reauth`` forces a full authentication with the pseudonym,
    deleting ``pseudonyms`` too forces one with the permanent identity; an
    all-zero ``mk`` must make the reauthentication fail; edited ``counter``
    values (mismatch, and 1001 for the max count) are expected to still
    complete — presumably via full-auth fallback, the test asserts only
    success.  The SQL is constant, hard-coded text (no untrusted input).

    NOTE(review): short lines are missing from this listing — the
    try/except around the sqlite3 import and the ``with con:`` / cursor
    creation before each cur.execute().
    """
    check_hlr_auc_gw_support()
    # (elided: try/except importing sqlite3)
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with pseudonym")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA full auth with permanent identity")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
        cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    logger.info("AKA reauth with mismatching MK")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    # A reauth with a corrupted server-side MK must be rejected.
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # (elided: `with con:` and `cur = con.cursor()`)
        cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Same Milenage credentials as the basic EAP-AKA test, with an explicit
    anonymous_identity added.  For EAP-SIM/AKA wpa_supplicant uses that
    field for the pseudonym/anonymous identity; the test only checks that
    authentication still completes with it set.
    """
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # password is the Ki:OPc:SQN triplet of the simulated USIM
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
906 def test_ap_wpa2_eap_aka_ext(dev, apdev):
907 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
909 _test_ap_wpa2_eap_aka_ext(dev, apdev)
911 dev[0].request("SET external_sim 0")
913 def _test_ap_wpa2_eap_aka_ext(dev, apdev):
914 check_hlr_auc_gw_support()
915 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
916 hostapd.add_ap(apdev[0]['ifname'], params)
917 dev[0].request("SET external_sim 1")
918 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
919 identity="0232010000000000",
920 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
921 wait_connect=False, scan_freq="2412")
922 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
924 raise Exception("Network connected timed out")
926 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
928 raise Exception("Wait for external SIM processing request timed out")
930 if p[1] != "UMTS-AUTH":
931 raise Exception("Unexpected CTRL-REQ-SIM type")
932 rid = p[0].split('-')[3]
935 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
936 # This will fail during processing, but the ctrl_iface command succeeds
937 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
938 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
940 raise Exception("EAP failure not reported")
941 dev[0].request("DISCONNECT")
942 dev[0].wait_disconnected()
944 dev[0].dump_monitor()
946 dev[0].select_network(id, freq="2412")
947 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
949 raise Exception("Wait for external SIM processing request timed out")
951 if p[1] != "UMTS-AUTH":
952 raise Exception("Unexpected CTRL-REQ-SIM type")
953 rid = p[0].split('-')[3]
954 # This will fail during UMTS auth validation
955 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
956 raise Exception("CTRL-RSP-SIM failed")
957 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
959 raise Exception("Wait for external SIM processing request timed out")
961 if p[1] != "UMTS-AUTH":
962 raise Exception("Unexpected CTRL-REQ-SIM type")
963 rid = p[0].split('-')[3]
964 # This will fail during UMTS auth validation
965 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
966 raise Exception("CTRL-RSP-SIM failed")
967 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
969 raise Exception("EAP failure not reported")
970 dev[0].request("DISCONNECT")
971 dev[0].wait_disconnected()
973 dev[0].dump_monitor()
975 tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
977 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
978 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
979 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
980 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
981 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
983 dev[0].select_network(id, freq="2412")
984 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
986 raise Exception("Wait for external SIM processing request timed out")
988 if p[1] != "UMTS-AUTH":
989 raise Exception("Unexpected CTRL-REQ-SIM type")
990 rid = p[0].split('-')[3]
991 # This will fail during UMTS auth validation
992 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + t):
993 raise Exception("CTRL-RSP-SIM failed")
994 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
996 raise Exception("EAP failure not reported")
997 dev[0].request("DISCONNECT")
998 dev[0].wait_disconnected()
1000 dev[0].dump_monitor()
1002 def test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1003 """EAP-AKA with external UMTS auth and auth failing"""
1005 _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev)
1007 dev[0].request("SET external_sim 0")
1009 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev, apdev):
1010 check_hlr_auc_gw_support()
1011 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1012 hostapd.add_ap(apdev[0]['ifname'], params)
1013 dev[0].request("SET external_sim 1")
1014 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
1015 identity="0232010000000000",
1016 wait_connect=False, scan_freq="2412")
1018 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1020 raise Exception("Wait for external SIM processing request timed out")
1021 p = ev.split(':', 2)
1022 rid = p[0].split('-')[3]
1023 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1024 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1026 raise Exception("EAP failure not reported")
1027 dev[0].request("REMOVE_NETWORK all")
1028 dev[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Positive path first (authentication, data connectivity, reauth), then
    a station that enables both AKA' and AKA must still get through (the
    EAP-AKA' bidding-down protection of RFC 5448), and finally a run with a
    corrupted Ki that has to end in EAP failure.
    """
    check_hlr_auc_gw_support()
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "6555444333222111"
    # Milenage Ki:OPc:SQN of the simulated USIM
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # The "@both" realm is presumably set up server-side to allow either
    # method; with both enabled on the station the connection is still
    # expected to complete (on AKA', per the bidding rules).
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # First Ki byte changed (51 -> ff); the peer can no longer validate the
    # network's AUTN, so authentication must be rejected.
    bad_key = "ff" + good_key[2:]
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=bad_key,
                expect_failure=True)
1053 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
1054 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1055 check_hlr_auc_gw_support()
1059 raise HwsimSkip("No sqlite3 module available")
1060 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
1061 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1062 params['auth_server_port'] = "1814"
1063 hostapd.add_ap(apdev[0]['ifname'], params)
1064 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1065 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1067 logger.info("AKA' fast re-authentication")
1068 eap_reauth(dev[0], "AKA'")
1070 logger.info("AKA' full auth with pseudonym")
1073 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1074 eap_reauth(dev[0], "AKA'")
1076 logger.info("AKA' full auth with permanent identity")
1079 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1080 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1081 eap_reauth(dev[0], "AKA'")
1083 logger.info("AKA' reauth with mismatching k_aut")
1086 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1087 eap_reauth(dev[0], "AKA'", expect_failure=True)
1088 dev[0].request("REMOVE_NETWORK all")
1090 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1091 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1094 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1095 eap_reauth(dev[0], "AKA'")
1098 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1099 logger.info("AKA' reauth with mismatching counter")
1100 eap_reauth(dev[0], "AKA'")
1101 dev[0].request("REMOVE_NETWORK all")
1103 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
1104 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1107 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1108 logger.info("AKA' reauth with max reauth count reached")
1109 eap_reauth(dev[0], "AKA'")
1111 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1112 """EAP-AKA' with external UMTS auth and auth failing"""
1114 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev)
1116 dev[0].request("SET external_sim 0")
1118 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev, apdev):
1119 check_hlr_auc_gw_support()
1120 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1121 hostapd.add_ap(apdev[0]['ifname'], params)
1122 dev[0].request("SET external_sim 1")
1123 id = dev[0].connect("test-wpa2-eap", eap="AKA'", key_mgmt="WPA-EAP",
1124 identity="6555444333222111",
1125 wait_connect=False, scan_freq="2412")
1127 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
1129 raise Exception("Wait for external SIM processing request timed out")
1130 p = ev.split(':', 2)
1131 rid = p[0].split('-')[3]
1132 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-FAIL")
1133 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
1135 raise Exception("EAP failure not reported")
1136 dev[0].request("REMOVE_NETWORK all")
1137 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    PAP carries the password in cleartext inside the TLS tunnel, so the
    ca_cert check on the tunnel is what keeps a rogue AP from harvesting
    it.  Besides the authentication itself the test verifies that hostapd
    lists WPA-EAP first in key_mgmt and that both sides ended up on the
    IEEE 802.1X AKM suite (00-0f-ac-1).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                        ("dot11RSNAAuthenticationSuiteSelected", akm_8021x) ])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    On top of the CA check, the server certificate is pinned by subject
    (subject_match is a substring match) and by subjectAltName.  A mismatch
    on either aborts the TLS handshake before the PAP password is sent.
    altsubject_match is satisfied by any one listed entry; the EMAIL and
    URI entries look like deliberate non-matches with DNS:server.w1.fi
    doing the work - verify against the test server certificate.
    """
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san_list = "EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/"
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match=san_list)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Two rejection cases: the PAP user with a wrong password, and "user"
    with its otherwise valid password (presumably not permitted to use PAP
    in the test user database).  Both must end in EAP failure.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def must_fail(sta, identity, password):
        # helper: one TTLS/PAP attempt that has to be rejected
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                    expect_failure=True)

    must_fail(dev[0], "pap user", "wrong")
    must_fail(dev[1], "user", "password")
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    CHAP is MD5-based, hence the skip under FIPS.  The CA is supplied in
    DER form (ca.der) instead of PEM, exercising the other certificate
    loading path while still pinning the tunnel to the test CA.
    """
    sta = dev[0]
    skip_with_fips(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and altsubject_match

    Like the plain CHAP test, but the server certificate is additionally
    pinned by subjectAltName.  The entry order differs from the PAP variant
    (URI listed before DNS), presumably so that matching is shown not to
    depend on list position.
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_altsubject_match_support(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Wrong password for the CHAP user, and "user" with its valid password
    (presumably not allowed to use CHAP server-side); both must fail.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def must_fail(sta, identity, password):
        # helper: one TTLS/CHAP attempt that has to be rejected
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
                    expect_failure=True)

    must_fail(dev[0], "chap user", "wrong")
    must_fail(dev[1], "user", "password")
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    Three variants of the same inner authentication: server certificate
    pinned with domain_suffix_match, a small EAP fragment_size to exercise
    TLS fragment reassembly, and the password supplied as an NT hash.  The
    NT hash is password-equivalent for MSCHAP, so a stored hash deserves
    the same protection as the cleartext.
    """
    sta = dev[0]
    skip_with_fips(sta)
    check_domain_suffix_match(sta)
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP")

    eap_connect(sta, apdev[0], "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    # NOTE(review): no wait_disconnected() before this reconnect, unlike
    # the next one; the immediate reconnect is presumably tolerated.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "mschap user", password="password",
                fragment_size="200", **common)

    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    # NT hash of "password"
    eap_connect(sta, apdev[0], "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Three rejections on three stations: wrong password, a valid password
    for an identity presumably not allowed to use MSCHAP, and an identity
    unknown to the server.  None may result in a connection.
    """
    skip_with_fips(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cases = [ (dev[0], "mschap user", "wrong"),
              (dev[1], "user", "password"),
              (dev[2], "no such user", "password") ]
    for sta, identity, password in cases:
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                    expect_failure=True)
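def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a "DOMAIN\\user" style identity and domain_suffix_match on
    the server certificate, checks data connectivity, triggers an
    EAPOL-Start based reauthentication and verifies that hostapd's per-STA
    dot1x/EAPOL counters moved, then reconnects with the password given as
    an NT hash (password-equivalent for MSCHAPv2).
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\m" is not a Python escape sequence (DeprecationWarning, SyntaxWarning
    # from 3.12); the doubled backslash yields the same identity bytes.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    # Compared against the pre-reauth snapshot like the other two counters
    # (the original used an absolute ">= 1", which the message does not say).
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) <= int(eapol1['authAuthEapStartsWhileAuthenticated']):
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT hash of "password"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")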
1290 def test_ap_wpa2_eap_ttls_invalid_phase2(dev, apdev):
1291 """EAP-TTLS with invalid phase2 parameter values"""
1292 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1293 hostapd.add_ap(apdev[0]['ifname'], params)
1294 tests = [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1295 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1296 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1298 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1299 identity="DOMAIN\mschapv2 user",
1300 anonymous_identity="ttls", password="password",
1301 ca_cert="auth_serv/ca.pem", phase2=t,
1302 wait_connect=False, scan_freq="2412")
1303 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
1304 if ev is None or "method=21" not in ev:
1305 raise Exception("EAP-TTLS not started")
1306 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method",
1307 "CTRL-EVENT-CONNECTED"], timeout=5)
1308 if ev is None or "CTRL-EVENT-CONNECTED" in ev:
1309 raise Exception("No EAP-TTLS failure reported for phase2=" + t)
1310 dev[0].request("REMOVE_NETWORK all")
1311 dev[0].wait_disconnected()
1312 dev[0].dump_monitor()
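def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)

    domain_suffix_match="w1.fi" has to accept the certificate of
    server.w1.fi; TLS libraries that can only do a full-name comparison are
    skipped by check_domain_match_full().
    """
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # doubled backslash: "\m" is not a valid escape and only happened to keep
    # its backslash; the identity bytes are unchanged, the warning is gone
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")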
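def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)

    domain_match is a full-name comparison (no suffix semantics, per
    wpa_supplicant.conf); passing "Server.w1.fi" for a server.w1.fi
    certificate checks that the comparison is case-insensitive.
    """
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # doubled backslash: "\m" is not a valid escape; same identity bytes,
    # without the invalid-escape warning
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")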
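def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Wrong password for the domain user, and "user" with its valid password
    (presumably not allowed to use inner MSCHAPv2 in the test user DB);
    both must end in EAP failure.
    """
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def must_fail(sta, identity, password):
        # helper: one TTLS/MSCHAPv2 attempt that has to be rejected
        eap_connect(sta, apdev[0], "TTLS", identity,
                    anonymous_identity="ttls", password=password,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    expect_failure=True)

    # doubled backslash: "\m" is not a valid escape; identity bytes unchanged
    must_fail(dev[0], "DOMAIN\\mschapv2 user", "password1")
    must_fail(dev[1], "user", "password")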
1356 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
1357 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1358 skip_with_fips(dev[0])
1359 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1360 hostapd.add_ap(apdev[0]['ifname'], params)
1361 hapd = hostapd.Hostapd(apdev[0]['ifname'])
1362 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
1363 anonymous_identity="ttls", password="secret-åäö-€-password",
1364 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1365 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
1366 anonymous_identity="ttls",
1367 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
1368 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
1369 for p in [ "80", "41c041e04141e041", 257*"41" ]:
1370 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1371 eap="TTLS", identity="utf8-user-hash",
1372 anonymous_identity="ttls", password_hex=p,
1373 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1374 wait_connect=False, scan_freq="2412")
1375 ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=1)
1377 raise Exception("No failure reported")
1378 dev[2].request("REMOVE_NETWORK all")
1379 dev[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    EAP-GTC as the inner EAP method (autheap=).  GTC returns the password as
    a cleartext token response, so as with PAP the tunnel's CA check is
    the only protection against a rogue server.
    """
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password

    The inner GTC response carries a wrong password; the attempt must end
    in EAP failure.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password

    "user-no-passwd" presumably has no password configured on the server
    side; the client still offers one and must be rejected rather than
    let through.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                expect_failure=True)
1409 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
1410 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1411 params = int_eap_server_params()
1412 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1413 with alloc_fail(hapd, 1, "eap_gtc_init"):
1414 eap_connect(dev[0], apdev[0], "TTLS", "user",
1415 anonymous_identity="ttls", password="password",
1416 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1417 expect_failure=True)
1418 dev[0].request("REMOVE_NETWORK all")
1420 with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
1421 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1422 eap="TTLS", identity="user",
1423 anonymous_identity="ttls", password="password",
1424 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1425 wait_connect=False, scan_freq="2412")
1426 # This would eventually time out, but we can stop after having reached
1427 # the allocation failure.
1430 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1433 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev, apdev):
1434 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1435 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1436 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1438 tests = [ "eap_gtc_init",
1439 "eap_msg_alloc;eap_gtc_process" ]
1441 with alloc_fail(dev[0], 1, func):
1442 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
1444 eap="TTLS", identity="user",
1445 anonymous_identity="ttls", password="password",
1446 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
1448 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1449 dev[0].request("REMOVE_NETWORK all")
1450 dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    EAP-MD5 as the inner method.  MD5-Challenge derives no keying material
    and is not usable as an outer method for WPA2; inside the TTLS tunnel
    the tunnel provides the keys and the confidentiality.
    """
    sta = dev[0]
    check_eap_capa(sta, "MD5")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password

    A wrong password produces a wrong MD5-Challenge response; the attempt
    must end in EAP failure.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password

    "user-no-passwd" presumably has no password on the server side; the
    server must not be able to complete MD5-Challenge for it, so the
    attempt has to fail.
    """
    check_eap_capa(dev[0], "MD5")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
1483 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
1484 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1485 check_eap_capa(dev[0], "MD5")
1486 params = int_eap_server_params()
1487 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1488 with alloc_fail(hapd, 1, "eap_md5_init"):
1489 eap_connect(dev[0], apdev[0], "TTLS", "user",
1490 anonymous_identity="ttls", password="password",
1491 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1492 expect_failure=True)
1493 dev[0].request("REMOVE_NETWORK all")
1495 with alloc_fail(hapd, 1, "eap_md5_buildReq"):
1496 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1497 eap="TTLS", identity="user",
1498 anonymous_identity="ttls", password="password",
1499 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
1500 wait_connect=False, scan_freq="2412")
1501 # This would eventually time out, but we can stop after having reached
1502 # the allocation failure.
1505 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    EAP-MSCHAPv2 (autheap=, i.e. the EAP-encapsulated form rather than the
    bare MSCHAPv2 AVPs) as the inner method: successful auth, data
    connectivity and reauth, then a rejection with a wrong password.
    """
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")

    eap_connect(sta, apdev[0], "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password

    "user-no-passwd" presumably has no password configured server-side;
    the MSCHAPv2 exchange cannot complete and must end in EAP failure.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)
1536 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
1537 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1538 check_eap_capa(dev[0], "MSCHAPV2")
1539 params = int_eap_server_params()
1540 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1541 with alloc_fail(hapd, 1, "eap_mschapv2_init"):
1542 eap_connect(dev[0], apdev[0], "TTLS", "user",
1543 anonymous_identity="ttls", password="password",
1544 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1545 expect_failure=True)
1546 dev[0].request("REMOVE_NETWORK all")
1548 with alloc_fail(hapd, 1, "eap_mschapv2_build_challenge"):
1549 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1550 eap="TTLS", identity="user",
1551 anonymous_identity="ttls", password="password",
1552 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1553 wait_connect=False, scan_freq="2412")
1554 # This would eventually time out, but we can stop after having reached
1555 # the allocation failure.
1558 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1560 dev[0].request("REMOVE_NETWORK all")
1562 with alloc_fail(hapd, 1, "eap_mschapv2_build_success_req"):
1563 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1564 eap="TTLS", identity="user",
1565 anonymous_identity="ttls", password="password",
1566 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1567 wait_connect=False, scan_freq="2412")
1568 # This would eventually time out, but we can stop after having reached
1569 # the allocation failure.
1572 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1574 dev[0].request("REMOVE_NETWORK all")
1576 with alloc_fail(hapd, 1, "eap_mschapv2_build_failure_req"):
1577 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
1578 eap="TTLS", identity="user",
1579 anonymous_identity="ttls", password="wrong",
1580 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
1581 wait_connect=False, scan_freq="2412")
1582 # This would eventually time out, but we can stop after having reached
1583 # the allocation failure.
1586 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
1588 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    EAP-AKA tunnelled inside EAP-TTLS.  The outer (cleartext) identity gets
    a "@ttls" realm while the inner identity stays the bare IMSI-style
    string, so the permanent identity is only exposed inside the tunnel.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    EAP-AKA as the PEAP inner method, with a "@peap" realm on the outer
    identity only; the Milenage Ki:OPc:SQN triplet is the same as in the
    plain EAP-AKA tests.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA as the inner method of EAP-FAST.  fast_provisioning=2 selects
    authenticated (server-certificate based) PAC provisioning, so the
    ca_cert check still matters; the PAC is kept in a wpa_supplicant blob
    rather than on disk.
    """
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four runs against the same AP: the plain success path with data
    connectivity and reauth, a small fragment_size to exercise TLS
    reassembly, the password given as an NT hash (password-equivalent for
    MSCHAPv2), and finally a wrong password that must be rejected.
    """
    sta = dev[0]
    check_eap_capa(sta, "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # NT hash of "password"
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
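def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity in NT "DOMAIN\user" form (one literal backslash). Written as a
    # raw string: in a normal literal "\u" starts a \uXXXX escape under
    # Python 3 and the whole module fails to compile; the raw form produces
    # the same bytes on both Python 2 and 3.
    eap_connect(dev[0], apdev[0], "PEAP", r"DOMAIN\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")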
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate still validates (ca_cert), so the only thing
    # wrong is the inner password; the result must be an EAP failure and
    # never a connection.
    bad_creds = dict(anonymous_identity="peap", password="wrong",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "PEAP", "user", expect_failure=True,
                **bad_creds)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    # crypto_binding=2 makes the client require the PEAPv0 cryptobinding TLV
    # (presumably 0 = off, 1 = use if the server offers it, 2 = require, as
    # in wpa_supplicant.conf — confirm). Requiring it is the setting that
    # ties the inner authentication to the outer TLS tunnel, so it is the
    # one exercised with traffic and re-authentication.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 crypto_binding=2", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # The more permissive client policies must still interoperate.
    for sta, policy in ((dev[1], 1), (dev[2], 0)):
        eap_connect(sta, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=%d" % policy, **common)
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Fail the first allocation in the server's eap_mschapv2_getKey(). Without
    # the inner method's key material the server cannot complete the
    # cryptobinding the client insists on (crypto_binding=2), so the
    # exchange must fail cleanly instead of connecting. local_error_report
    # presumably because the failure is noticed on the client side.
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    # NOTE(review): this listing appears to be missing several lines of the
    # function: the `identity=` argument of two connect() calls, one entry of
    # the first `tests` table, the closing `scan_freq=...)` of the connect()
    # inside the first loop, and the `if ev is None:` guards in front of the
    # timeout raises. The code is reproduced as listed; check the upstream
    # file before treating it as runnable.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 together with PEAPv0 is expected to fail — presumably the
    # client then derives keys with a label the server does not use.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): `identity=` argument missing from the listing here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # peapver=1 peaplabel=1: EAP reports success but no association follows
    # within 1 s. Presumably the client and server derive different keys, so
    # the 4-way handshake cannot complete — a reminder that an EAP-Success
    # alone is not proof that both sides hold the same key.
    # NOTE(review): `identity=` argument missing from the listing here.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    # NOTE(review): guard (expected `if ev is not None:`) missing here.
    raise Exception("Unexpected connection")

    # anonymous_identity values presumably steer the test server's PEAP
    # version selection; these combinations are expected to connect.
    # NOTE(review): one table entry appears to be missing from the listing.
    tests = [ ("peap-ver0", ""),
              ("peap-ver0", "peapver=0"),
              ("peap-ver1", "peapver=1") ]
    for anon,phase1 in tests:
        # NOTE(review): the closing `scan_freq="2412")` of this call is
        # missing from the listing.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Forcing a PEAP version the server does not offer must end in EAP-Failure.
    tests = [ ("peap-ver0", "peapver=1"),
              ("peap-ver1", "peapver=0") ]
    for anon,phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        # NOTE(review): guard line missing from the listing here.
        raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Coverage of the legacy TLS knobs: re-allowing MD5 signatures and
    # TLS 1.0/1.1, disabling session tickets and the external certificate
    # check. This is a weakened client configuration exercised for test
    # coverage only, not a recommended profile.
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The outer PEAP tunnel validates the server with ca_cert; the inner
    # EAP-TLS uses the phase-2 certificate set (the *2 parameters) for
    # client authentication.
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mutual certificate authentication: server checked against ca_cert, the
    # client presents user.pem with user.key (no private_key_passwd, so
    # presumably an unencrypted key file).
    client_identity = dict(ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **client_identity)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS#8 client key (PBES2/3DES per the docstring). The
    # passphrase comes from private_key_passwd, i.e. it is stored in the
    # network block right next to the key it protects.
    key_cfg = {"ca_cert": "auth_serv/ca.pem",
               "client_cert": "auth_serv/user.pem",
               "private_key": "auth_serv/user.key.pkcs8",
               "private_key_passwd": "whatever"}
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **key_cfg)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PKCS#5 v1.5 password-based encryption is a legacy scheme (weak KDF and
    # ciphers); it is exercised here for compatibility with older key files,
    # not because new keys should be produced this way.
    key_cfg = {"ca_cert": "auth_serv/ca.pem",
               "client_cert": "auth_serv/user.pem",
               "private_key": "auth_serv/user.key.pkcs8.pkcs5v15",
               "private_key_passwd": "whatever"}
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **key_cfg)
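def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, path):
        """Load the PEM file at `path` into wpa_supplicant blob `name`.

        The control interface takes the blob contents hex-encoded;
        str.encode("hex") is the Python 2 spelling used throughout this
        file. Raises with the blob's own name on failure (the original
        reported "cacert" for the userkey blob as well).
        """
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    # blob:// keeps the private key out of the filesystem path, but it is
    # still held in cleartext inside the supplicant's configuration.
    set_blob("userkey", "auth_serv/user.rsa-key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")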
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Every certificate/key reference points at a blob that was never set.
    # The method must refuse to initialise rather than start TLS without a
    # trust root or silently fall back to no validation.
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert=missing, client_cert=missing,
                   private_key=missing, wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                         timeout=10) is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer emit the TLS Message Length field
    # even when nothing is fragmented; the server must accept that framing.
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                phase1="include_tls_length=1",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    # NOTE(review): this listing appears to be missing a few lines of the
    # function: the `if ev is None:` guard before the passphrase-timeout
    # raise, and one or two lines inside the final loop (the loop variable
    # `pkcs12` is otherwise never used). Reproduced as listed.
    check_pkcs12_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The PKCS#12 bundle supplies both client certificate and key; here the
    # passphrase is given in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Same bundle without private_key_passwd: the supplicant must request the
    # passphrase over the control interface (CTRL-REQ-PASSPHRASE) instead of
    # failing or trying an empty one, which keeps the secret out of the
    # on-disk configuration.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): guard line missing from the listing here.
    raise Exception("Request for private key passphrase timed out")
    # Request id parsed from "CTRL-REQ-PASSPHRASE-<id>:..." and echoed back
    # in the response (`id` shadows the builtin; harmless here).
    id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
    dev[0].wait_connected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
        # NOTE(review): a line appears to be missing from the listing here.
        eap_connect(dev[0], apdev[0], "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    # NOTE(review): the argument that uses `pkcs12` is
                    # missing from the listing here.
                    private_key_passwd="whatever")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def store_blob(name, raw):
        # The control interface takes blob contents hex-encoded
        # (str.encode("hex") is the Python 2 spelling used in this file).
        if "OK" not in sta.request("SET blob %s %s" % (name, raw.encode("hex"))):
            raise Exception("Could not set %s blob" % name)

    store_blob("cacert", read_pem("auth_serv/ca.pem"))
    # PKCS#12 is binary, so it is read as bytes rather than through read_pem().
    with open("auth_serv/user.pkcs12", "rb") as f:
        store_blob("pkcs12", f.read())
    # The bundle supplies both client certificate and key; its passphrase is
    # given in the network block.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
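def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A CA that did not issue the server certificate, configured once via a
    # config blob (dev[0]) and once via a file path (dev[1]).
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    ttls = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **ttls)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **ttls)

    def expect(sta, events, msg, timeout=10):
        """Wait for one of `events` on `sta`; raise Exception(msg) on timeout."""
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    # Loop variable is `sta`, not `dev`: the original shadowed the fixture
    # list with the station under test.
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"],
               "Association and EAP start timed out", timeout=16)
        if "TTLS" not in expect(sta, ["CTRL-EVENT-EAP-METHOD"],
                                "EAP method selection timed out"):
            raise Exception("Unexpected EAP method")

        # The chain must be rejected at the TLS layer, i.e. before phase 2 —
        # the MSCHAPv2 credential must never enter a tunnel to an unverified
        # server. (The event sequence shows the rejection; it does not by
        # itself prove no phase-2 data was sent.)
        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome,
                    "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        if "CTRL-EVENT-EAP-FAILURE" not in expect(sta, outcome,
                                                  "EAP result(2) timed out"):
            raise Exception("EAP failure not reported")
        if "CTRL-EVENT-DISCONNECTED" not in expect(sta, outcome[2:],
                                                   "EAP result(3) timed out"):
            raise Exception("Disconnection not reported")
        # The network block must be temporarily disabled so the supplicant
        # does not keep retrying against the untrusted server.
        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
               "Network block disabling not reported")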
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS", identity="pap user",
                    anonymous_identity="ttls", password="password",
                    phase2="auth=PAP", scan_freq="2412")
    # First a good connection with the real trust root ...
    sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                wait_connect=True, **ttls_pap)
    # ... then a second network block for the same SSID that trusts a CA
    # which did not sign the server certificate. It must not inherit the
    # earlier trust decision (presumably the concern is cached TLS/PMKSA
    # state): EAP-TTLS has to run again and fail.
    bad_id = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **ttls_pap)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(bad_id, freq="2412")

    # EAP type 21 is TTLS.
    if sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                      timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason 23 = IEEE 802.1X authentication failed.
    if "reason=23" not in sta.wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    ttls_pap = dict(key_mgmt="WPA-EAP", eap="TTLS", identity="pap user",
                    anonymous_identity="ttls", password="password",
                    phase2="auth=PAP", scan_freq="2412")
    # The first block has no ca_cert at all; per wpa_supplicant.conf the
    # server certificate is then not verified, so the PAP password would be
    # handed to whichever server answers. Acceptable only in this simulated
    # setup — never in a real profile.
    sta.connect("test-wpa2-eap", wait_connect=True, **ttls_pap)
    # The second block pins a CA that did not issue the server certificate;
    # it must fail even though the same SSID was just joined unverified.
    bad_id = sta.connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **ttls_pap)

    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    sta.select_network(bad_id, freq="2412")

    # EAP type 21 is TTLS.
    if sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                      timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason 23 = IEEE 802.1X authentication failed.
    if "reason=23" not in sta.wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    net_id = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    sta.request("DISCONNECT")
    sta.wait_disconnected()
    sta.dump_monitor()
    # Swap the trust root on the *same* network block. The next attempt must
    # re-run EAP-TTLS against the new CA and fail, not reuse the earlier
    # successful validation.
    sta.set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    sta.select_network(net_id, freq="2412")

    # EAP type 21 is TTLS.
    if sta.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                      timeout=15) is None:
        raise Exception("EAP-TTLS not re-started")

    # Reason 23 = IEEE 802.1X authentication failed.
    if "reason=23" not in sta.wait_disconnected(timeout=15):
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # Correct trust root, but the server certificate's name does not end in
    # the configured suffix. A certificate from the right CA for the wrong
    # host has to be rejected, and rejected before phase 2, i.e. before the
    # MSCHAPv2 credential would be sent into the tunnel.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_suffix_match="incorrect.example.com",
                wait_connect=False, scan_freq="2412")

    def expect(events, msg, timeout=10):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    if "TTLS" not in expect(["CTRL-EVENT-EAP-METHOD"],
                            "EAP method selection timed out"):
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome, "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome[2:],
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    # The supplicant must also stop retrying this network block.
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    # domain_match requires the server's name to equal the configured value
    # exactly (unlike domain_suffix_match). "w1.fi" presumably does not equal
    # the full host name in the server certificate, so validation must fail
    # even though the CA is the right one — and fail before phase 2, where
    # the MSCHAPv2 credential would be sent.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                domain_match="w1.fi",
                wait_connect=False, scan_freq="2412")

    def expect(events, msg, timeout=10):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    outcome = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    if "TTLS" not in expect(["CTRL-EVENT-EAP-METHOD"],
                            "EAP method selection timed out"):
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + outcome,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    if "CTRL-EVENT-EAP-FAILURE" not in expect(outcome, "EAP result(2) timed out"):
        raise Exception("EAP failure not reported")
    if "CTRL-EVENT-DISCONNECTED" not in expect(outcome[2:],
                                              "EAP result(3) timed out"):
        raise Exception("Disconnection not reported")
    # The supplicant must also stop retrying this network block.
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    # NOTE(review): the `if ev is None:` guards in front of the timeout
    # raises, and the early `return` implied by the "so test succeeded" log
    # line, appear to be missing from this listing; reproduced as listed.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct trust root, but a subject_match DN (CN=example.com) that is not
    # the server certificate's subject: a valid certificate for the wrong
    # entity must be rejected before phase 2 (where MSCHAPv2 would send the
    # credential). The identity literal holds one backslash; "\m" is not an
    # escape sequence, so the value is DOMAIN\mschapv2 user.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Builds without OpenSSL cannot enforce subject_match. The supplicant
        # then refuses to initialise the method (fail closed) rather than
        # ignoring the constraint, which the test accepts as a pass; with
        # OpenSSL an init failure is a real error.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        # NOTE(review): `return` missing from the listing here.
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    # The network block must be temporarily disabled so the supplicant does
    # not keep retrying against the rejected server.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # altsubject_match values that must NOT match the server certificate's
    # subjectAltName: a bare name without a type prefix and a DNS: entry for
    # the wrong host. Each is driven through the helper below.
    # NOTE(review): the remainder of this table and the `for match in ...:`
    # line appear to be missing from the listing; reproduced as listed.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Connect with altsubject_match=`match` and require a clean rejection.

    Expected sequence: TLS certificate error carrying "AltSubject mismatch",
    then EAP failure, disconnection and temporary disabling of the network
    block. The AP is set up by the caller. Leaves no network configured.
    """
    # NOTE(review): the `if ev is None:` guards in front of the timeout
    # raises, and the early `return` implied by the "so test succeeded" log
    # line, appear to be missing from this listing; reproduced as listed.
    # Right CA, wrong subjectAltName: must be rejected before phase 2, i.e.
    # before the MSCHAPv2 credential is sent into the tunnel. "\m" is not an
    # escape, so the identity holds a single literal backslash.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Non-OpenSSL builds cannot enforce altsubject_match; refusing to
        # initialise the method (fail closed) counts as a pass there. With
        # OpenSSL an init failure is a real error.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        # NOTE(review): `return` missing from the listing here.
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    # NOTE(review): guard line missing from the listing here.
    raise Exception("Network block disabling not reported")
    # Clean up so the caller can run the next `match` value on dev[0].
    dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # UNAUTH-TLS: no client certificate is configured, so only the server is
    # authenticated (against ca_cert); the identity string is not a
    # credential.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    # SHA-256 fingerprint of the test server certificate.
    srv_cert_hash = "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]

    def expect(events, msg, timeout=10):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(msg)
        return ev

    # Step 1: ca_cert="probe://" only fetches and reports the server chain;
    # the attempt is deliberately ended with a certificate error and no
    # credential is configured. This is how a fingerprint to pin is obtained
    # — a rogue AP would be "probed" just the same, so the value must be
    # confirmed out-of-band before it is trusted.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"],
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    if "Server certificate chain probe" not in expect(
            ["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out"):
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    ttls = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2")

    # Step 2: pin a different, well-formed SHA-256 value; the server
    # certificate must be reported as a mismatch and the attempt fail.
    sta.connect("test-wpa2-eap", wait_connect=False, scan_freq="2412",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                **ttls)
    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=16)
    if "Server certificate mismatch" not in expect(
            ["CTRL-EVENT-EAP-TLS-CERT-ERROR"], "EAP result timed out"):
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 3: pin the real fingerprint; the connection then succeeds with no
    # CA file at all.
    eap_connect(sta, apdev[0], "TTLS", r"DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Malformed pins must be rejected when the method is initialised, not
    # accepted best-effort: an MD5 pin (digest not supported for pinning), a
    # truncated SHA-256 value, and one containing a non-hex character.
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=r"DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin, wait_connect=False, scan_freq="2412")
    for sta in dev[:3]:
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        # Refusing to initialise TTLS (type 21) means no TLS handshake and no
        # credential exchange happens with an unverifiable pin.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    # NOTE(review): the trailing argument line(s) of the two long-identity
    # eap_connect() calls are missing from this listing (the calls are left
    # unclosed); reproduced as listed.
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-pwd is a password-authenticated key exchange (RFC 5931): no server
    # certificate is configured and, by design, the password itself never
    # crosses the air.
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity, presumably to exercise fragmentation.
    eap_connect(dev[1], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",

    # A wrong password must fail locally (no confirm from the server).
    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    # NTHash is MD4-based, so this case is presumably unavailable under FIPS.
    skip_with_fips(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # The "pwd-hash" user must authenticate either with the plaintext
    # password or with the equivalent pre-computed NT hash ("hash:" prefix).
    nthash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    eap_connect(dev[0], apdev[0], "PWD", "pwd-hash",
                password="secret password")
    eap_connect(dev[1], apdev[0], "PWD", "pwd-hash", password_hex=nthash)
    # Negative case: the same hash must not authenticate a different identity
    # ("pwd user"); the failure is expected to be reported locally.
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password_hex=nthash,
                expect_failure=True, local_error_report=True)
2408 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
2409 """WPA2-Enterprise connection using various EAP-pwd groups"""
# NOTE(review): this excerpt is missing lines (the `for ... in groups:` loop
# header, the try/except around the connection, and the tail after line
# 2435); verify against the full file.
2410 check_eap_capa(dev[0], "PWD")
2411 tls = dev[0].request("GET tls_library")
2412 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2413 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2414 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group numbers follow the IANA IKE DH group registry used by EAP-pwd:
# 19/20/21 are the NIST P-256/P-384/P-521 curves.
2415 groups = [ 19, 20, 21, 25, 26 ]
# Brainpool groups (27-30) are only attempted when OpenSSL 1.0.2 is used
# both at build and at run time.
2416 if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
2417 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
2418 groups += [ 27, 28, 29, 30 ]
# Per group: reconfigure the AP's pwd_group, connect, then tear down.
2420 logger.info("Group %d" % i)
2421 params['pwd_group'] = str(i)
2422 hostapd.add_ap(apdev[0]['ifname'], params)
2424 eap_connect(dev[0], apdev[0], "PWD", "pwd user",
2425 password="secret password")
2426 dev[0].request("REMOVE_NETWORK all")
2427 dev[0].wait_disconnected()
2428 dev[0].dump_monitor()
# A connection failure with group 25 is tolerated on BoringSSL only.
2430 if "BoringSSL" in tls and i in [ 25 ]:
2431 logger.info("Ignore connection failure with group %d with BoringSSL" % i)
2432 dev[0].request("DISCONNECT")
2434 dev[0].request("REMOVE_NETWORK all")
2435 dev[0].dump_monitor()
2439 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
2440 """WPA2-Enterprise connection using invalid EAP-pwd group"""
# NOTE(review): this excerpt is missing the `if ev is None:` guard that
# precedes the raise at line 2452; verify against the full file.
2441 check_eap_capa(dev[0], "PWD")
2442 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2443 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2444 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
# Group 0 is not a valid EAP-pwd group; the server must fail the EAP
# exchange rather than negotiate it.
2445 params['pwd_group'] = "0"
2446 hostapd.add_ap(apdev[0]['ifname'], params)
2447 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
2448 identity="pwd user", password="secret password",
2449 scan_freq="2412", wait_connect=False)
2450 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2452 raise Exception("Timeout on EAP failure report")
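def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP is configured by hand instead of via hostapd.wpa2_eap_params()
    # so that the server-side "fragment_size" can be set: 40 bytes forces the
    # EAP server to split the EAP-pwd messages into multiple fragments.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")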
2465 def test_ap_wpa2_eap_gpsk(dev, apdev):
2466 """WPA2-Enterprise connection using EAP-GPSK"""
# NOTE(review): this excerpt is missing lines (the `if ev is None:` guards
# before the raises at 2478 and 2485); verify against the full file.
2467 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2468 hostapd.add_ap(apdev[0]['ifname'], params)
# The network id is kept so phase1 can be changed on the same network below.
2469 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2470 password="abcdefghijklmnop0123456789abcdef")
2471 eap_reauth(dev[0], "GPSK")
# Force each supported GPSK ciphersuite in turn (presumably RFC 5433's
# AES-based suite 1 and SHA-256-based suite 2) and expect a fresh EAP success.
2473 logger.info("Test forced algorithm selection")
2474 for phase1 in [ "cipher=1", "cipher=2" ]:
2475 dev[0].set_network_quoted(id, "phase1", phase1)
2476 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2478 raise Exception("EAP success timed out")
2479 dev[0].wait_connected(timeout=10)
# An unsupported ciphersuite must make negotiation fail, not fall back.
2481 logger.info("Test failed algorithm negotiation")
2482 dev[0].set_network_quoted(id, "phase1", "cipher=9")
2483 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2485 raise Exception("EAP failure timed out")
2487 logger.info("Negative test with incorrect password")
2488 dev[0].request("REMOVE_NETWORK all")
2489 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
2490 password="ffcdefghijklmnop0123456789abcdef",
2491 expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # EAP-SAKE takes its pre-shared key as raw hex (32 bytes here).
    shared_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=shared_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Only the first byte differs from the correct key; authentication
    # must still fail.
    wrong_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=wrong_key,
                expect_failure=True)
2507 def test_ap_wpa2_eap_eke(dev, apdev):
2508 """WPA2-Enterprise connection using EAP-EKE"""
# NOTE(review): this excerpt is missing lines (the `if ev is None:` guards
# before the raises at 2522 and 2529); verify against the full file.
2509 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2510 hostapd.add_ap(apdev[0]['ifname'], params)
# The network id is kept so phase1 can be changed on the same network below.
2511 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2512 eap_reauth(dev[0], "EKE")
# Force specific EKE proposals (DH group / encryption / PRF / MAC) and
# expect a fresh EAP success for each.
2514 logger.info("Test forced algorithm selection")
2515 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
2516 "dhgroup=4 encr=1 prf=2 mac=2",
2517 "dhgroup=3 encr=1 prf=2 mac=2",
2518 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2519 dev[0].set_network_quoted(id, "phase1", phase1)
2520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
2522 raise Exception("EAP success timed out")
2523 dev[0].wait_connected(timeout=10)
# An unsupported proposal must make negotiation fail, not fall back.
2525 logger.info("Test failed algorithm negotiation")
2526 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2527 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2529 raise Exception("EAP failure timed out")
2531 logger.info("Negative test with incorrect password")
2532 dev[0].request("REMOVE_NETWORK all")
2533 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
2534 expect_failure=True)
2536 def test_ap_wpa2_eap_eke_many(dev, apdev, params):
2537 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
# NOTE(review): this excerpt is missing lines (the inner `for j ...` loop
# header, the `if ev is None:` guard, the success/fail counter updates and
# their initialisation); verify against the full file.
2538 if not params['long']:
2539 raise HwsimSkip("Skip test case with long duration due to --long not specified")
# `params` is rebound here from the test-runner options to the AP config.
2540 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2541 hostapd.add_ap(apdev[0]['ifname'], params)
2544 for i in range(100):
2546 dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
2547 identity="eke user", password="hello",
2548 phase1="dhgroup=3 encr=1 prf=1 mac=1",
2549 scan_freq="2412", wait_connect=False)
2551 ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
2552 "CTRL-EVENT-DISCONNECTED"], timeout=15)
2554 raise Exception("No connected/disconnected event")
2555 if "CTRL-EVENT-DISCONNECTED" in ev:
2557 # The RADIUS server limits on active sessions can be hit when
2558 # going through this test case, so try to give some more time
2559 # for the server to remove sessions.
2560 logger.info("Failed to connect i=%d j=%d" % (i, j))
2561 dev[j].request("REMOVE_NETWORK all")
2565 dev[j].request("REMOVE_NETWORK all")
2566 dev[j].wait_disconnected()
2567 dev[j].dump_monitor()
2568 logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # Internal EAP server with an NAI-formatted server identity; the client
    # is expected to complete EAP-EKE against it.
    server_params = int_eap_server_params()
    server_params['server_id'] = 'example.server@w1.fi'
    hostapd.add_ap(apdev[0]['ifname'], server_params)
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
2577 def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
2578 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
# NOTE(review): this excerpt is missing lines (the polling loops after the
# "This would eventually time out" comments, the `try:` matching the except
# at 2633, and the tail after 2637); verify against the full file.
2579 params = int_eap_server_params()
2580 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2581 dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)
# Inject the N-th allocation failure into each server-side EKE handler and
# require the authentication to fail cleanly.
2583 for count,func in [ (1, "eap_eke_build_commit"),
2584 (2, "eap_eke_build_commit"),
2585 (3, "eap_eke_build_commit"),
2586 (1, "eap_eke_build_confirm"),
2587 (2, "eap_eke_build_confirm"),
2588 (1, "eap_eke_process_commit"),
2589 (2, "eap_eke_process_commit"),
2590 (1, "eap_eke_process_confirm"),
2591 (1, "eap_eke_process_identity"),
2592 (2, "eap_eke_process_identity"),
2593 (3, "eap_eke_process_identity"),
2594 (4, "eap_eke_process_identity") ]:
2595 with alloc_fail(hapd, count, func):
2596 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello",
2597 expect_failure=True)
2598 dev[0].request("REMOVE_NETWORK all")
# Second set: failures in setup/teardown helpers; the connection is not
# waited for, only the trigger of the injected failure is checked.
2600 for count,func,pw in [ (1, "eap_eke_init", "hello"),
2601 (1, "eap_eke_get_session_id", "hello"),
2602 (1, "eap_eke_getKey", "hello"),
2603 (1, "eap_eke_build_msg", "hello"),
2604 (1, "eap_eke_build_failure", "wrong"),
2605 (1, "eap_eke_build_identity", "hello"),
2606 (2, "eap_eke_build_identity", "hello") ]:
2607 with alloc_fail(hapd, count, func):
2608 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2609 eap="EKE", identity="eke user", password=pw,
2610 wait_connect=False, scan_freq="2412")
2611 # This would eventually time out, but we can stop after having
2612 # reached the allocation failure.
# A GET_ALLOC_FAIL reply starting with '0' means the pending failure count
# has reached zero, i.e. the injected failure has fired.
2615 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2617 dev[0].request("REMOVE_NETWORK all")
# Walk allocation failures through the generic server state machine until
# "Allocation failure did not trigger" signals that no more exist.
2619 for count in range(1, 1000):
2621 with alloc_fail(hapd, count, "eap_server_sm_step"):
2622 dev[0].connect("test-wpa2-eap",
2623 key_mgmt="WPA-EAP WPA-EAP-SHA256",
2624 eap="EKE", identity="eke user", password=pw,
2625 wait_connect=False, scan_freq="2412")
2626 # This would eventually time out, but we can stop after having
2627 # reached the allocation failure.
2630 if hapd.request("GET_ALLOC_FAIL").startswith('0'):
2632 dev[0].request("REMOVE_NETWORK all")
# NOTE(review): Python 2-only except syntax; Python 3 needs
# `except Exception as e:`.
2633 except Exception, e:
2634 if str(e) == "Allocation failure did not trigger":
2636 raise Exception("Too few allocation failures")
2637 logger.info("%d allocation failures tested" % (count - 1))
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def connect(**kwargs):
        # Every connection in this test is for the same user; only the
        # extra network parameters vary.
        eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user", **kwargs)

    def drop_networks():
        dev[0].request("REMOVE_NETWORK all")

    connect(password="ike password")
    eap_reauth(dev[0], "IKEV2")
    drop_networks()
    # fragment_size here is a supplicant network parameter (contrast the
    # server-side fragment_size used by the *_as_frag case).
    connect(password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    drop_networks()
    connect(password="ike-password", expect_failure=True)
    drop_networks()

    # fragment_size="0" special case.
    connect(password="ike password", fragment_size="0")
    drop_networks()
    dev[0].wait_disconnected()
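def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP is configured by hand instead of via hostapd.wpa2_eap_params()
    # so that the server-side "fragment_size" can be set: 50 bytes forces the
    # EAP server to split the EAP-IKEv2 messages into multiple fragments.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")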
2677 def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
2678 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
# NOTE(review): this excerpt is missing lines (one entry of the first
# `tests` list at 2684, the `if ev is None:` guards, and the polling loops
# around the GET_ALLOC_FAIL / GET_FAIL checks); verify against the full file.
2679 check_eap_capa(dev[0], "IKEV2")
2680 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2681 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures in the client's Diffie-Hellman setup; the method must
# be selected first, then the injected failure is expected to fire.
2683 tests = [ (1, "dh_init"),
2685 (1, "dh_derive_shared") ]
2686 for count, func in tests:
2687 with alloc_fail(dev[0], count, func):
2688 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2689 identity="ikev2 user", password="ike password",
2690 wait_connect=False, scan_freq="2412")
2691 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2693 raise Exception("EAP method not selected")
2695 if "0:" in dev[0].request("GET_ALLOC_FAIL"):
2698 dev[0].request("REMOVE_NETWORK all")
# Forced failure of the random source inside dh_init (not an allocation):
# the client must not proceed with DH setup when os_get_random() fails.
2700 tests = [ (1, "os_get_random;dh_init") ]
2701 for count, func in tests:
2702 with fail_test(dev[0], count, func):
2703 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
2704 identity="ikev2 user", password="ike password",
2705 wait_connect=False, scan_freq="2412")
2706 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2708 raise Exception("EAP method not selected")
2710 if "0:" in dev[0].request("GET_FAIL"):
2713 dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    user = "pax.user@example.com"
    # EAP-PAX takes its 16-byte shared key as raw hex.
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the key altered; authentication must fail.
    eap_connect(dev[0], apdev[0], "PAX", user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA-256 based 802.1X AKM with PMF required (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    user = "psk.user@example.com"
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # 00-0f-ac-5 is the IEEE 802.1X-SHA256 AKM suite selector; both the
    # requested and the selected suite must report it.
    expected_akm = "00-0f-ac-5"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", expected_akm),
                       ("dot11RSNAAuthenticationSuiteSelected", expected_akm)])

    # The scan result must advertise the SHA-256 AKM as well.
    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    bss_flags = bss['flags']
    if "[WPA2-EAP-SHA256-CCMP]" not in bss_flags:
        raise Exception("Unexpected BSS flags: " + bss_flags)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # First byte of the key altered; authentication must fail.
    eap_connect(dev[0], apdev[0], "PSK", user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
2753 def test_ap_wpa2_eap_psk_oom(dev, apdev):
2754 """WPA2-Enterprise connection using EAP-PSK and OOM"""
# NOTE(review): this excerpt is missing the `if ev is None:` guards before
# the raises at 2768, 2791 and 2804; verify against the full file.
2755 skip_with_fips(dev[0])
2756 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2757 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures inside the AES-EAX primitives used by EAP-PSK. The
# method must first be selected, then the injected failure must fire
# (wait_fail_trigger raises with the given note otherwise).
2758 tests = [ (1, "=aes_128_eax_encrypt"),
2759 (1, "=aes_128_eax_decrypt") ]
2760 for count, func in tests:
2761 with alloc_fail(dev[0], count, func):
2762 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2763 identity="psk.user@example.com",
2764 password_hex="0123456789abcdef0123456789abcdef",
2765 wait_connect=False, scan_freq="2412")
2766 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2768 raise Exception("EAP method not selected")
2769 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
2770 note="Failure not triggered: %d:%s" % (count, func))
2771 dev[0].request("REMOVE_NETWORK all")
2772 dev[0].wait_disconnected()
# Forced (non-allocation) failures of the CTR / OMAC1 building blocks of
# AES-EAX; "a;b" selects a failure in a when called from b.
2774 tests = [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2775 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2776 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2777 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2778 (1, "omac1_aes_vector"),
2779 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2780 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2781 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2782 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt") ]
2783 for count, func in tests:
2784 with fail_test(dev[0], count, func):
2785 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2786 identity="psk.user@example.com",
2787 password_hex="0123456789abcdef0123456789abcdef",
2788 wait_connect=False, scan_freq="2412")
2789 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
2791 raise Exception("EAP method not selected")
2792 wait_fail_trigger(dev[0], "GET_FAIL",
2793 note="Failure not triggered: %d:%s" % (count, func))
2794 dev[0].request("REMOVE_NETWORK all")
2795 dev[0].wait_disconnected()
# A failing block cipher must surface as an EAP failure rather than a
# connection with unusable key material.
2797 with fail_test(dev[0], 1, "aes_128_encrypt_block"):
2798 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
2799 identity="psk.user@example.com",
2800 password_hex="0123456789abcdef0123456789abcdef",
2801 wait_connect=False, scan_freq="2412")
2802 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
2804 raise Exception("EAP method failure not reported")
2805 dev[0].request("REMOVE_NETWORK all")
2806 dev[0].wait_disconnected()
2808 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
2809 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
# NOTE(review): this excerpt is missing line 2816 (the closing argument of
# the connect() call); verify against the full file.
2810 check_eap_capa(dev[0], "MSCHAPV2")
# WPA (TKIP-era, not WPA2/RSN) enterprise AP; rsn=False below reflects that.
2811 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
2812 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2813 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
2814 identity="user", password="password", phase2="auth=MSCHAPV2",
2815 ca_cert="auth_serv/ca.pem", wait_connect=False,
2817 eap_check_auth(dev[0], "PEAP", True, rsn=False)
2818 hwsim_utils.test_connectivity(dev[0], hapd)
2819 eap_reauth(dev[0], "PEAP", rsn=False)
# 00-50-f2-1 is the WPA (Microsoft OUI) 802.1X AKM suite selector.
2820 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2821 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2822 status = dev[0].get_status(extra="VERBOSE")
2823 if 'portControl' not in status:
2824 raise Exception("portControl missing from STATUS-VERBOSE")
2825 if status['portControl'] != 'Auto':
2826 raise Exception("Unexpected portControl value: " + status['portControl'])
2827 if 'eap_session_id' not in status:
2828 raise Exception("eap_session_id missing from STATUS-VERBOSE")
# The EAP Session-Id starts with the method type byte; 0x19 = 25 = PEAP.
2829 if not status['eap_session_id'].startswith("19"):
2830 raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
2832 def test_ap_wpa2_eap_interactive(dev, apdev):
2833 """WPA2-Enterprise connection using interactive identity/password entry"""
# NOTE(review): this excerpt is missing lines (the tail of the first tuple
# at 2841, the loop body's first line at 2854, and the `if ev is None:`
# guards); verify against the full file.
2834 check_eap_capa(dev[0], "MSCHAPV2")
2835 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2836 hostapd.add_ap(apdev[0]['ifname'], params)
2837 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# Each tuple: (description, eap, anonymous_identity, identity, phase2,
# identity supplied on request, password supplied on request). A None
# identity/password means the supplicant must ask for it at run time
# instead of reading it from the stored network configuration.
2839 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2840 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2842 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2843 "TTLS", "ttls", None, "auth=MSCHAPV2",
2844 "DOMAIN\mschapv2 user", "password"),
2845 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2846 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2847 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2848 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2849 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2850 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2851 ("Connection with dynamic PEAP/EAP-GTC password entry",
2852 "PEAP", None, "user", "auth=GTC", None, "password") ]
2853 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
2855 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
2856 anonymous_identity=anon, identity=identity,
2857 ca_cert="auth_serv/ca.pem", phase2=phase2,
2858 wait_connect=False, scan_freq="2412")
# Answer the CTRL-REQ-IDENTITY prompt; the request id is the trailing
# number of the event's first field.
2860 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2862 raise Exception("Request for identity timed out")
2863 id = ev.split(':')[0].split('-')[-1]
2864 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
# Either a password or an OTP may be requested; reply with the matching
# CTRL-RSP type.
2865 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2867 raise Exception("Request for password timed out")
2868 id = ev.split(':')[0].split('-')[-1]
# NOTE(review): `type` shadows the builtin; a name such as `rsp_type`
# would be clearer.
2869 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
2870 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
2871 dev[0].wait_connected(timeout=10)
2872 dev[0].request("REMOVE_NETWORK all")
2874 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
2875 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
# NOTE(review): this excerpt is missing lines (the `if ev is None:` guard
# at 2891 and the `if ev is not None:`-style guard at 2900); verify against
# the full file.
2876 check_eap_capa(dev[0], "MSCHAPV2")
2877 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2878 hostapd.add_ap(apdev[0]['ifname'], params)
2879 hapd = hostapd.Hostapd(apdev[0]['ifname'])
# A second, unrelated open network is added but not enabled yet.
2881 id_other = dev[0].connect("other", key_mgmt="NONE", scan_freq="2412",
2882 only_add_network=True)
# identity=None forces the supplicant to request the identity interactively.
2884 req_id = "DOMAIN\mschapv2 user"
2885 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2886 anonymous_identity="ttls", identity=None,
2887 password="password",
2888 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2889 wait_connect=False, scan_freq="2412")
2890 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
2892 raise Exception("Request for identity timed out")
2893 id = ev.split(':')[0].split('-')[-1]
2894 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
2895 dev[0].wait_connected(timeout=10)
# Enabling the other network while connected must not trigger a new
# authentication attempt.
2897 if "OK" not in dev[0].request("ENABLE_NETWORK " + str(id_other)):
2898 raise Exception("Failed to enable network")
2899 ev = dev[0].wait_event(["SME: Trying to authenticate"], timeout=1)
2901 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2902 dev[0].request("REMOVE_NETWORK all")
2904 def test_ap_wpa2_eap_vendor_test(dev, apdev):
2905 """WPA2-Enterprise connection using EAP vendor test"""
# NOTE(review): this excerpt is missing lines 2911-2912 (the remaining
# arguments of the dev[1] eap_connect() call); verify against the full file.
2906 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2907 hostapd.add_ap(apdev[0]['ifname'], params)
2908 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
2909 eap_reauth(dev[0], "VENDOR-TEST")
2910 eap_connect(dev[1], apdev[0], "VENDOR-TEST", "vendor-test",
2913 def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
2914 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
# NOTE(review): this excerpt is missing lines (the `for func in tests:`
# loop header at 2921 and parts of the connect() call at 2924/2926);
# verify against the full file.
2915 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2916 hostapd.add_ap(apdev[0]['ifname'], params)
# First allocation failure in each vendor-test method entry point; the
# injected failure must fire (wait_fail_trigger raises otherwise).
2918 tests = [ "eap_vendor_test_init",
2919 "eap_msg_alloc;eap_vendor_test_process",
2920 "eap_vendor_test_getKey" ]
2922 with alloc_fail(dev[0], 1, func):
2923 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
2925 eap="VENDOR-TEST", identity="vendor-test",
2927 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
2928 dev[0].request("REMOVE_NETWORK all")
2929 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=1 allows unauthenticated (anonymous) PAC
    # provisioning; the PAC is kept in the supplicant's blob store rather
    # than written to disk.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Re-authentication must resume the TLS session through the PAC ticket
    # obtained during provisioning.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
2945 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
2946 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
# NOTE(review): this excerpt is missing lines (the `try:` around the
# connections, the `data = f.read()` line, the pac_file arguments of the
# later eap_connect() calls and the `finally:` cleanup before 2987);
# verify against the full file.
2947 check_eap_capa(dev[0], "FAST")
# The PAC files (which hold the PAC-Key shared secret) are written under
# the test run's logdir, in text and in binary format respectively.
2948 pac_file = os.path.join(params['logdir'], "fast.pac")
2949 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
# `params` is rebound here from the test-runner options to the AP config.
2950 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2951 hostapd.add_ap(apdev[0]['ifname'], params)
# Provision a PAC into the text file, then verify its header and PAC-Key.
2954 eap_connect(dev[0], apdev[0], "FAST", "user",
2955 anonymous_identity="FAST", password="password",
2956 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2957 phase1="fast_provisioning=1", pac_file=pac_file)
2958 with open(pac_file, "r") as f:
2960 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
2961 raise Exception("PAC file header missing")
2962 if "PAC-Key=" not in data:
2963 raise Exception("PAC-Key missing from PAC file")
# Reconnect without provisioning: the stored PAC must be usable as-is.
2964 dev[0].request("REMOVE_NETWORK all")
2965 eap_connect(dev[0], apdev[0], "FAST", "user",
2966 anonymous_identity="FAST", password="password",
2967 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
# Same sequence for the binary PAC format on dev[1].
2970 eap_connect(dev[1], apdev[0], "FAST", "user",
2971 anonymous_identity="FAST", password="password",
2972 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2973 phase1="fast_provisioning=1 fast_pac_format=binary",
2975 dev[1].request("REMOVE_NETWORK all")
2976 eap_connect(dev[1], apdev[0], "FAST", "user",
2977 anonymous_identity="FAST", password="password",
2978 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
2979 phase1="fast_pac_format=binary",
2987 os.remove(pac_file2)
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    def connect_fast(max_pac_list_len):
        # Provision and connect using the binary PAC format, with
        # fast_max_pac_list_len set to max_pac_list_len (presumably the
        # bound on the number of PACs kept in the blob).
        phase1 = ("fast_provisioning=1 fast_max_pac_list_len=%d "
                  "fast_pac_format=binary" % max_pac_list_len)
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1=phase1, pac_file="blob://fast_pac_bin")

    connect_fast(1)
    # Re-authentication must resume the TLS session through the PAC ticket.
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    connect_fast(0)
3014 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
3015 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
# NOTE(review): this excerpt is missing the `if ev is None:` guards before
# the raises at 3028 and 3038; verify against the full file.
3016 check_eap_capa(dev[0], "FAST")
3017 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3018 hostapd.add_ap(apdev[0]['ifname'], params)
# No fast_provisioning in phase1 and an empty/unused PAC blob: with no PAC
# and no way to provision one, EAP-FAST must fail rather than connect.
3020 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3021 identity="user", anonymous_identity="FAST",
3022 password="password",
3023 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3024 pac_file="blob://fast_pac_not_in_use",
3025 wait_connect=False, scan_freq="2412")
3026 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3028 raise Exception("Timeout on EAP failure report")
3029 dev[0].request("REMOVE_NETWORK all")
# Same expectation with no pac_file configured at all.
3031 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3032 identity="user", anonymous_identity="FAST",
3033 password="password",
3034 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3035 wait_connect=False, scan_freq="2412")
3036 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3038 raise Exception("Timeout on EAP failure report")
3040 def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
3041 """EAP-FAST and binary PAC errors"""
# NOTE(review): this excerpt is missing lines (the `for t in tests:` loop
# header at 3068, the timeout/`if ev is None:` lines of the wait_event()
# calls, and a list entry at 3063); verify against the full file.
3042 check_eap_capa(dev[0], "FAST")
3043 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3044 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures while saving/writing a binary PAC; each run starts
# from an empty blob so no earlier PAC is reused.
3046 tests = [ (1, "=eap_fast_save_pac_bin"),
3047 (1, "eap_fast_write_pac"),
3048 (2, "eap_fast_write_pac"), ]
3049 for count, func in tests:
3050 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors "):
3051 raise Exception("Could not set blob")
3053 with alloc_fail(dev[0], count, func):
3054 eap_connect(dev[0], apdev[0], "FAST", "user",
3055 anonymous_identity="FAST", password="password",
3056 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3057 phase1="fast_provisioning=1 fast_pac_format=binary",
3058 pac_file="blob://fast_pac_bin_errors")
3059 dev[0].request("REMOVE_NETWORK all")
3060 dev[0].wait_disconnected()
# Malformed binary PAC blobs (hex): truncated data, bad header, and
# inconsistent length fields. "6ae4920c" presumably is the binary PAC
# magic; the parser must reject each blob at method init rather than
# read past the buffer.
3062 tests = [ "00", "000000000000", "6ae4920c0001",
3064 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3065 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3066 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3067 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3069 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + t):
3070 raise Exception("Could not set blob")
3072 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3073 identity="user", anonymous_identity="FAST",
3074 password="password",
3075 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3076 phase1="fast_provisioning=1 fast_pac_format=binary",
3077 pac_file="blob://fast_pac_bin_errors",
3078 scan_freq="2412", wait_connect=False)
3079 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3082 raise Exception("Failure not reported")
3083 dev[0].request("REMOVE_NETWORK all")
3084 dev[0].wait_disconnected()
# A well-formed but empty PAC blob, with allocation failures injected into
# the loader; method init must fail cleanly.
3086 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3087 tests = [ (1, "eap_fast_load_pac_bin"),
3088 (2, "eap_fast_load_pac_bin"),
3089 (3, "eap_fast_load_pac_bin") ]
3090 for count, func in tests:
3091 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3092 raise Exception("Could not set blob")
3094 with alloc_fail(dev[0], count, func):
3095 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3096 identity="user", anonymous_identity="FAST",
3097 password="password",
3098 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3099 phase1="fast_provisioning=1 fast_pac_format=binary",
3100 pac_file="blob://fast_pac_bin_errors",
3101 scan_freq="2412", wait_connect=False)
3102 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
3105 raise Exception("Failure not reported")
3106 dev[0].request("REMOVE_NETWORK all")
3107 dev[0].wait_disconnected()
# A blob with a trailing (presumably unrecognised) attribute must still
# allow a normal connection.
3109 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3110 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3111 raise Exception("Could not set blob")
3113 eap_connect(dev[0], apdev[0], "FAST", "user",
3114 anonymous_identity="FAST", password="password",
3115 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3116 phase1="fast_provisioning=1 fast_pac_format=binary",
3117 pac_file="blob://fast_pac_bin_errors")
3118 dev[0].request("REMOVE_NETWORK all")
3119 dev[0].wait_disconnected()
# Allocation failures while extracting the A-ID from a blob that carries one.
3121 pac = "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3122 tests = [ (1, "eap_fast_pac_get_a_id"),
3123 (2, "eap_fast_pac_get_a_id") ]
3124 for count, func in tests:
3125 if "OK" not in dev[0].request("SET blob fast_pac_bin_errors " + pac):
3126 raise Exception("Could not set blob")
3127 with alloc_fail(dev[0], count, func):
3128 eap_connect(dev[0], apdev[0], "FAST", "user",
3129 anonymous_identity="FAST", password="password",
3130 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3131 phase1="fast_provisioning=1 fast_pac_format=binary",
3132 pac_file="blob://fast_pac_bin_errors")
3133 dev[0].request("REMOVE_NETWORK all")
3134 dev[0].wait_disconnected()
3136 def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
3137 """EAP-FAST and text PAC errors"""
# NOTE(review): this excerpt is missing lines (the lines building `pac` at
# 3165-3167, the `if ev is None:` guard at 3179, the `for i ...` loop
# header at 3189 and the tail after 3207); verify against the full file.
3138 check_eap_capa(dev[0], "FAST")
3139 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
3140 hostapd.add_ap(apdev[0]['ifname'], params)
# Allocation failures in the text PAC parser/saver; "a;b" selects a failure
# in a when called from b. FLUSH plus an empty blob gives each run a clean
# state, and the injected failure must fire.
3142 tests = [ (1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3143 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3144 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3145 (1, "eap_fast_parse_start"),
3146 (1, "eap_fast_save_pac") ]
3147 for count, func in tests:
3148 dev[0].request("FLUSH")
3149 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3150 raise Exception("Could not set blob")
3152 with alloc_fail(dev[0], count, func):
3153 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3154 identity="user", anonymous_identity="FAST",
3155 password="password",
3156 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3157 phase1="fast_provisioning=1",
3158 pac_file="blob://fast_pac_text_errors",
3159 scan_freq="2412", wait_connect=False)
3160 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
3161 dev[0].request("REMOVE_NETWORK all")
3162 dev[0].wait_disconnected()
# A malformed text PAC (header only plus whatever the missing lines append)
# must make method initialisation fail.
3164 pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
# NOTE(review): str.encode("hex") is Python 2 only; Python 3 would need
# binascii.hexlify() on the encoded bytes.
3168 if "OK" not in dev[0].request("SET blob fast_pac_text_errors " + pac.encode("hex")):
3169 raise Exception("Could not set blob")
3171 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
3172 identity="user", anonymous_identity="FAST",
3173 password="password",
3174 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3175 phase1="fast_provisioning=1",
3176 pac_file="blob://fast_pac_text_errors",
3177 scan_freq="2412", wait_connect=False)
3178 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
3180 raise Exception("Failure not reported")
3181 dev[0].request("REMOVE_NETWORK all")
3182 dev[0].wait_disconnected()
3184 dev[0].request("FLUSH")
3185 if "OK" not in dev[0].request("SET blob fast_pac_text_errors "):
3186 raise Exception("Could not set blob")
# Provision PACs from several distinct servers (each with its own A-ID,
# A-ID-Info and PAC-Opaque key) into the same blob while an allocation
# failure is pending in eap_fast_add_pac_data.
3188 with alloc_fail(dev[0], 1, "eap_fast_add_pac_data"):
3190 params = int_eap_server_params()
3191 params['ssid'] = "test-wpa2-eap-2"
3192 params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3193 params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3194 params['eap_fast_a_id_info'] = "test server %d" % i
3196 hapd2 = hostapd.add_ap(apdev[1]['ifname'], params)
3198 dev[0].connect("test-wpa2-eap-2", key_mgmt="WPA-EAP", eap="FAST",
3199 identity="user", anonymous_identity="FAST",
3200 password="password",
3201 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
3202 phase1="fast_provisioning=1",
3203 pac_file="blob://fast_pac_text_errors",
3204 scan_freq="2412", wait_connect=False)
3205 dev[0].wait_connected()
3206 dev[0].request("REMOVE_NETWORK all")
3207 dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation

    Provisions PACs with fast_max_pac_list_len=2 so that older entries in
    the PAC blob have to be dropped.

    NOTE(review): this copy is missing the loop header that binds ``i``
    (used in the ``%`` formats below) — presumably several distinct
    authority IDs are iterated; confirm against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    # Start from an empty PAC blob
    if "OK" not in dev[0].request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    params = int_eap_server_params()
    # Distinct PAC encryption key and A-ID per server instance so the client
    # stores a separate PAC for each
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                   pac_file="blob://fast_pac_truncate",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh

    Two provisioning rounds against servers with a short PAC key lifetime:
    first with pac_key_refresh_time=1 and then with pac_key_refresh_time=10.

    NOTE(review): this copy is missing the line that binds ``i`` (used in
    the ``%`` formats below) and the lines between the two rounds (likely
    the teardown of the first AP); confirm against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # hostapd config values are strings; times are in seconds
    params['pac_key_refresh_time'] = "1"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Second round: same lifetime, refresh window no longer reached
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    params['pac_key_refresh_time'] = "10"
    params['pac_key_lifetime'] = "10"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="fast_provisioning=1",
                   pac_file="blob://fast_pac_refresh",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
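def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime

    Provisions a PAC with a 2 second lifetime and no refresh window, checks
    that a full re-authentication after the PAC has expired fails, and that
    selecting the network again re-provisions and connects.

    NOTE(review): this copy is missing the line that binds ``i`` (used in
    the ``%`` formats below) and the lines between the first disconnect and
    the PMKSA flush (presumably a wait for the lifetime to pass); confirm
    against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    if "OK" not in dev[0].request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # Seconds, as strings; no refresh window so the PAC simply expires
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    netid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                           identity="user", anonymous_identity="FAST",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=2",
                           pac_file="blob://fast_pac_refresh",
                           scan_freq="2412", wait_connect=False)
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Drop the cached PMK so the reconnect has to run a full EAP exchange
    # with the (expired) PAC rather than resuming from PMKSA caching
    dev[0].request("PMKSA_FLUSH")
    dev[0].request("RECONNECT")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:  # NOTE(review): guard restored; missing from this copy
        raise Exception("No EAP-Failure seen after expired PAC")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # A fresh attempt is expected to provision a new PAC and connect
    dev[0].select_network(netid)
    dev[0].wait_connected()
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()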
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    Provisions a PAC over an authenticated (server-certificate validated)
    tunnel, verifies data connectivity, and then checks that a
    re-authentication resumes the TLS session with the PAC.
    """
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated provisioning only
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, hapd)
    reused = eap_reauth(sta, "FAST")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
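def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing

    After a successful authenticated-provisioning connection the identity of
    the live network profile is changed; the resulting reconnection is
    expected to start EAP-FAST and then fail.
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")
    # Changing the identity on the connected profile triggers a reconnection
    dev[0].set_network_quoted(netid, "identity", "user2")
    dev[0].wait_disconnected()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:  # NOTE(review): guard restored; missing from this copy
        raise Exception("EAP-FAST not started")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
    if ev is None:  # NOTE(review): guard restored; missing from this copy
        raise Exception("EAP failure not reported")
    dev[0].wait_disconnected()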
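def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF

    Forces an allocation failure inside the TLS PRF used by EAP-FAST and
    expects the authentication to fail cleanly.

    NOTE(review): this copy is missing the ``count`` assignments in the TLS
    library branches (``count`` is passed to alloc_fail below) and the
    phase2 argument of the connect call; confirm against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    # The PRF is implemented in a different function per TLS backend
    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func = "openssl_tls_prf"
    elif tls.startswith("internal"):
        func = "tls_connection_prf"
    else:  # NOTE(review): branch keyword restored; missing from this copy
        raise HwsimSkip("Unsupported TLS library")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    with alloc_fail(dev[0], count, func):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                       identity="user", anonymous_identity="FAST",
                       password="password", ca_cert="auth_serv/ca.pem",
                       phase1="fast_provisioning=2",
                       pac_file="blob://fast_pac_auth",
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:  # NOTE(review): guard restored; missing from this copy
            raise Exception("EAP failure not reported")
    dev[0].request("DISCONNECT")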
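def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM

    Forces an allocation failure in hostapd's session ticket extension
    callback during EAP-FAST provisioning and expects the client to see an
    EAP failure; the network is then selected again without the failure
    armed.

    NOTE(review): the lines after the final select_network() are missing
    from this copy (presumably a wait for the connection to complete).
    """
    check_eap_capa(dev[0], "FAST")

    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    # Test-only PAC encryption key and authority ID for the integrated server
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    with alloc_fail(hapd, 1, "tls_session_ticket_ext_cb"):
        netid = eap_connect(dev[0], apdev[0], "FAST", "user",
                            anonymous_identity="FAST", password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=1",
                            pac_file="blob://fast_pac",
                            expect_failure=True)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:  # NOTE(review): guard restored; missing from this copy
            raise Exception("No EAP failure reported")
        dev[0].wait_disconnected()
        dev[0].request("DISCONNECT")

    dev[0].select_network(netid, freq="2412")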
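def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites

    Checks the cipher suite negotiated during provisioning and then forces
    each suite in ``tests`` via openssl_ciphers while authenticating with the
    provisioned PAC.

    NOTE(review): part of the ``tests`` cipher list and the ``try:``,
    ``continue``, ``raise`` and ``if res != cipher:`` control lines are
    missing from this copy; the control lines were restored in the form the
    error handling implies — confirm against upstream.
    """
    check_eap_capa(dev[0], "FAST")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Provisioning with the default cipher list must select DHE-RSA-AES256-SHA
    dev[0].request("SET blob fast_pac_ciphers ")
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = dev[0].get_status_field('EAP TLS cipher')
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # The handler below tolerates a failure for "RC4-SHA", so the original
    # list presumably contained it as well
    tests = [ "DHE-RSA-AES128-SHA",
              "DHE-RSA-AES256-SHA" ]
    for cipher in tests:
        dev[0].dump_monitor()
        logger.info("Testing " + cipher)
        try:
            eap_connect(dev[0], apdev[0], "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers")
        except Exception as e:
            # RC4 is not available with OpenSSL 1.1 at runtime, so a method
            # selection failure for that suite is tolerated there; any other
            # failure is re-raised.
            if "Could not select EAP method" in str(e) and cipher == "RC4-SHA":
                tls = dev[0].request("GET tls_library")
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    dev[0].request("REMOVE_NETWORK all")
                    dev[0].wait_disconnected()
                    continue
            raise
        res = dev[0].get_status_field('EAP TLS cipher')
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
        if res != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))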
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Client credentials come from a PKCS#12 bundle; ocsp=2 makes a valid
    stapled OCSP response for the server certificate mandatory.
    """
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi

    Same connection as the plain OCSP test, but only run on builds that
    support multiple stapled OCSP responses (status_request_v2).
    """
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
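def int_eap_server_params():
    """Return hostapd parameters for an AP using the integrated EAP server.

    The dict configures WPA2-Enterprise (WPA-EAP / CCMP) with hostapd's own
    EAP server (``eap_server=1``) backed by the test user database and the
    server certificate, key, CA and DH parameters under ``auth_serv/``.
    A fresh dict is built on every call, so callers may modify it freely.

    NOTE(review): the return statement was missing from this copy; every
    caller assigns the result, so it is restored here.
    """
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               "dh_file": "auth_serv/dh.conf" }
    return params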
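def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID

    Staples a pre-generated response (from the test log directory) whose
    responder is identified by key ID rather than by name and expects the
    connection to succeed with ocsp=2 (valid stapled response required).
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")  # NOTE(review): closing argument restored; missing from this copy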
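def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)

    Staples a pre-generated CA-signed "good" response and expects the
    connection to succeed with ocsp=2 (valid stapled response required).
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   scan_freq="2412")  # NOTE(review): closing argument restored; missing from this copy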
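def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)

    With ocsp=2 a stapled response reporting the server certificate as
    revoked must abort the handshake: an EAP status event naming the
    certificate status problem is expected, followed by EAP failure.

    NOTE(review): the status-wait loop control lines (counter, ``while``,
    ``break``s, bound check) and the timeout guards are missing from this
    copy and were restored in the file's usual form; confirm against
    upstream.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the certificate status problem
    # is reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        if 'certificate revoked' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")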
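def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)

    With ocsp=2 a stapled response with status "unknown" is not a valid
    confirmation and must abort the handshake with an EAP failure.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")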
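def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response

    A response signed by the server certificate itself is not an acceptable
    responder for its own status; with ocsp=2 the handshake must fail.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")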
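def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data

    hostapd is made to staple an OCSP *request* file instead of a response;
    the client must reject the malformed status data and fail the handshake.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")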
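def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    A stapled response that does not validate must abort the handshake with
    ocsp=2.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")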
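def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer

    A stapled response signed by a key the client cannot tie to the issuer
    must not be accepted as a status confirmation; with ocsp=2 the handshake
    must fail.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")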
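def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Same revoked-status check as the EAP-TLS variant, but over EAP-TTLS/PAP
    so that the tunnel is rejected before any inner credentials are sent.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the certificate status problem
    # is reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        if 'certificate revoked' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")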
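def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    With ocsp=2 a stapled response with status "unknown" must abort the
    EAP-TTLS tunnel setup with an EAP failure.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form;
    confirm against upstream.
    """
    check_ocsp_support(dev[0])
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Skip unrelated EAP status events until the bad status response is
    # reported, with a bound on how many are tolerated
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")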
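def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP, status unknown

    Counterpart of test_ap_wpa2_eap_ttls_ocsp_unknown with ocsp=1: OCSP
    stapling is requested but not required, so an "unknown" status does not
    block the connection and the connect is expected to complete normally.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")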
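def test_ap_wpa2_eap_tls_intermediate_ca(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA

    Both sides present a chain through an intermediate CA: the server uses
    the iCA-server chain and the client the iCA-user chain, each validated
    against the other's "ca-and-root" bundle.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                   client_cert="auth_serv/iCA-user/user.pem",
                   private_key="auth_serv/iCA-user/user.key",
                   scan_freq="2412")  # NOTE(review): closing argument restored; missing from this copy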
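def root_ocsp(cert):
    """Generate an OCSP response for *cert* signed by the test root CA.

    Runs ``openssl ocsp`` twice: first to build a request for *cert* with
    the root CA as issuer, then to answer that request from the root CA's
    index with a response valid for 7 days.  Returns the path of the
    DER-encoded response file; the caller owns it and should remove it.

    NOTE(review): several lines of this function are missing from this copy
    (closing of the temporary descriptors, the end of the second argument
    list, cleanup and the return); they were restored in the minimal form the
    callers require — confirm against upstream.
    """
    ca = "auth_serv/ca.pem"

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)  # only the path is needed; openssl writes the file

    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
            "-no_nonce", "-sha256", "-text" ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    # communicate() drains both pipes together; reading stdout to EOF before
    # stderr can deadlock if the child fills the stderr pipe first
    out, err = cmd.communicate()
    res = out + "\n" + err
    logger.info("OCSP request:\n" + res)

    fd, fn = tempfile.mkstemp()
    os.close(fd)
    # NOTE(review): the last line of this argument list is missing from this
    # copy; the list is closed as found.
    arg = [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
            "-rsigner", ca, "-rkey", "auth_serv/ca-key.pem",
            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
            ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    out, err = cmd.communicate()
    res = out + "\n" + err
    logger.info("OCSP response:\n" + res)

    os.unlink(fn2)  # the request file is no longer needed
    return fn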
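def ica_ocsp(cert):
    """Generate an OCSP response for *cert* signed by the test intermediate CA.

    *cert* is a file name relative to ``auth_serv/iCA-server/``.  Mirrors
    root_ocsp() but uses the intermediate CA certificate, key and index.
    Returns the path of the DER-encoded response file; the caller owns it
    and should remove it.

    NOTE(review): the ``def`` line, the closing of the temporary
    descriptors, the end of the second argument list, cleanup and the return
    are missing from this copy and were restored in the minimal form the
    callers (``ica_ocsp("server.pem")``) require — confirm against upstream.
    """
    prefix = "auth_serv/iCA-server/"
    ca = prefix + "cacert.pem"
    cert = prefix + cert

    fd2, fn2 = tempfile.mkstemp()
    os.close(fd2)  # only the path is needed; openssl writes the file

    arg = [ "openssl", "ocsp", "-reqout", fn2, "-issuer", ca, "-cert", cert,
            "-no_nonce", "-sha256", "-text" ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    # communicate() drains both pipes together; reading stdout to EOF before
    # stderr can deadlock if the child fills the stderr pipe first
    out, err = cmd.communicate()
    res = out + "\n" + err
    logger.info("OCSP request:\n" + res)

    fd, fn = tempfile.mkstemp()
    os.close(fd)
    # NOTE(review): the last line of this argument list is missing from this
    # copy; the list is closed as found.
    arg = [ "openssl", "ocsp", "-index", prefix + "index.txt",
            "-rsigner", ca, "-rkey", prefix + "private/cakey.pem",
            "-CA", ca, "-issuer", ca, "-verify_other", ca, "-trust_other",
            "-ndays", "7", "-reqin", fn2, "-resp_no_certs", "-respout", fn,
            ]
    cmd = subprocess.Popen(arg, stdout=subprocess.PIPE,
                           stderr=subprocess.PIPE)
    out, err = cmd.communicate()
    res = out + "\n" + err
    logger.info("OCSP response:\n" + res)

    os.unlink(fn2)  # the request file is no longer needed
    return fn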
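def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on server certificate

    The stapled response for the server certificate is generated on the fly
    by ica_ocsp(); with ocsp=2 it must validate for the connection to
    succeed.  The temporary response file is removed afterwards.

    NOTE(review): the lines after the connect call are missing from this
    copy; the cleanup below is the reviewer's restoration.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn

    try:
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert="auth_serv/iCA-user/user.pem",
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=2)
    finally:
        os.unlink(fn)  # generated response is not needed once the test ends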
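def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate

    Even with optional OCSP (ocsp=1) a stapled response that reports the
    server certificate as revoked must abort the handshake: no EAP-Success
    may be seen, the certificate status problem must be reported and EAP
    failure must follow.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form,
    as is the temp-file cleanup; confirm against upstream.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
    params["private_key"] = "auth_serv/iCA-server/server-revoked.key"
    fn = ica_ocsp("server-revoked.pem")
    params["ocsp_stapling_response"] = fn

    try:
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert="auth_serv/iCA-user/user.pem",
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=1, wait_connect=False)

        # Skip unrelated EAP status events until the certificate status
        # problem is reported; an EAP-Success in the meantime is a failure
        count = 0
        while True:
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev:
                break
            if 'certificate revoked' in ev:
                break
            count = count + 1
            if count > 10:
                raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)  # generated response is not needed once the test ends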
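def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi missing response

    With ocsp=3 a valid status is required for every non-trusted
    certificate in the chain.  Only the server certificate's response is
    stapled here (nothing for the intermediate CA), so the handshake must
    fail rather than succeed with a partially verified chain.

    NOTE(review): the status-wait loop control lines and the timeout guards
    are missing from this copy and were restored in the file's usual form,
    as is the temp-file cleanup; confirm against upstream.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    params["ocsp_stapling_response"] = fn

    try:
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert="auth_serv/iCA-user/user.pem",
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3, wait_connect=False)

        # Skip unrelated EAP status events until the certificate status
        # problem is reported; an EAP-Success in the meantime is a failure
        count = 0
        while True:
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev:
                break
            if 'certificate revoked' in ev:
                break
            count = count + 1
            if count > 10:
                raise Exception("Unexpected number of EAP status messages")

        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        os.unlink(fn)  # generated response is not needed once the test ends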
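def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev, apdev, params):
    """EAP-TLS with intermediate server/user CA and OCSP multi OK

    Builds a multi-response staple covering both non-trusted certificates in
    the server chain (server certificate signed by the intermediate CA, and
    the intermediate CA certificate signed by the root) and expects the
    ocsp=3 connection to succeed.

    NOTE(review): the read of the intermediate CA response, the write of its
    body and the temp-file cleanup are missing from this copy and were
    restored; confirm against upstream.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
    params["server_cert"] = "auth_serv/iCA-server/server.pem"
    params["private_key"] = "auth_serv/iCA-server/server.key"
    fn = ica_ocsp("server.pem")
    fn2 = root_ocsp("auth_serv/iCA-server/cacert.pem")
    params["ocsp_stapling_response"] = fn

    with open(fn, "r") as f:
        resp_server = f.read()
    with open(fn2, "r") as f:
        resp_ica = f.read()

    # Multi-response file: each response is prefixed with its length as a
    # 3-byte big-endian integer (the low three bytes of a packed ">L")
    fd3, fn3 = tempfile.mkstemp()
    with os.fdopen(fd3, 'w') as f:
        f.write(struct.pack(">L", len(resp_server))[1:4])
        f.write(resp_server)
        f.write(struct.pack(">L", len(resp_ica))[1:4])
        f.write(resp_ica)

    params["ocsp_stapling_response_multi"] = fn3

    try:
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user",
                       ca_cert="auth_serv/iCA-user/ca-and-root.pem",
                       client_cert="auth_serv/iCA-user/user.pem",
                       private_key="auth_serv/iCA-user/user.key",
                       scan_freq="2412", ocsp=3)
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
    finally:
        # Generated responses are not needed once the test ends
        for path in (fn, fn2, fn3):
            os.unlink(path)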
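def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP multi response (revoked)

    Staples a hand-built multi-response list containing "unknown" and
    "revoked" entries and an empty entry.  Even with optional OCSP (ocsp=1)
    a "revoked" status must abort the handshake: no EAP-Success may be seen
    and the certificate status problem must be reported.

    NOTE(review): the status-wait loop control lines and the timeout guard
    are missing from this copy and were restored in the file's usual form;
    the lines after the loop are also missing.  Confirm against upstream.
    """
    check_ocsp_support(dev[0])
    check_ocsp_multi_support(dev[0])

    ocsp_revoked = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp_revoked):
        raise HwsimSkip("No OCSP response (revoked) available")
    ocsp_unknown = os.path.join(params['logdir'],
                                "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp_unknown):
        raise HwsimSkip("No OCSP response(unknown) available")

    with open(ocsp_revoked, "r") as f:
        resp_revoked = f.read()
    with open(ocsp_unknown, "r") as f:
        resp_unknown = f.read()

    fd, fn = tempfile.mkstemp()
    # This is not really a valid order of the OCSPResponse items in the
    # list, but this works for now to verify parsing and processing of
    # multiple responses.
    # Each entry is prefixed with its length as a 3-byte big-endian integer
    # (the low three bytes of a packed ">L"); a zero length is an empty entry.
    with os.fdopen(fd, 'w') as f:
        f.write(struct.pack(">L", len(resp_unknown))[1:4])
        f.write(resp_unknown)
        f.write(struct.pack(">L", len(resp_revoked))[1:4])
        f.write(resp_revoked)
        f.write(struct.pack(">L", 0)[1:4])
        f.write(struct.pack(">L", len(resp_unknown))[1:4])
        f.write(resp_unknown)

    try:
        params = int_eap_server_params()
        params["ocsp_stapling_response_multi"] = fn
        hostapd.add_ap(apdev[0]['ifname'], params)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       private_key="auth_serv/user.pkcs12",
                       private_key_passwd="whatever", ocsp=1,
                       wait_connect=False, scan_freq="2412")

        # Skip unrelated EAP status events until the certificate status
        # problem is reported; an EAP-Success in the meantime is a failure
        count = 0
        while True:
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
                                    "CTRL-EVENT-EAP-SUCCESS"])
            if ev is None:
                raise Exception("Timeout on EAP status")
            if "CTRL-EVENT-EAP-SUCCESS" in ev:
                raise Exception("Unexpected EAP-Success")
            if 'bad certificate status response' in ev:
                break
            if 'certificate revoked' in ev:
                break
            count = count + 1
            if count > 10:
                raise Exception("Unexpected number of EAP status messages")
    finally:
        os.unlink(fn)  # the hand-built staple is not needed once the test ends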
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # Skipped unless the TLS library can do a full suffix match against the
    # subject CN (see check_domain_match_full).
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN; presumably the match then has
    # to be made against the subject CN, which is what this test covers.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The configured suffix is the full CN, so the connection is expected to
    # succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)"""
    # Skipped for TLS libraries without domain_match support.
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so the match is presumably
    # made against the subject CN.
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match requires an exact match; the full CN is given here, so the
    # connection is expected to succeed.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # NOTE(review): the capability check is run on dev[0] while the
    # connection below is made from dev[1]; confirm that is intended.
    check_domain_match_full(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN (subject CN is the only name).
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A parent-domain suffix ("w1.fi") is configured; a suffix match on full
    # DNS labels is expected to accept the server's CN.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN (subject CN is the only name).
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dev[0]: an unrelated domain must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
    # NOTE(review): the line(s) closing the connect() call above are not
    # present in this copy.
    # dev[1]: "erver3.w1.fi" is a plain string suffix of the CN but not a
    # suffix on a DNS label boundary.  The expected EAP failure below is what
    # shows the match is label-based rather than a naive string comparison.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
    # NOTE(review): the line(s) closing the connect() call above, and the
    # guard line before each of the two raises below, are not present in
    # this copy.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    check_domain_match(dev[0])
    params = int_eap_server_params()
    # Server certificate without a dNSName SAN (subject CN is the only name).
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # dev[0]: an unrelated domain must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
    # NOTE(review): the line(s) closing the connect() call above are not
    # present in this copy.
    # dev[1]: domain_match is an exact match, so even the parent domain of
    # the CN ("w1.fi") must be rejected -- unlike domain_suffix_match.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
    # NOTE(review): the line(s) closing the connect() call above, and the
    # guard line before each of the two raises below, are not present in
    # this copy.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server presents a certificate whose validity period has ended.
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the line(s) closing the connect() call above, and the
    # guard line before each "Timeout" raise below, are not present in this
    # copy.
    # The supplicant must report the certificate error with reason=4 and the
    # "certificate has expired" text, and then fail the EAP exchange rather
    # than connect.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Same expired server certificate as in test_ap_wpa2_eap_ttls_expired_cert.
    params["server_cert"] = "auth_serv/server-expired.pem"
    params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    # phase1 tls_disable_time_checks=1 turns off the validity-period check on
    # the client; this exercises the knob, it is not a recommended profile.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_ttls_long_duration(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate with an unusually long validity period; the
    # connection is expected to be accepted.
    params["server_cert"] = "auth_serv/server-long-duration.pem"
    params["private_key"] = "auth_serv/server-long-duration.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate whose Extended Key Usage only allows client use.
    params["server_cert"] = "auth_serv/server-eku-client.pem"
    params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the line(s) closing the connect() call above and the
    # guard line before the raise below are not present in this copy.
    # A certificate not authorized for server authentication must be
    # rejected: the expected outcome is an EAP failure, not a connection.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Server certificate whose EKU includes both client and server use; with
    # server use present the connection is presumably expected to succeed
    # (contrast with test_ap_wpa2_eap_ttls_server_cert_eku_client).
    params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # No separate server_cert: the certificate and key both come from the
    # PKCS#12 bundle given as private_key.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
    """EAP-TTLS and server PKCS#12 file with extra certs"""
    skip_with_fips(dev[0])
    params = int_eap_server_params()
    # Certificate and key come from a password-protected PKCS#12 bundle that
    # also carries additional certificates.
    del params["server_cert"]
    params["private_key"] = "auth_serv/server-extra.pkcs12"
    params["private_key_passwd"] = "whatever"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the final argument line that closes this connect() call
    # is not present in this copy.
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Client-side DH parameter file supplied via dh_file for the TLS tunnel.
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dh.conf",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_dsa(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
    # Skipped unless the build supports DSA-style parameter files.
    check_dh_dsa_support(dev[0])
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    client_opts = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.der",
        "phase2": "auth=PAP",
        "dh_file": "auth_serv/dsaparam.pem",
    }
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **client_opts)
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TTLS and DH params file not found"""
    # NOTE(review): a function with this same name is defined again later
    # in this module (the server-side variant); that later definition
    # shadows this one at import time.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A missing client-side dh_file must make the EAP exchange fail rather
    # than silently proceed without the configured parameters.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/dh-no-such-file.conf",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line before this raise is not present in this
    # copy.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TTLS and invalid DH params file"""
    # NOTE(review): a function with this same name is defined again later
    # in this module (the server-side variant); that later definition
    # shadows this one at import time.
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # A CA certificate is deliberately passed as dh_file: it is valid PEM but
    # not DH parameters, and must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   dh_file="auth_serv/ca.pem",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    # NOTE(review): the guard line before this raise is not present in this
    # copy.
    raise Exception("EAP failure timed out")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
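def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and setting DH params from blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dh = read_pem("auth_serv/dh2.conf")
    # binascii.hexlify() replaces str.encode("hex"): the "hex" codec exists
    # only on Python 2 (LookupError on Python 3).  .decode() turns the
    # hexlify() output back into text so the control-interface command can
    # be built by string concatenation on either interpreter.
    dh_hex = binascii.hexlify(dh).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    # The parameters are then referenced from the network profile through
    # the blob:// scheme instead of a file path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                dh_file="blob://dhparams")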
def test_ap_wpa2_eap_ttls_dh_params_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
    # The DH parameter file is configured on the hostapd (server) side here;
    # the client uses a plain TTLS/PAP profile.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh2.conf"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
    # DSA-style parameter file configured on the hostapd (server) side.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dsaparam.pem"
    hostapd.add_ap(apdev[0]['ifname'], srv)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                ca_cert="auth_serv/ca.der", phase2="auth=PAP",
                anonymous_identity="ttls", password="password")
def test_ap_wpa2_eap_ttls_dh_params_not_found(dev, apdev):
    """EAP-TLS server and dhparams file not found"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_not_found,
    # which is also defined earlier in this module for the client side; the
    # later definition wins at import time and shadows the earlier one.
    srv = int_eap_server_params()
    srv["dh_file"] = "auth_serv/dh-no-such-file.conf"
    # Add the AP without enabling it so the bad dh_file shows up as a failed
    # ENABLE request rather than an interface that never comes up.
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_ttls_dh_params_invalid(dev, apdev):
    """EAP-TLS server and invalid dhparams file"""
    # NOTE(review): this redefines test_ap_wpa2_eap_ttls_dh_params_invalid,
    # which is also defined earlier in this module for the client side; the
    # later definition wins at import time and shadows the earlier one.
    srv = int_eap_server_params()
    # A CA certificate is valid PEM but not DH parameters; hostapd must
    # refuse to enable with it.
    srv["dh_file"] = "auth_serv/ca.pem"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv, no_enable=True)
    res = hapd.request("ENABLE")
    if "FAIL" not in res:
        raise Exception("Invalid configuration accepted")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Make the Authenticator trigger EAP re-authentication after 2 seconds.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # NOTE(review): the guard line before each "Timeout on reauthentication"
    # raise is not present in this copy.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    raise Exception("Timeout on reauthentication")
    # Poll wpa_state until the re-authenticated association is COMPLETED.
    # NOTE(review): the loop body after the COMPLETED check (exit from the
    # loop and the wait between polls) is not present in this copy.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    # Displayable text followed by option fields in the Request/Identity
    # payload; the backslash-0 sequence in the config value presumably marks
    # the NUL separator between the two parts.
    identity_msg = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['eap_message'] = identity_msg
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    srv = int_eap_server_params()
    srv['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: enable the protected success/failure result indication.
    srv['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], srv)

    # (method, identity, password) for EAP-SIM, EAP-AKA and EAP-AKA'.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, password) in enumerate(cases):
        if idx:
            # Drop the previous method's profiles before switching methods.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] opts in to the result indication and is re-authenticated;
        # dev[1] connects without requesting it.
        eap_connect(dev[0], apdev[0], method, identity, password=password,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    skip_with_fips(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
    # NOTE(review): the line(s) closing the connect() call above -- which
    # presumably carry the setting that forces the excessive number of
    # roundtrips -- and the guard line before the raise below are not
    # present in this copy.
    # The supplicant is expected to abort the exchange and log the
    # "EAP: more than" roundtrip-limit message instead of looping forever.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "vendor-test" identity with EAP-PSK: the method offered by the server
    # is expected to be refused, producing an expanded NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
    # NOTE(review): the line(s) closing the connect() call above, the
    # initialisation before the loop, the guard lines before each raise, and
    # the loop exit after the "refuse proposed method" match are not present
    # in this copy.
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=16)
        raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
        raise Exception("Unexpected EAP status: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    skip_with_fips(dev[0])
    # NOTE(review): the import of sqlite3 (and the condition leading to the
    # skip below) is not present in this copy.
    raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # NOTE(review): the lines between dbfile and the connect() call, and the
    # creation of the `cur` cursor used below, are not present in this copy.
    con = sqlite3.connect(dbfile)
    # Test fixture: a minimal hostapd EAP user database.  The cleartext
    # password column is what the server needs to verify PAP/CHAP/MSCHAP
    # inner methods; all SQL here is fixed literals, nothing user-supplied.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Wildcard (empty identity) entry selects the outer methods.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # NOTE(review): the commit/close of the connection is not present in
    # this copy.
    # The test's `params` argument (log directory) is reassigned here to the
    # AP configuration dictionary.
    params = int_eap_server_params()
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # One connection per inner method, each matching its own users row.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities with a non-ASCII byte (alone, and after an ASCII char).
    # The check is only that EAP starts and a method gets selected, i.e. the
    # odd identity does not wedge either end; no connection is awaited.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    # NOTE(review): the guard line before each raise in this loop is not
    # present in this copy.
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same as test_ap_wpa2_eap_non_ascii_identity but against the
    # RADIUS-backed AP configuration instead of the integrated EAP server.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    # NOTE(review): the guard line before each raise in this loop is not
    # present in this copy.
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16)
        raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # openssl_ciphers is an OpenSSL cipher-list string; only meaningful with
    # an OpenSSL-backed wpa_supplicant.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # A restricted but usable list (AES128) still connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # EXPORT-grade suites are expected to be rejected; maybe_local_error
    # allows the failure to originate on the client side.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True, maybe_local_error=True)
    # An unparsable cipher string must produce an EAP failure rather than
    # falling back to the default list.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password",
                   openssl_ciphers="FOO",
                   ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
    # NOTE(review): the line(s) closing the connect() call above and the
    # guard line before the raise below are not present in this copy.
    ev = dev[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP failure after invalid openssl_ciphers not reported")
    dev[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # openssl_ciphers is only meaningful when both ends are OpenSSL-based.
    wpas_tls = dev[0].request("GET tls_library")
    if not wpas_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + wpas_tls)
    srv = int_eap_server_params()
    srv['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], srv)
    hapd_tls = hapd.request("GET tls_library")
    if not hapd_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + hapd_tls)

    common = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=PAP",
    }
    # Default client list overlaps with the server's AES256 -> connects.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # A client limited to AES128 has nothing in common with an AES256-only
    # server -> the handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH:!ADH still contains AES-256 suites -> connects.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)

    # An unparsable cipher string must be rejected when the AP is enabled;
    # the same (mutated) config dict is reused for the second AP.
    srv['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1]['ifname'], srv, no_enable=True)
    if "FAIL" not in hapd2.request("ENABLE"):
        raise Exception("Invalid openssl_ciphers value accepted")
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Goal: check that secrets are cleared from wpa_supplicant's process
    # memory as soon as they are no longer needed -- session keys after
    # disassociation, the PMK after the PMKSA cache / fast re-auth flush,
    # and everything including the password after the profile is removed.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long random-looking password so that memory scans do not hit it by
    # accident.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    # `id` (network id) shadows the builtin; kept for interface stability.
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
    # event has been delivered, so verify that wpa_supplicant has returned to
    # eloop before reading process memory.
    # NOTE(review): the wait that the comment above refers to, and the
    # statement between the memory read and DISCONNECT, are not present in
    # this copy.
    buf = read_process_memory(pid, password)
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    # NOTE(review): the lines between wait_disconnected() and the log parse
    # (presumably initialising the key variables) are not present in this
    # copy.
    # Recover the expected key values from the supplicant's debug log so the
    # memory scans below can look for them.
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    # NOTE(review): the guard line before this raise, and the lines that
    # split the PTK into the kck/kek/tk values used below, are not present
    # in this copy.
    raise Exception("Unexpected GTK length")
    # Prefix for the memory-context dump files written by verify_not_present
    # when a key is unexpectedly found.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # While associated the password and PMK are expected to be present (the
    # test is skipped, not failed, if the scan cannot find them); KCK/KEK
    # must be present; TK and GTK are expected to already be cleared from
    # userspace because they have been handed to the driver.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    # NOTE(review): the guard line before each of the following raises is
    # not present in this copy.
    raise HwsimSkip("PMK not found while associated")
    raise Exception("KCK not found while associated")
    raise Exception("KEK not found while associated")
    raise Exception("TK found from memory")
    get_key_locations(buf, gtk, "GTK")
    raise Exception("GTK found from memory")
    logger.info("Checking keys in memory after disassociation")
    buf = read_process_memory(pid, password)
    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Session keys must be gone once the association is torn down.
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    # Flush the PMKSA cache and invalidate EAP fast re-auth state (changing
    # the identity drops the cached EAP session); the PMK must then be gone.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")
    # Removing the network profile is the last holder of the password; after
    # this nothing derived from the credentials may remain in memory.
    dev[0].request("REMOVE_NETWORK all")
    logger.info("Checking keys in memory after network profile removal")
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")
def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev, apdev):
    """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    bssid = apdev[0]['bssid']
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Send unexpected WEP EAPOL-Key; this gets dropped
    # Robustness check: a legacy (RC4/WEP style) EAPOL-Key frame injected on
    # an established WPA2 association must be ignored, not acted upon.
    # EAPOL_RX is the test-build control command that hands the supplicant
    # a raw frame as if received from the given BSSID.
    res = dev[0].request("EAPOL_RX " + bssid + " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
    # NOTE(review): the guard line checking `res` before this raise is not
    # present in this copy.
    raise Exception("EAPOL_RX to wpa_supplicant failed")
def test_ap_wpa2_eap_in_bridge(dev, apdev):
    """WPA2-EAP and wpas interface in a bridge"""
    # NOTE(review): the setup lines that define br_ifname and ifname, and
    # the try/finally that wraps the helper call and the cleanup below, are
    # not present in this copy.
    _test_ap_wpa2_eap_in_bridge(dev, apdev)
    # Best-effort teardown: subprocess.call() ignores the exit status so a
    # partially created bridge does not mask the test result.
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'down'])
    subprocess.call(['brctl', 'delif', br_ifname, ifname])
    subprocess.call(['brctl', 'delbr', br_ifname])
    subprocess.call(['iw', ifname, 'set', '4addr', 'off'])
def _test_ap_wpa2_eap_in_bridge(dev, apdev):
    """Body of test_ap_wpa2_eap_in_bridge: EAP over a bridged 4addr STA."""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the lines defining br_ifname and ifname (and the
    # interface removal before adding it to the bridge, if any) are not
    # present in this copy.
    wpas = WpaSupplicant(global_iface='/tmp/wpas-wlan5')
    # Create the bridge, put the STA interface into 4-address mode and
    # enslave it; only addif is check_call'ed, the rest is best effort.
    subprocess.call(['brctl', 'addbr', br_ifname])
    subprocess.call(['brctl', 'setfd', br_ifname, '0'])
    subprocess.call(['ip', 'link', 'set', 'dev', br_ifname, 'up'])
    subprocess.call(['iw', ifname, 'set', '4addr', 'on'])
    subprocess.check_call(['brctl', 'addif', br_ifname, ifname])
    wpas.interface_add(ifname, br_ifname=br_ifname)
    # NOTE(review): the single lines between the following statements
    # (presumably blank or short) are not present in this copy.
    id = eap_connect(wpas, apdev[0], "PAX", "pax.user@example.com",
                     password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(wpas, "PAX")
    # Try again as a regression test for packet socket workaround
    eap_reauth(wpas, "PAX")
    wpas.request("DISCONNECT")
    wpas.wait_disconnected()
    # EAPOL must still work after the interface cycles through the bridge.
    wpas.request("RECONNECT")
    wpas.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Sanity check of GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # tls_disable_session_ticket=0 keeps the session-ticket extension on;
    # the re-authentication afterwards exercises that path.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_no_workaround(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check of GET_CONFIG: the first key_mgmt entry must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.split(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # eap_workaround='0' disables the interoperability workarounds in the
    # supplicant's EAP state machine; the exchange (and re-auth) must still
    # succeed against hostapd's server.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
    # NOTE(review): the final argument line that closes this eap_connect()
    # call is not present in this copy.
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_tls_check_crl(dev, apdev):
    """EAP-TLS and server checking CRL"""
    params = int_eap_server_params()
    # check_crl=1: check the CRL for the peer (client) certificate.
    params['check_crl'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # check_crl=1 and no CRL available --> reject connection
    # (fail closed: with CRL checking on and no CRL loaded, the client
    # certificate cannot be validated and must not be accepted)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Switch the server to a CA bundle that also carries a CRL.
    # NOTE(review): the lines around each hapd.set() (presumably the
    # disable/enable cycle that applies the new setting) are not present in
    # this copy.
    hapd.set("ca_cert", "auth_serv/ca-and-crl.pem")
    # check_crl=1 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
    # check_crl=2: check the CRL for the whole certificate chain.
    hapd.set("check_crl", "2")
    # check_crl=2 and valid CRL --> accept
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    dev[0].request("REMOVE_NETWORK all")
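def test_ap_wpa2_eap_tls_oom(dev, apdev):
    """EAP-TLS and OOM

    Simulates allocation failures while the certificate matching rules
    (subject_match / altsubject_match / domain_match / domain_suffix_match)
    are being installed on the TLS connection and verifies that the failure
    is surfaced to the user (as a CTRL-REQ-PASSPHRASE request, see the
    comment in the loop) rather than the attempt silently continuing.

    Skips unless the client's TLS library supports all four matching rules.
    """
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    check_domain_match(dev[0])
    check_domain_match_full(dev[0])

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Fail the 1st, 2nd, 3rd and 4th allocation made inside
    # tls_connection_set_subject_match, one per connection attempt.
    tests = [(count, "tls_connection_set_subject_match")
             for count in range(1, 5)]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                           identity="tls user", ca_cert="auth_serv/ca.pem",
                           client_cert="auth_serv/user.pem",
                           private_key="auth_serv/user.key",
                           subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                           altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
                           domain_suffix_match="server.w1.fi",
                           domain_match="server.w1.fi",
                           wait_connect=False, scan_freq="2412")
            # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
            ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout=5)
            # wait_event() is expected to return None on timeout; only that
            # case is an error (the raise was unconditional before).
            if ev is None:
                raise Exception("No passphrase request")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()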
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Brings up the AP with macaddr_acl=2 (presumably the RADIUS-based ACL
    mode - confirm against hostapd.conf) and checks that a station can still
    complete EAP-TLS against it. Note that, unlike most tests in this file,
    the second station (dev[1]) is used here.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params.update(macaddr_acl="2")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    station = dev[1]
    eap_connect(station, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
def test_ap_wpa2_eap_oom(dev, apdev):
    """EAP server and OOM

    Makes the first eapol_auth_alloc() in hostapd fail and relies on the
    station's EAPOL-Start retry to recover. NOTE(review): the remaining
    arguments of the connect() call (and the end of the explanatory comment)
    are not shown in this listing, so whether the test waits for a successful
    association cannot be confirmed from here.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Only the very first allocation fails; the retry gets a working one.
    with alloc_fail(hapd, 1, "eapol_auth_alloc"):
        # The first attempt fails, but STA will send EAPOL-Start to retry and
        # (continuation of this comment not shown in this listing)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                       identity="tls user", ca_cert="auth_serv/ca.pem",
                       client_cert="auth_serv/user.pem",
                       private_key="auth_serv/user.key",
def check_tls_ver(dev, ap, phase1, expected):
    """Connect with EAP-TLS using the given phase1 string and verify that the
    TLS version reported in the eap_tls_version status field is *expected*
    (e.g. "TLSv1.2").

    NOTE(review): this listing omits the end of the eap_connect() call
    (presumably where phase1 is passed on) and the comparison that should
    guard the raise below; as shown, the function would always raise.
    """
    eap_connect(dev, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
    ver = dev.get_status_field("eap_tls_version")
    raise Exception("Unexpected TLS version (expected %s): %s" % (expected, ver))
def test_ap_wpa2_eap_tls_versions(dev, apdev):
    """EAP-TLS and TLS version configuration

    Uses the tls_disable_tlsv1_X phase1 flags to leave exactly one TLS
    version enabled on the client and checks, via check_tls_ver(), that the
    negotiated version reported by the supplicant matches. Which
    combinations run depends on the client's TLS library.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    tls = dev[0].request("GET tls_library")
    if tls.startswith("OpenSSL"):
        # Only when both the build-time and run-time OpenSSL are 1.0.2.
        if "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
            check_tls_ver(dev[0], apdev[0],
                          "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
                          # NOTE(review): the expected-version argument and
                          # the closing parenthesis are not shown here.
    elif tls.startswith("internal"):
        # Internal TLS library: disabling two of the three versions must
        # leave precisely the remaining one negotiated. Negotiating TLSv1 /
        # TLSv1.1 is acceptable only as a test of the knobs; production
        # configurations should leave those versions disabled.
        check_tls_ver(dev[0], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
        check_tls_ver(dev[1], apdev[0],
                      "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
        check_tls_ver(dev[2], apdev[0],
                      "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
def test_rsn_ie_proto_eap_sta(dev, apdev):
    """RSN element protocol testing for EAP cases on STA side

    The AP is made to advertise progressively truncated RSN elements
    (own_ie_override, each case dropping one more trailing field); the
    station must still parse them and associate, since trailing RSNE fields
    are optional and take default values.
    """
    bssid = apdev[0]['bssid']
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # This is the RSN element used normally by hostapd
    params['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
                        identity="gpsk user",
                        password="abcdefghijklmnop0123456789abcdef",
                        # NOTE(review): the tail of this call is not shown
                        # in this listing.

    # (description, RSN element as hex) - each drops one more trailing field.
    tests = [ ('No RSN Capabilities field',
               '30120100000fac040100000fac040100000fac01'),
              ('No AKM Suite fields',
               '300c0100000fac040100000fac04'),
              ('No Pairwise Cipher Suite fields',
               '30060100000fac04'),
              ('No Group Data Cipher Suite field',
               # NOTE(review): the element for this case and the closing of
               # the list are not shown in this listing.
    for txt,ie in tests:
        # NOTE(review): txt is unused in the visible loop body; the listing
        # presumably omits a log line (and the disable()/enable() around the
        # set() below - verify the new element is really advertised before
        # the rescan).
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        hapd.set('own_ie_override', ie)
        # Drop the cached scan entry so the modified element is re-read.
        dev[0].request("BSS_FLUSH 0")
        dev[0].scan_for_bss(bssid, 2412, force_scan=True, only_new=True)
        dev[0].select_network(id, freq=2412)
        dev[0].wait_connected()

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the test unless both sides use OpenSSL.

    The session resumption tests rely on the tls_session_reused status field
    and on the server-side session cache; they are only run when hostapd
    (checked first) and wpa_supplicant both report an OpenSSL TLS library.
    Raises HwsimSkip otherwise.
    """
    checks = (
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    )
    for ctrl, message in checks:
        library = ctrl.request("GET tls_library")
        if not library.startswith("OpenSSL"):
            raise HwsimSkip(message + library)
def test_eap_ttls_pap_session_resumption(dev, apdev):
    """EAP-TTLS/PAP session resumption

    The first association must do a full TLS handshake (tls_session_reused
    '0'); a subsequent REAUTHENTICATE must resume the server-cached session
    (tls_session_reused '1').
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds ('0' disables the
    # cache, see test_eap_ttls_no_session_resumption).
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): the argument list is cut off in this listing;
                # the phase2 setting selecting PAP is presumably on the line
                # that is not shown.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): this raise (and the one below) is shown unguarded;
    # presumably `if ev is None:` precedes each in the original file.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")
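def test_eap_ttls_chap_session_resumption(dev, apdev):
    """EAP-TTLS/CHAP session resumption

    The first association must do a full TLS handshake (tls_session_reused
    '0'); a subsequent REAUTHENTICATE must resume the server-cached session
    (tls_session_reused '1'). The CA is supplied in DER form here.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds ('0' disables the
    # cache, see test_eap_ttls_no_session_resumption).
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")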
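def test_eap_ttls_mschap_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAP session resumption

    Like the PAP/CHAP variants, but the client additionally pins the server
    certificate with domain_suffix_match, so the test is skipped when the
    client's TLS library does not support that check. The first association
    must be a full handshake ('0'); REAUTHENTICATE must resume ('1').
    """
    check_domain_suffix_match(dev[0])
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")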
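def test_eap_ttls_mschapv2_session_resumption(dev, apdev):
    """EAP-TTLS/MSCHAPv2 session resumption

    Requires MSCHAPV2 support and domain_suffix_match support on the client.
    The identity carries a Windows-style DOMAIN\\ prefix; in the literal
    below "\\m" is not a recognised escape, so the backslash is kept as-is
    (a raw string would make that explicit). First association must be a
    full handshake ('0'); REAUTHENTICATE must resume ('1').
    """
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")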
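def test_eap_ttls_eap_gtc_session_resumption(dev, apdev):
    """EAP-TTLS/EAP-GTC session resumption

    Inner method is an EAP method (autheap=GTC) rather than a plain TTLS
    attribute-based one. First association must be a full handshake ('0');
    REAUTHENTICATE must resume the cached TLS session ('1').
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")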
def test_eap_ttls_no_session_resumption(dev, apdev):
    """EAP-TTLS session resumption disabled on server

    With tls_session_lifetime=0 the server must not cache sessions, so a
    REAUTHENTICATE has to perform a full handshake again (tls_session_reused
    stays '0' on both connections).
    """
    params = int_eap_server_params()
    params['tls_session_lifetime'] = '0'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", eap_workaround='0',
                # NOTE(review): the argument list is cut off in this listing;
                # the phase2 setting selecting PAP is presumably on the line
                # that is not shown.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): this raise (and the one below) is shown unguarded;
    # presumably `if ev is None:` precedes each in the original file.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")
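def test_eap_peap_session_resumption(dev, apdev):
    """EAP-PEAP session resumption

    PEAP with MSCHAPv2 inside. First association must be a full handshake
    (tls_session_reused '0'); REAUTHENTICATE must resume the server-cached
    session ('1').
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")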
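def test_eap_peap_session_resumption_crypto_binding(dev, apdev):
    """EAP-PEAP session resumption with crypto binding

    Same as test_eap_peap_session_resumption but with PEAPv0 and
    crypto_binding=2 (presumably "required" - confirm against the
    wpa_supplicant configuration documentation), so the resumed session must
    also complete the crypto binding exchange.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                phase1="peapver=0 crypto_binding=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")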
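def test_eap_peap_no_session_resumption(dev, apdev):
    """EAP-PEAP session resumption disabled on server

    No tls_session_lifetime is set, so this relies on int_eap_server_params()
    not enabling a session cache by default; both connections must then be
    full handshakes (tls_session_reused '0' each time).
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")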
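def test_eap_tls_session_resumption(dev, apdev):
    """EAP-TLS session resumption

    First association must be a full handshake (tls_session_reused '0');
    two further REAUTHENTICATE rounds must both resume the cached session
    ('1'), i.e. a resumed session stays resumable within the lifetime.

    NOTE(review): a resumed TLS session does not redo the certificate-based
    handshake, so the cache lifetime bounds how long a revoked client
    certificate could keep re-authenticating; not exercised here.
    """
    params = int_eap_server_params()
    # Server-side TLS session cache lifetime in seconds.
    params['tls_session_lifetime'] = '60'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    for ordinal in ("second", "third"):
        dev[0].request("REAUTHENTICATE")
        # wait_event() is expected to return None on timeout; only that case
        # is an error (the raises were unconditional before).
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
        if ev is None:
            raise Exception("Key handshake with the AP timed out")
        if dev[0].get_status_field("tls_session_reused") != '1':
            raise Exception("Session resumption not used on the %s connection"
                            % ordinal)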
def test_eap_tls_session_resumption_expiration(dev, apdev):
    """EAP-TLS session resumption expiration

    With tls_session_lifetime=1 a cached session must no longer be resumed
    once its lifetime has passed; the final check requires a full handshake
    (tls_session_reused '0').
    """
    params = int_eap_server_params()
    # One-second server cache lifetime so that expiration can be observed.
    params['tls_session_lifetime'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], hapd)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    # Allow multiple attempts since OpenSSL may not expire the cached entry
    # NOTE(review): the retry loop (with its delay between attempts) that
    # this comment refers to is not shown in this listing; the statements
    # below presumably sit inside it, and the `if ... == '0':` near the end
    # presumably exits the loop.
    dev[0].request("REAUTHENTICATE")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    # NOTE(review): this raise (and the one below) is shown unguarded;
    # presumably `if ev is None:` precedes each in the original file.
    raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") == '0':
        # (loop exit not shown in this listing)
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Session resumption used after lifetime expiration")
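def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server

    No tls_session_lifetime is set, so this relies on int_eap_server_params()
    not enabling a session cache by default; both connections must then be
    full handshakes (tls_session_reused '0' each time).
    """
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")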
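def test_eap_tls_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption (RADIUS)

    Same check as test_eap_tls_session_resumption, but the EAP server is a
    second hostapd instance (apdev[1]) acting as RADIUS authentication server
    on port 18128, with the AP on apdev[0] proxying EAP to it. The session
    cache therefore lives on the RADIUS server, which is also the instance
    whose TLS library is capability-checked.
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # NOTE(review): nothing shown here explicitly enables the
               # integrated EAP server on this instance (hostapd's eap_server
               # option); verify the full configuration.
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               # Server-side TLS session cache lifetime in seconds.
               "tls_session_lifetime": "60" }
    authsrv = hostapd.add_ap(apdev[1]['ifname'], params)
    check_tls_session_resumption_capa(dev[0], authsrv)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '1':
        raise Exception("Session resumption not used on the second connection")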
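def test_eap_tls_no_session_resumption_radius(dev, apdev):
    """EAP-TLS session resumption disabled (RADIUS)

    Counterpart of test_eap_tls_session_resumption_radius with
    tls_session_lifetime=0 on the RADIUS server instance (apdev[1]): both
    connections through the AP on apdev[0] must be full handshakes
    (tls_session_reused '0' each time).
    """
    params = { "ssid": "as", "beacon_int": "2000",
               "radius_server_clients": "auth_serv/radius_clients.conf",
               "radius_server_auth_port": '18128',
               # NOTE(review): nothing shown here explicitly enables the
               # integrated EAP server on this instance (hostapd's eap_server
               # option); verify the full configuration.
               "eap_user_file": "auth_serv/eap_user.conf",
               "ca_cert": "auth_serv/ca.pem",
               "server_cert": "auth_serv/server.pem",
               "private_key": "auth_serv/server.key",
               # '0' disables the server-side TLS session cache.
               "tls_session_lifetime": "0" }
    hostapd.add_ap(apdev[1]['ifname'], params)

    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # wait_event() is expected to return None on timeout; only that case is
    # an error (the raises were unconditional before).
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")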
def test_eap_mschapv2_errors(dev, apdev):
    """EAP-MSCHAPv2 error cases

    Injects failures (fail_test) and allocation failures (alloc_fail) into
    the named MSCHAPv2 helpers on the supplicant side and checks, with
    wait_fail_trigger(), that each injected failure is actually reached
    during a connection attempt. Covered paths: response derivation from the
    plaintext password and from the NT password hash (password_hex form),
    message allocation on challenge/success/failure, key export, and
    MSCHAPv2 as the inner method of EAP-FAST with provisioning.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "FAST")

    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: a normal connection must work before fault injection starts.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                   identity="phase1-user", password="password",
                   # NOTE(review): the tail of this call is not shown in
                   # this listing.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # Forced failures in the response derivation from a plaintext password.
    # The "a;b" form presumably means "fail a when called from b".
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;mschapv2_derive_response"),
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response;mschapv2_derive_response"),
              (1, "generate_authenticator_response;mschapv2_derive_response"),
              # NOTE(review): duplicate of the third entry above.
              (1, "nt_password_hash;=mschapv2_derive_response"),
              (1, "get_master_key;mschapv2_derive_response"),
              (1, "os_get_random;eap_mschapv2_challenge_reply") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Same, but the credential is supplied as an NT password hash so the
    # *_pwhash helper variants are exercised.
    tests = [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
              (1, "hash_nt_password_hash;=mschapv2_derive_response"),
              (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
              (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user",
                           password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures in method init, message building and key export.
    tests = [ (1, "eap_mschapv2_init"),
              (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
              (1, "eap_msg_alloc;eap_mschapv2_success"),
              (1, "eap_mschapv2_getKey") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # A wrong password is needed to reach the Failure message handling.
    tests = [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="MSCHAPV2",
                           identity="phase1-user", password="wrong password",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Later allocations in eap_mschapv2_init, reached when MSCHAPv2 runs as
    # the inner method of EAP-FAST (with in-band PAC provisioning enabled).
    tests = [ (2, "eap_mschapv2_init"),
              (3, "eap_mschapv2_init") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="FAST",
                           anonymous_identity="FAST", identity="user",
                           password="password",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           phase1="fast_provisioning=1",
                           pac_file="blob://fast_pac",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_eap_gpsk_errors(dev, apdev):
    """EAP-GPSK error cases

    Injects failures (fail_test) and allocation failures (alloc_fail) into
    the named EAP-GPSK helpers on the supplicant - random number generation,
    session-id / key / MIC derivation and message allocation - and checks
    with wait_fail_trigger() that each injection point is actually reached.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Baseline: a normal connection must work before fault injection starts.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                   identity="gpsk user",
                   password="abcdefghijklmnop0123456789abcdef",
                   # NOTE(review): the tail of this call is not shown in
                   # this listing.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # (count, function, phase1) - phase1 selects the GPSK cipher suite for
    # the entries that need a specific MIC helper; None keeps the default.
    # NOTE(review): several phase1 values (the lines following the
    # derive_session_id and compute_mic entries) are not shown in this
    # listing.
    tests = [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_derive_keys_helper", None),
              (2, "eap_gpsk_derive_keys_helper", None),
              (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
              (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
              (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
              (1, "eap_gpsk_derive_mid_helper", None) ]
    for count, func, phase1 in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user",
                           password="abcdefghijklmnop0123456789abcdef",
                           # NOTE(review): phase1 is unpacked above but the
                           # line passing it on is not shown in this listing.
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()

    # Allocation failures; erp="1" (after ERP_FLUSH) presumably makes the
    # EMSK / session-id getters listed at the end get called.
    tests = [ (1, "eap_gpsk_init"),
              (2, "eap_gpsk_init"),
              (3, "eap_gpsk_init"),
              (1, "eap_gpsk_process_id_server"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
              (1, "eap_gpsk_derive_keys"),
              (1, "eap_gpsk_derive_keys_helper"),
              (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
              (1, "eap_gpsk_getKey"),
              (1, "eap_gpsk_get_emsk"),
              (1, "eap_gpsk_get_session_id") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].request("ERP_FLUSH")
            dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="GPSK",
                           identity="gpsk user", erp="1",
                           password="abcdefghijklmnop0123456789abcdef",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_sim_db(dev, apdev, params):
    """EAP-SIM DB error cases

    Points hostapd's eap_sim_db at a private unix datagram socket and
    exercises three situations in turn: the socket does not exist, a peer
    that only answers with malformed/unknown responses (so the pending
    request has to time out), and finally a valid response produced by
    running the real hlr_auc_gw binary.
    """
    sockpath = '/tmp/hlr_auc_gw.sock-test'
    # NOTE(review): the lines between here and hparams are not shown in
    # this listing (presumably cleanup of a stale socket file).
    hparams = int_eap_server_params()
    hparams['eap_sim_db'] = 'unix:' + sockpath
    hapd = hostapd.add_ap(apdev[0]['ifname'], hparams)

    # Initial test with hlr_auc_gw socket not available
    id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap="SIM", identity="1232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                        scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    # NOTE(review): this raise (and the one further below) is shown
    # unguarded; presumably `if ev is None:` precedes each in the original.
    raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with invalid responses and response timeout
    class test_handler(SocketServer.DatagramRequestHandler):
        # NOTE(review): the `def handle(self):` line is not shown in this
        # listing; the statements below are the body of that method.
        data = self.request[0].strip()
        socket = self.request[1]
        logger.debug("Received hlr_auc_gw request: " + data)
        # Each bogus reply targets a different parser error path in hostapd:
        # EAP-SIM DB: Failed to parse response string
        socket.sendto("FOO", self.client_address)
        # EAP-SIM DB: Failed to parse response string
        socket.sendto("FOO 1", self.client_address)
        # EAP-SIM DB: Unknown external response
        socket.sendto("FOO 1 2", self.client_address)
        logger.info("No proper response - wait for pending eap_sim_db request timeout")

    server = SocketServer.UnixDatagramServer(sockpath, test_handler)
    # NOTE(review): lines between the server setup and select_network() are
    # not shown in this listing.
    dev[0].select_network(id)
    # Serve exactly one request, then expect hostapd to give up and fail EAP.
    server.handle_request()
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    raise Exception("EAP-Failure not reported")
    dev[0].wait_disconnected()
    dev[0].request("DISCONNECT")

    # Test with a valid response
    class test_handler2(SocketServer.DatagramRequestHandler):
        # NOTE(review): `def handle(self):` not shown here either.
        data = self.request[0].strip()
        socket = self.request[1]
        logger.debug("Received hlr_auc_gw request: " + data)
        fname = os.path.join(params['logdir'],
                             'hlr_auc_gw.milenage_db')
        # Delegate to the real hlr_auc_gw binary. The argv is passed as a
        # list (no shell), so if the request text is forwarded as an
        # argument it cannot be shell-interpreted.
        cmd = subprocess.Popen(['../../hostapd/hlr_auc_gw',
                                # NOTE(review): the remaining argv entries are
                                # not shown in this listing.
                               stdout=subprocess.PIPE)
        res = cmd.stdout.read().strip()
        # NOTE(review): the child process is never wait()ed for in the
        # visible code.
        logger.debug("hlr_auc_gw response: " + res)
        socket.sendto(res, self.client_address)

    # Reuse the bound socket, swapping in the well-behaved handler.
    server.RequestHandlerClass = test_handler2
    dev[0].select_network(id)
    server.handle_request()
    dev[0].wait_connected()
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
def test_eap_tls_sha512(dev, apdev, params):
    """EAP-TLS with SHA512 signature

    Server uses a SHA-512-signed certificate chain (sha512-ca.pem /
    sha512-server.pem); dev[0] authenticates with a SHA-512-signed client
    certificate and dev[1] with a SHA-384-signed one issued under the same
    CA. NOTE(review): the tails of both connect() calls are not shown in
    this listing, so whether they wait for a successful association cannot
    be confirmed from here.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha512-server.pem"
    params["private_key"] = "auth_serv/sha512-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
def test_eap_tls_sha384(dev, apdev, params):
    """EAP-TLS with SHA384 signature

    Same as test_eap_tls_sha512 except that the server presents the
    SHA-384-signed certificate (sha384-server.pem) under the sha512 CA;
    dev[0] uses the SHA-512 client certificate and dev[1] the SHA-384 one.
    NOTE(review): the tails of both connect() calls are not shown in this
    listing.
    """
    params = int_eap_server_params()
    params["ca_cert"] = "auth_serv/sha512-ca.pem"
    params["server_cert"] = "auth_serv/sha384-server.pem"
    params["private_key"] = "auth_serv/sha384-server.key"
    hostapd.add_ap(apdev[0]['ifname'], params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha512-user.pem",
                   private_key="auth_serv/sha512-user.key",
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user sha512",
                   ca_cert="auth_serv/sha512-ca.pem",
                   client_cert="auth_serv/sha384-user.pem",
                   private_key="auth_serv/sha384-user.key",
5543 def test_ap_wpa2_eap_assoc_rsn(dev, apdev):
5544 """WPA2-Enterprise AP and association request RSN IE differences"""
# Two APs: a plain WPA2-Enterprise BSS on apdev[0] and, on apdev[1], the
# same configuration with ieee80211w=2 (management frame protection
# required).
5545 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5546 hostapd.add_ap(apdev[0]['ifname'], params)
5548 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap-11w")
5549 params["ieee80211w"] = "2"
5550 hostapd.add_ap(apdev[1]['ifname'], params)
# Each hex string is a raw RSN element (element ID 0x30) that
# set_test_assoc_ie() makes the station send in its association request
# in place of the one wpa_supplicant would normally build (per the case
# titles). The first group only drops optional trailing fields or
# appends unknown trailing fields, so the AP is expected to accept all
# of them.
5552 # Success cases with optional RSN IE fields removed one by one
5553 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5554 "30140100000fac040100000fac040100000fac010000"),
5555 ("Extra PMKIDCount field in RSN IE",
5556 "30160100000fac040100000fac040100000fac0100000000"),
5557 ("Extra Group Management Cipher Suite in RSN IE",
5558 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
5559 ("Extra undefined extension field in RSN IE",
5560 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
5561 ("RSN IE without RSN Capabilities",
5562 "30120100000fac040100000fac040100000fac01"),
5563 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
5564 ("RSN IE without pairwise", "30060100000fac04"),
5565 ("RSN IE without group", "30020100") ]
5566 for title, ie in tests:
# NOTE(review): gutter line 5567 (and 5581, 5593, 5612 in the later
# loops) is absent from this listing; the visible loop body starts with
# the IE override below.
5568 set_test_assoc_ie(dev[0], ie)
5569 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5570 identity="gpsk user",
5571 password="abcdefghijklmnop0123456789abcdef",
# Each case tears the network down and waits for disconnection so the
# next IE variant starts from a clean association.
5573 dev[0].request("REMOVE_NETWORK all")
5574 dev[0].wait_disconnected()
# Accepted variants against the PMF-required AP, with the station
# configured for optional PMF (ieee80211w="1").
5576 tests = [ ("Normal wpa_supplicant assoc req RSN IE",
5577 "30140100000fac040100000fac040100000fac01cc00"),
5578 ("Group management cipher included in assoc req RSN IE",
5579 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
5580 for title, ie in tests:
5582 set_test_assoc_ie(dev[0], ie)
5583 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5584 eap="GPSK", identity="gpsk user",
5585 password="abcdefghijklmnop0123456789abcdef",
5587 dev[0].request("REMOVE_NETWORK all")
5588 dev[0].wait_disconnected()
# Negative cases: the AP must refuse association (not silently accept a
# weaker cipher) and report the expected 802.11 status code; the third
# tuple element is that status code.
5590 tests = [ ("Invalid group cipher", "30060100000fac02", 41),
5591 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
5592 for title, ie, status in tests:
5594 set_test_assoc_ie(dev[0], ie)
5595 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="GPSK",
5596 identity="gpsk user",
5597 password="abcdefghijklmnop0123456789abcdef",
5598 scan_freq="2412", wait_connect=False)
# wait_connect=False: the connection is expected to fail, so wait for the
# rejection event instead. (The None check on gutter 5600 is absent from
# this listing.)
5599 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5601 raise Exception("Association rejection not reported")
5602 if "status_code=" + str(status) not in ev:
5603 raise Exception("Unexpected status code: " + ev)
5604 dev[0].request("REMOVE_NETWORK all")
5605 dev[0].dump_monitor()
# Negative cases against the PMF-required AP: an RSNE without MFP
# capability, or with an unsupported group management cipher, must be
# rejected with status 31 rather than downgraded to an unprotected
# association.
5607 tests = [ ("Management frame protection not enabled",
5608 "30140100000fac040100000fac040100000fac010000", 31),
5609 ("Unsupported management group cipher",
5610 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
5611 for title, ie, status in tests:
5613 set_test_assoc_ie(dev[0], ie)
5614 dev[0].connect("test-wpa2-eap-11w", key_mgmt="WPA-EAP", ieee80211w="1",
5615 eap="GPSK", identity="gpsk user",
5616 password="abcdefghijklmnop0123456789abcdef",
5617 scan_freq="2412", wait_connect=False)
5618 ev = dev[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5620 raise Exception("Association rejection not reported")
5621 if "status_code=" + str(status) not in ev:
5622 raise Exception("Unexpected status code: " + ev)
5623 dev[0].request("REMOVE_NETWORK all")
5624 dev[0].dump_monitor()
5626 def test_eap_tls_ext_cert_check(dev, apdev):
5627 """EAP-TLS and external server certification validation"""
5628 # With internal server certificate chain validation
# ca_cert is configured, so the supplicant validates the server chain
# itself in addition to the external check requested via
# phase1="tls_ext_cert_check=1". only_add_network=True stores the
# profile without connecting; run_ext_cert_check() starts the AP and
# drives the connection and the CTRL-REQ-EXT_CERT_CHECK exchange.
5629 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5630 identity="tls user",
5631 ca_cert="auth_serv/ca.pem",
5632 client_cert="auth_serv/user.pem",
5633 private_key="auth_serv/user.key",
5634 phase1="tls_ext_cert_check=1", scan_freq="2412",
5635 only_add_network=True)
5636 run_ext_cert_check(dev, apdev, id)
5638 def test_eap_ttls_ext_cert_check(dev, apdev):
5639 """EAP-TTLS and external server certification validation"""
5640 # Without internal server certificate chain validation
# No ca_cert here: the external check requested via
# phase1="tls_ext_cert_check=1" is the only validation the server
# certificate gets in this case, so run_ext_cert_check()'s "bad" verdict
# path is what protects the PAP password from a rogue server.
# only_add_network=True stores the profile without connecting.
5641 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
5642 identity="pap user", anonymous_identity="ttls",
5643 password="password", phase2="auth=PAP",
5644 phase1="tls_ext_cert_check=1", scan_freq="2412",
5645 only_add_network=True)
5646 run_ext_cert_check(dev, apdev, id)
5648 def test_eap_peap_ext_cert_check(dev, apdev):
5649 """EAP-PEAP and external server certification validation"""
5650 # With internal server certificate chain validation
# ca_cert is configured alongside phase1="tls_ext_cert_check=1", so both
# the built-in chain validation and the external verdict must pass
# before the MSCHAPv2 inner authentication completes.
# only_add_network=True stores the profile without connecting.
5651 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
5652 identity="user", anonymous_identity="peap",
5653 ca_cert="auth_serv/ca.pem",
5654 password="password", phase2="auth=MSCHAPV2",
5655 phase1="tls_ext_cert_check=1", scan_freq="2412",
5656 only_add_network=True)
5657 run_ext_cert_check(dev, apdev, id)
5659 def test_eap_fast_ext_cert_check(dev, apdev):
5660 """EAP-FAST and external server certification validation"""
# Skip unless the build supports EAP-FAST.
5661 check_eap_capa(dev[0], "FAST")
5662 # With internal server certificate chain validation
# Clear the PAC blob first so provisioning starts from scratch; the same
# blob name is referenced by pac_file below and cleared again by
# run_ext_cert_check() before its reconnect.
5663 dev[0].request("SET blob fast_pac_auth_ext ")
# ca_cert plus phase1 tls_ext_cert_check=1 and fast_provisioning=2
# (authenticated provisioning, per the wpa_supplicant option name).
# only_add_network=True stores the profile without connecting.
5664 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
5665 identity="user", anonymous_identity="FAST",
5666 ca_cert="auth_serv/ca.pem",
5667 password="password", phase2="auth=GTC",
5668 phase1="tls_ext_cert_check=1 fast_provisioning=2",
5669 pac_file="blob://fast_pac_auth_ext",
# NOTE(review): gutter line 5670 is absent from this listing.
5671 only_add_network=True)
5672 run_ext_cert_check(dev, apdev, id)
# Shared driver for the *_ext_cert_check tests.
#
# Brings up the AP, selects the pre-added network ``net_id`` on dev[0],
# collects the server certificate chain the supplicant reports, answers
# the supplicant's CTRL-REQ-EXT_CERT_CHECK request with "good", verifies
# the connection completes, then reconnects and answers "bad" to verify
# that an external rejection actually fails EAP.
#
# NOTE(review): this listing drops a number of source lines (the gutter
# numbering skips, e.g. 5678, 5683-5684, 5688, 5691-5692, 5694, 5705-5710,
# 5712, 5717, 5725-5729); the comments below describe only the visible
# lines.
5674 def run_ext_cert_check(dev, apdev, net_id):
# Skip if the supplicant build lacks the external-check control
# interface, or if pyOpenSSL (module-level ``openssl_imported``) is
# unavailable for parsing the reported certificates.
5675 check_ext_cert_check_support(dev[0])
5676 if not openssl_imported:
5677 raise HwsimSkip("OpenSSL python method not available")
5679 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5680 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
# The profile was added with only_add_network=True by the caller; this
# starts the actual association.
5682 dev[0].select_network(net_id)
# Event loop (its ``while`` header is on an absent gutter line): gather
# CTRL-EVENT-EAP-PEER-CERT events, keyed by certificate depth, until the
# supplicant asks for the external verdict. Seeing EAP-SUCCESS here is a
# failure: success must not be reachable before the external check.
5685 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
5686 "CTRL-REQ-EXT_CERT_CHECK",
5687 "CTRL-EVENT-EAP-SUCCESS"], timeout=10)
5689 raise Exception("No peer server certificate event seen")
5690 if "CTRL-EVENT-EAP-PEER-CERT" in ev:
# Parse "depth=N" and "cert=<hex>" tokens; the DER bytes are stored
# per depth (depth 0 is the server certificate, depth 1 its issuer,
# per the checks further down).
5693 vals = ev.split(' ')
5695 if v.startswith("depth="):
5696 depth = int(v.split('=')[1])
5697 elif v.startswith("cert="):
5698 cert = v.split('=')[1]
5699 if depth is not None and cert:
5700 certs[depth] = binascii.unhexlify(cert)
5701 elif "CTRL-EVENT-EAP-SUCCESS" in ev:
5702 raise Exception("Unexpected EAP-Success")
5703 elif "CTRL-REQ-EXT_CERT_CHECK" in ev:
# The request looks like "CTRL-REQ-EXT_CERT_CHECK-<id>:..."; the id is
# echoed back in the CTRL-RSP below. (Shadows the ``id`` builtin.)
5704 id = ev.split(':')[0].split('-')[-1]
5707 raise Exception("Server certificate not received")
5709 raise Exception("Server certificate issuer not received")
# Decode the DER certificates with pyOpenSSL and check the subject CNs
# against the expected server and root CA fixtures. The certificate
# arguments to load_certificate() are on absent gutter lines 5712/5717;
# presumably certs[0] and certs[1] — confirm against upstream.
5711 cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5713 cn = cert.get_subject().commonName
5714 logger.info("Server certificate CN=" + cn)
5716 issuer = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1,
5718 icn = issuer.get_subject().commonName
5719 logger.info("Issuer certificate CN=" + icn)
5721 if cn != "server.w1.fi":
5722 raise Exception("Unexpected server certificate CN: " + cn)
5723 if icn != "Root CA":
5724 raise Exception("Unexpected server certificate issuer CN: " + icn)
# Short negative wait: EAP must still be blocked on the external
# verdict at this point.
5726 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=0.1)
5728 raise Exception("Unexpected EAP-Success before external check result indication")
# Positive verdict: the connection should now complete.
5730 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
5731 dev[0].wait_connected()
# Second round: disconnect, drop the cached PMKSA so reconnecting
# performs a full EAP exchange (a cache hit would bypass the check), clear
# the EAP-FAST PAC blob for the same reason, and reconnect.
5733 dev[0].request("DISCONNECT")
5734 dev[0].wait_disconnected()
5735 if "FAIL" in dev[0].request("PMKSA_FLUSH"):
5736 raise Exception("PMKSA_FLUSH failed")
5737 dev[0].request("SET blob fast_pac_auth_ext ")
5738 dev[0].request("RECONNECT")
5740 ev = dev[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout=10)
5742 raise Exception("No peer server certificate event seen (2)")
# Negative verdict: an external "bad" must turn into EAP-Failure rather
# than a completed connection.
5743 id = ev.split(':')[0].split('-')[-1]
5744 dev[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
5745 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
5747 raise Exception("EAP-Failure not reported")
5748 dev[0].request("REMOVE_NETWORK all")
5749 dev[0].wait_disconnected()
5751 def test_eap_tls_errors(dev, apdev):
5752 """EAP-TLS error cases"""
# Memory-allocation failure injection in the EAP-TLS peer code paths.
# Each ``with alloc_fail(dev[0], 1, <func>)`` block arms a failure in the
# named function (presumably its first allocation — the count argument is
# 1), starts a connection that is expected not to complete
# (wait_connect=False), and wait_fail_trigger() confirms via
# GET_ALLOC_FAIL that the injected failure was actually hit. The point is
# that the peer handles the failure cleanly rather than crashing or
# continuing with a half-initialised TLS context.
#
# NOTE(review): gutter lines 5766, 5776, 5782, 5786, 5790, 5793-5794,
# 5796, 5802, 5807, 5815, 5823 and 5832 are absent from this listing.
5753 params = int_eap_server_params()
# Small fragment_size forces EAP-TLS fragmentation so the reassembly
# path below is actually exercised.
5754 params['fragment_size'] = '100'
5755 hostapd.add_ap(apdev[0]['ifname'], params)
5756 with alloc_fail(dev[0], 1,
5757 "eap_peer_tls_reassemble_fragment"):
5758 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5759 identity="tls user", ca_cert="auth_serv/ca.pem",
5760 client_cert="auth_serv/user.pem",
5761 private_key="auth_serv/user.key",
5762 wait_connect=False, scan_freq="2412")
5763 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5764 dev[0].request("REMOVE_NETWORK all")
5765 dev[0].wait_disconnected()
5767 with alloc_fail(dev[0], 1, "eap_tls_init"):
5768 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5769 identity="tls user", ca_cert="auth_serv/ca.pem",
5770 client_cert="auth_serv/user.pem",
5771 private_key="auth_serv/user.key",
5772 wait_connect=False, scan_freq="2412")
5773 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5774 dev[0].request("REMOVE_NETWORK all")
5775 dev[0].wait_disconnected()
# This case additionally expects a CTRL-REQ-PIN request; the network
# parameter that provokes it is on absent gutter line 5782 — confirm
# against upstream.
5777 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init"):
5778 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5779 identity="tls user", ca_cert="auth_serv/ca.pem",
5780 client_cert="auth_serv/user.pem",
5781 private_key="auth_serv/user.key",
5783 wait_connect=False, scan_freq="2412")
5784 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5785 ev = dev[0].wait_event(["CTRL-REQ-PIN"], timeout=5)
5787 raise Exception("No CTRL-REQ-PIN seen")
5788 dev[0].request("REMOVE_NETWORK all")
5789 dev[0].wait_disconnected()
# Failure points reached only after the TLS handshake succeeds (key and
# session-id derivation). The "callee;caller" form presumably restricts
# the injection to that call chain. Two list entries (5793-5794) and the
# ``for func in tests`` header (5796) are absent from this listing.
5791 tests = [ "eap_peer_tls_derive_key;eap_tls_success",
5792 "eap_peer_tls_derive_session_id;eap_tls_success",
5795 "eap_tls_get_session_id" ]
5797 with alloc_fail(dev[0], 1, func):
5798 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
5799 identity="tls user", ca_cert="auth_serv/ca.pem",
5800 client_cert="auth_serv/user.pem",
5801 private_key="auth_serv/user.key",
5803 wait_connect=False, scan_freq="2412")
5804 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5805 dev[0].request("REMOVE_NETWORK all")
5806 dev[0].wait_disconnected()
# Same allocation-failure pattern for the UNAUTH-TLS variant (server
# authenticated via ca_cert only, no client certificate).
5808 with alloc_fail(dev[0], 1, "eap_unauth_tls_init"):
5809 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5810 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5811 wait_connect=False, scan_freq="2412")
5812 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5813 dev[0].request("REMOVE_NETWORK all")
5814 dev[0].wait_disconnected()
5816 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
5817 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="UNAUTH-TLS",
5818 identity="unauth-tls", ca_cert="auth_serv/ca.pem",
5819 wait_connect=False, scan_freq="2412")
5820 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5821 dev[0].request("REMOVE_NETWORK all")
5822 dev[0].wait_disconnected()
# And for the WFA-UNAUTH-TLS variant (Hotspot 2.0 OSEN identity).
5824 with alloc_fail(dev[0], 1, "eap_wfa_unauth_tls_init"):
5825 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5826 eap="WFA-UNAUTH-TLS",
5827 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5828 wait_connect=False, scan_freq="2412")
5829 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5830 dev[0].request("REMOVE_NETWORK all")
5831 dev[0].wait_disconnected()
5833 with alloc_fail(dev[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
5834 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
5835 eap="WFA-UNAUTH-TLS",
5836 identity="osen@example.com", ca_cert="auth_serv/ca.pem",
5837 wait_connect=False, scan_freq="2412")
5838 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5839 dev[0].request("REMOVE_NETWORK all")
5840 dev[0].wait_disconnected()
5842 def test_ap_wpa2_eap_status(dev, apdev):
5843 """EAP state machine status information"""
# Polls STATUS-VERBOSE while a PEAP/EAP-TLS (phase 2) authentication
# runs and records every distinct value the EAP peer state machine
# exposes (EAP state, methodState, decision, reqMethod, selectedMethod),
# then requires that the exchange reached SUCCESS.
#
# NOTE(review): gutter lines 5853-5857 (list/flag initialisations),
# 5863, 5867-5868 (presumably the SUCCESS bookkeeping/break),
# 5873-5874 (the 'decision' branch header) and 5891 (the condition for
# the final raise) are absent from this listing.
5844 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5845 hostapd.add_ap(apdev[0]['ifname'], params)
# wait_connect=False so the polling loop below observes the intermediate
# states instead of blocking until the connection is complete.
5846 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
5847 identity="cert user",
5848 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
5849 ca_cert2="auth_serv/ca.pem",
5850 client_cert2="auth_serv/user.pem",
5851 private_key2="auth_serv/user.key",
5852 scan_freq="2412", wait_connect=False)
5858 selected_methods = []
# Large bound rather than a timeout: the loop exits early on SUCCESS;
# each iteration appends only values not seen before.
5859 for i in range(100000):
5860 s = dev[0].get_status(extra="VERBOSE")
5861 if 'EAP state' in s:
5862 state = s['EAP state']
5864 if state not in states:
5865 states.append(state)
5866 if state == "SUCCESS":
5869 if 'methodState' in s:
5870 val = s['methodState']
5871 if val not in method_states:
5872 method_states.append(val)
5875 if val not in decisions:
5876 decisions.append(val)
5877 if 'reqMethod' in s:
5878 val = s['reqMethod']
5879 if val not in req_methods:
5880 req_methods.append(val)
5881 if 'selectedMethod' in s:
5882 val = s['selectedMethod']
5883 if val not in selected_methods:
5884 selected_methods.append(val)
# Report what was observed; these are informational, the only hard
# requirement is that EAP reached SUCCESS.
5885 logger.info("Iterations: %d" % i)
5886 logger.info("EAP states: " + str(states))
5887 logger.info("methodStates: " + str(method_states))
5888 logger.info("decisions: " + str(decisions))
5889 logger.info("reqMethods: " + str(req_methods))
5890 logger.info("selectedMethods: " + str(selected_methods))
5892 raise Exception("EAP did not succeed")
5893 dev[0].wait_connected()
5894 dev[0].request("REMOVE_NETWORK all")
5895 dev[0].wait_disconnected()
5897 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
5898 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
5899 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
5900 params['wpa_ptk_rekey'] = '2'
5901 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5902 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
5903 password="abcdefghijklmnop0123456789abcdef")
5904 ev = dev[0].wait_event(["WPA: Key negotiation completed"])
5906 raise Exception("PTK rekey timed out")
5907 hwsim_utils.test_connectivity(dev[0], hapd)